leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0b588afdd1
linux/net/ipv6/netfilter
History
Michael Zhou d5608a0578 netfilter: ip6t_NPT: rewrite addresses in ICMPv6 original packet 
Detect and rewrite a prefix embedded in an ICMPv6 original packet that was
rewritten by a corresponding DNPT/SNPT rule so it will be recognised by
the host that sent the original packet.

Example

Rules in effect on the 1:2:3:4::/64 + 5:6:7:8::/64 side router:
* SNPT src-pfx 1:2:3:4::/64 dst-pfx 5:6:7:8::/64
* DNPT src-pfx 5:6:7:8::/64 dst-pfx 1:2:3:4::/64

No rules on the 9🅰️b:c::/64 side.

1. 1:2:3:4::1 sends UDP packet to 9🅰️b:c::1
2. Router applies SNPT changing src to 5:6:7:8::ffef::1
3. 9🅰️b:c::1 receives packet with (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1)
	and replies with ICMPv6 port unreachable to 5:6:7:8::ffef::1,
	including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1)
4. Router forwards ICMPv6 packet with (src 9🅰️b:c::1 dst 5:6:7:8::ffef::1)
	including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1)
	and applies DNPT changing dst to 1:2:3:4::1
5. 1:2:3:4::1 receives ICMPv6 packet with (src 9🅰️b:c::1 dst 1:2:3:4::1)
	including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1).
	It doesn't recognise the original packet as the src doesn't
	match anything it originally sent

With this change, at step 4, DNPT will also rewrite the original packet
src to 1:2:3:4::1, so at step 5, 1:2:3:4::1 will recognise the ICMPv6
error and provide feedback to the application properly.

Conversely, SNPT will help when ICMPv6 errors are sent from the
translated network.

1. 9🅰️b:c::1 sends UDP packet to 5:6:7:8::ffef::1
2. Router applies DNPT changing dst to 1:2:3:4::1
3. 1:2:3:4::1 receives packet with (src 9🅰️b:c::1 dst 1:2:3:4::1)
	and replies with ICMPv6 port unreachable to 9🅰️b:c::1
	including original packet (src 9🅰️b:c::1 dst 1:2:3:4::1)
4. Router forwards ICMPv6 packet with (src 1:2:3:4::1 dst 9🅰️b:c::1)
	including original packet (src 9🅰️b:c::1 dst 1:2:3:4::1)
	and applies SNPT changing src to 5:6:7:8::ffef::1
5. 9🅰️b:c::1 receives ICMPv6 packet with
	(src 5:6:7:8::ffef::1 dst 9🅰️b:c::1) including
	original packet (src 9🅰️b:c::1 dst 1:2:3:4::1).
	It doesn't recognise the original packet as the dst doesn't
	match anything it already sent

The change to SNPT means the ICMPv6 original packet dst will be
rewritten to 5:6:7:8::ffef::1 in step 4, allowing the error to be
properly recognised in step 5.

Signed-off-by: Michael Zhou <mzhou@cse.unsw.edu.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-08-28 19:18:48 +02:00
..
ip6_tables.c net: remove sockptr_advance 2020-07-28 13:43:40 -07:00
ip6t_ah.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_eui64.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ip6t_frag.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_hbh.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_ipv6header.c netfilter: move inline nf_ip6_ext_hdr() function to a more appropriate header. 2019-09-13 12:34:09 +02:00
ip6t_mh.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ip6t_NPT.c netfilter: ip6t_NPT: rewrite addresses in ICMPv6 original packet 2020-08-28 19:18:48 +02:00
ip6t_REJECT.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6t_rpfilter.c netfilter: Fix rpfilter dropping vrf packets by mistake 2019-07-16 13:16:47 +02:00
ip6t_rt.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_srh.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6t_SYNPROXY.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
ip6table_filter.c netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c. 2020-06-25 00:50:31 +02:00
ip6table_mangle.c netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c. 2020-06-25 00:50:31 +02:00
ip6table_nat.c netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c. 2020-06-25 00:50:31 +02:00
ip6table_raw.c netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c. 2020-06-25 00:50:31 +02:00
ip6table_security.c netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c. 2020-06-25 00:50:31 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile netfilter: x_tables: merge ip and ipv6 masquerade modules 2019-04-11 20:59:29 +02:00
nf_conntrack_reasm.c inet: frags: re-introduce skb coalescing for local delivery 2019-08-08 15:55:10 -07:00
nf_defrag_ipv6_hooks.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nf_dup_ipv6.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
nf_flow_table_ipv6.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nf_log_ipv6.c inet: Use fallthrough; 2020-03-12 15:55:00 -07:00
nf_reject_ipv6.c netfilter: introduce support for reject at prerouting stage 2020-06-30 18:21:02 +02:00
nf_socket_ipv6.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
nf_tproxy_ipv6.c netfilter: nft_tproxy: Fix typo in IPv6 module description. 2019-10-17 12:21:11 +02:00
nft_dup_ipv6.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_fib_ipv6.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_reject_ipv6.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00