pf rdr + netsed : reinject loop...

Mel fbsd.questions at rachie.is-a-geek.net
Fri Aug 31 10:27:28 PDT 2007


On Friday 31 August 2007 19:12:42 Mel wrote:
> On Friday 31 August 2007 18:27:26 Norberto Meijome wrote:
> > On Fri, 31 Aug 2007 17:40:06 +0200
> >
> > Mel <fbsd.questions at rachie.is-a-geek.net> wrote:
> > > > netsed's output is (part ) :
> > > > ---
> > > > Script started on Fri Aug 31 07:52:12 2007
> > > > [root at localhost /usr/home/luser]# netsed tcp 10101 0 0  s/FOO/BAR
> > > > netsed 0.01b by Michal Zalewski <lcamtuf at ids.pl>
> > > > [*] Parsing rule s/FOO/BAR ...
> > > > [+] Loaded 1 rules...
> > > > [+] Listening on port 10101/tcp.
> > > > [+] Using dynamic (transparent proxy) forwarding.
> > > >
> > > > [+] Got incoming connection from 172.16.82.81:1178 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Got incoming connection from 127.0.0.1:51337 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Caught client -> server packet.
> > >
> > > I think you need to figure out what this 'transparent proxy mode' of
> > > netsed does, cause it should under no circumstances forward to
> > > itself...
> >
> > it simply forwards the packet to the dst_ip:dst_port it originally had.
> > But, as Daniel H pointed out, those packets had been rewritten by pf's
> > rdr to go TO netsed's ip:port .... hence netsed won't change anything.  It
> > works fine in non-proxy mode, but as I said in my first msg, that is not
> > an option for me.
>
> OK, I just tried to verify if rdr rewrites dest and indeed it does from
> netsed's point of view (didn't know my machine could go to 100 load and
> still catch SIGINT).
>
> Now I wonder how ftp-proxy(8) ever gets the server address. Time to view
> the source.

Ah, here we go:
/usr/src/contrib/pf/ftp-proxy/util.c:115:
        /*
         * Open the pf device and lookup the mapping pair to find
         * the original address we were supposed to connect to.
         */
        fd = open("/dev/pf", O_RDWR);
        if (fd == -1) {
                syslog(LOG_ERR, "cannot open /dev/pf (%m)");
                exit(EX_UNAVAILABLE);
        }

        if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
                syslog(LOG_INFO,
                    "pf nat lookup failed %s:%hu (%m)",
                    inet_ntoa(client_sa_ptr->sin_addr),
                    ntohs(client_sa_ptr->sin_port));
                close(fd);
                return(-1);
        }
        close(fd);

So, in short, netsed needs extra code to deal with pf (and probably others 
since only a Linux iptables example is listed in README) and the port 
maintainer should add a warning that transparent proxy mode does not (yet) 
work with pf/ipfw/ipf.

In addition you need write access to /dev/pf :)

-- 
Mel