udp_tproxy.c
/*
* # iptables -t mangle -N DIVERT
* # iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
* # iptables -t mangle -A DIVERT -j MARK --set-mark 1
* # iptables -t mangle -A DIVERT -j ACCEPT
* # ip rule add fwmark 1 lookup 100
* # ip route add local 0.0.0.0/0 dev lo table 100
* # iptables -t mangle -A PREROUTING -p udp --dport 9201 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 19201
*
* Tested on RHEL 6
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <string.h>
#include <errno.h>
#include <sys/ioctl.h>
#define MAX_RECV_BUF (1000)
int handle_msg (struct msghdr *msg);
int send_transparently (struct msghdr *msg, struct sockaddr_in *dstaddr);
int main (int argc, char **argv)
{
int s;
short int port;
struct sockaddr_in servaddr;
struct sockaddr_in clntaddr;
int n;
int ret;
struct msghdr msg;
char cntrlbuf[64];
struct iovec iov[1];
char buffer[MAX_RECV_BUF];
char *endptr;
if (argc < 2)
{
printf ("usage: %s <port>\n", argv[0]);
return -1;
}
port = strtol (argv[1], &endptr, 0);
if (*endptr || port <= 0)
{
fprintf (stderr, "invalid port number %s.\n", argv[1]);
return -2;
}
if ((s = socket (AF_INET, SOCK_DGRAM, 0)) < 0)
{
fprintf (stderr, "error creating listening socket.\n");
return -3;
}
n=1;
setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n));
setsockopt(s, SOL_SOCKET, SO_BROADCAST, &n, sizeof(n));
n=1;
ret = setsockopt (s, SOL_IP, IP_TRANSPARENT, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting transparency for listening socket. err (#%d %s)\n", errno, strerror(errno));
close (s);
return -4;
}
n=1;
ret = setsockopt (s, IPPROTO_IP, IP_RECVORIGDSTADDR, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting the listening socket to IP_TRANSPARENT. err (#%d %s)\n", errno, strerror(errno));
close (s);
return -5;
}
memset (&servaddr, 0, sizeof (servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
servaddr.sin_port = htons (port);
if (bind (s, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
{
fprintf (stderr, "error calling bind()\n");
return -6;
}
while (1)
{
msg.msg_name = &clntaddr;
msg.msg_namelen = sizeof(clntaddr);
msg.msg_control = cntrlbuf;
msg.msg_controllen = sizeof(cntrlbuf);
iov[0].iov_base = buffer;
iov[0].iov_len = sizeof (buffer);
msg.msg_iov = iov;
msg.msg_iovlen = 1;
ret = recvmsg (s, &msg, 0);
if (ret <= 0)
{
fprintf (stderr, "error calling recvmsg(). err (#%d %s)\n", errno, strerror(errno));
break;
}
msg.msg_iov[0].iov_len = ret;
handle_msg (&msg);
}
close (s);
return 0;
}
int handle_msg (struct msghdr *msg)
{
struct sockaddr_in *clntaddr;
struct sockaddr_in dstaddr={0,};
struct cmsghdr *cmsg;
int ret;
int found=0;
clntaddr = msg->msg_name;
printf ("recvd msg from %X:%d\n", clntaddr->sin_addr.s_addr, clntaddr->sin_port);
/* get original destination address */
for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
{
if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVORIGDSTADDR)
{
memcpy (&dstaddr, CMSG_DATA(cmsg), sizeof (struct sockaddr_in));
dstaddr.sin_family = AF_INET;
printf ("original dst address %X:%d\n", dstaddr.sin_addr.s_addr, dstaddr.sin_port);
found = 1;
}
}
if (! found)
{
return -1;
}
ret = send_transparently (msg, &dstaddr);
if (ret <= 0)
{
return -2;
}
return 0;
}
int send_transparently (struct msghdr *msg, struct sockaddr_in *dstaddr)
{
int d;
int n;
int ret;
if (msg == NULL || dstaddr == NULL)
{
return -1;
}
d = socket (AF_INET, SOCK_DGRAM, 0);
if (d == -1)
{
fprintf (stderr, "error creating socket (#%d %s)\n", errno, strerror(errno));
return -2;
}
n=1;
ret = setsockopt (d, SOL_IP, IP_TRANSPARENT, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting transparency towards destination. err (#%d %s)\n", errno, strerror(errno));
close (d);
return -3;
}
ret = bind (d, (struct sockaddr *)msg->msg_name, sizeof (struct sockaddr_in));
if (ret != 0)
{
fprintf (stderr, "error binding to client . err (#%d %s)\n", errno, strerror(errno));
close (d);
return -4;
}
ret = sendto (d, msg->msg_iov[0].iov_base, msg->msg_iov[0].iov_len, 0, (struct sockaddr *)dstaddr, sizeof (*dstaddr));
if (ret <= 0)
{
fprintf (stderr, "error sending to detination. err (#%d %s)\n", errno, strerror(errno));
close (d);
return -5;
}
close (d);
return 0;
}
/*
* # iptables -t mangle -N DIVERT
* # iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
* # iptables -t mangle -A DIVERT -j MARK --set-mark 1
* # iptables -t mangle -A DIVERT -j ACCEPT
* # ip rule add fwmark 1 lookup 100
* # ip route add local 0.0.0.0/0 dev lo table 100
* # iptables -t mangle -A PREROUTING -p udp --dport 9201 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 19201
*
* Tested on RHEL 6
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <string.h>
#include <errno.h>
#include <sys/ioctl.h>
#define MAX_RECV_BUF (1000)
int handle_msg (struct msghdr *msg);
int send_transparently (struct msghdr *msg, struct sockaddr_in *dstaddr);
int main (int argc, char **argv)
{
int s;
short int port;
struct sockaddr_in servaddr;
struct sockaddr_in clntaddr;
int n;
int ret;
struct msghdr msg;
char cntrlbuf[64];
struct iovec iov[1];
char buffer[MAX_RECV_BUF];
char *endptr;
if (argc < 2)
{
printf ("usage: %s <port>\n", argv[0]);
return -1;
}
port = strtol (argv[1], &endptr, 0);
if (*endptr || port <= 0)
{
fprintf (stderr, "invalid port number %s.\n", argv[1]);
return -2;
}
if ((s = socket (AF_INET, SOCK_DGRAM, 0)) < 0)
{
fprintf (stderr, "error creating listening socket.\n");
return -3;
}
n=1;
setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n));
setsockopt(s, SOL_SOCKET, SO_BROADCAST, &n, sizeof(n));
n=1;
ret = setsockopt (s, SOL_IP, IP_TRANSPARENT, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting transparency for listening socket. err (#%d %s)\n", errno, strerror(errno));
close (s);
return -4;
}
n=1;
ret = setsockopt (s, IPPROTO_IP, IP_RECVORIGDSTADDR, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting the listening socket to IP_TRANSPARENT. err (#%d %s)\n", errno, strerror(errno));
close (s);
return -5;
}
memset (&servaddr, 0, sizeof (servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
servaddr.sin_port = htons (port);
if (bind (s, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
{
fprintf (stderr, "error calling bind()\n");
return -6;
}
while (1)
{
msg.msg_name = &clntaddr;
msg.msg_namelen = sizeof(clntaddr);
msg.msg_control = cntrlbuf;
msg.msg_controllen = sizeof(cntrlbuf);
iov[0].iov_base = buffer;
iov[0].iov_len = sizeof (buffer);
msg.msg_iov = iov;
msg.msg_iovlen = 1;
ret = recvmsg (s, &msg, 0);
if (ret <= 0)
{
fprintf (stderr, "error calling recvmsg(). err (#%d %s)\n", errno, strerror(errno));
break;
}
msg.msg_iov[0].iov_len = ret;
handle_msg (&msg);
}
close (s);
return 0;
}
int handle_msg (struct msghdr *msg)
{
struct sockaddr_in *clntaddr;
struct sockaddr_in dstaddr={0,};
struct cmsghdr *cmsg;
int ret;
int found=0;
clntaddr = msg->msg_name;
printf ("recvd msg from %X:%d\n", clntaddr->sin_addr.s_addr, clntaddr->sin_port);
/* get original destination address */
for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
{
if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVORIGDSTADDR)
{
memcpy (&dstaddr, CMSG_DATA(cmsg), sizeof (struct sockaddr_in));
dstaddr.sin_family = AF_INET;
printf ("original dst address %X:%d\n", dstaddr.sin_addr.s_addr, dstaddr.sin_port);
found = 1;
}
}
if (! found)
{
return -1;
}
ret = send_transparently (msg, &dstaddr);
if (ret <= 0)
{
return -2;
}
return 0;
}
int send_transparently (struct msghdr *msg, struct sockaddr_in *dstaddr)
{
int d;
int n;
int ret;
if (msg == NULL || dstaddr == NULL)
{
return -1;
}
d = socket (AF_INET, SOCK_DGRAM, 0);
if (d == -1)
{
fprintf (stderr, "error creating socket (#%d %s)\n", errno, strerror(errno));
return -2;
}
n=1;
ret = setsockopt (d, SOL_IP, IP_TRANSPARENT, &n, sizeof(int));
if (ret != 0)
{
fprintf (stderr, "error setting transparency towards destination. err (#%d %s)\n", errno, strerror(errno));
close (d);
return -3;
}
ret = bind (d, (struct sockaddr *)msg->msg_name, sizeof (struct sockaddr_in));
if (ret != 0)
{
fprintf (stderr, "error binding to client . err (#%d %s)\n", errno, strerror(errno));
close (d);
return -4;
}
ret = sendto (d, msg->msg_iov[0].iov_base, msg->msg_iov[0].iov_len, 0, (struct sockaddr *)dstaddr, sizeof (*dstaddr));
if (ret <= 0)
{
fprintf (stderr, "error sending to detination. err (#%d %s)\n", errno, strerror(errno));
close (d);
return -5;
}
close (d);
return 0;
}
This comment has been removed by the author.
ReplyDelete