state where it's appearing
A.B

The packet cloned through TEE is set to be untracked by conntrack, prevented from being duplicated again, and emitted through the local output part of the routing stack, so it is first seen by raw/OUTPUT (you can also refer to this Packet flow in Netfilter and General Networking schematic: that would be right after the local process). This would be the same if the duplication was done before (e.g. in mangle or raw PREROUTING) for a routed packet. This makes it difficult (but not impossible) to receive additional treatment like an additional nat, since it won't be tracked and it's difficult to distinguish it from the original.

Here's an example TRACE capture (using iptables-legacy's version) in a setup similar to OP's, of a ping made from 192.168.0.2 to 8.8.8.8: the capture was done on the router using `iptables -t raw -A OUTPUT -j TRACE`. The original routed packet will not appear since it would have to be captured from raw/PREROUTING, thus validating the explanation above that it's done from output.

TRACE: raw:OUTPUT:policy:2 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1
TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1


Post Undeleted by A.B
just put a simpler trace example fitting OP's
Post Deleted by A.B
add an example and a way to distinguish packet in the specific case of a locally created packet
Here's an example TRACE (using iptables-legacy's version) of a UDP packet being duplicated using OP's TEE rule (and an additional `iptables -t raw -A OUTPUT -j TRACE`). In this example the copy is on another interface (veth0), while it could have been on the same one, and no rule other than OP's and TRACE has ever been added in this network namespace, so the TRACE will not show all possible hooks/chains (e.g. no filter, no nat):

TRACE: raw:OUTPUT:policy:2 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: raw:OUTPUT:rule:1 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: raw:OUTPUT:policy:2 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:OUTPUT:policy:1 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0

This example might show a way to distinguish the duplicated packet, if it was a locally created packet: while the original shows it was sent by the root account (UID=0), the copy has no uid owner (i.e. it's "owned" by the kernel), so using the owner match can be useful for locally generated (rather than routed) packets. Still, the copy is untracked, so not fit for nat operations (nftables could probably do a stateless nat).
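As an added example (not part of A.B's answer), the following Python script parses iptables-legacy TRACE output such as the two captures quoted in this answer, groups the records per packet (addresses, protocol, IP ID) and output interface, and applies the owner heuristic described above: a traversal that carries UID/GID is the locally generated original, a traversal of the same packet without them is the TEE clone, and when no traversal carries an owner (the routed ping case) the heuristic cannot decide. The sample records are the answer's own TRACE lines, re-split one per line; the record layout, function names and verdict strings are this script's own assumptions.

```python
"""Group iptables TRACE records per packet and flag TEE clones by their missing owner.

Added example, not part of A.B's answer. Record and field names below are
assumptions of this script; the sample records are the answer's own TRACE output,
re-split one record per line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input 1 (copied from the answer): locally generated UDP packet, TEE copy sent to veth0.
UDP_TRACE = """\
TRACE: raw:OUTPUT:policy:2 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
TRACE: raw:OUTPUT:rule:1 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: raw:OUTPUT:policy:2 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:OUTPUT:policy:1 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=veth0 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth2 SRC=192.0.2.13 DST=192.0.2.12 LEN=33 TOS=0x00 PREC=0x00 TTL=64 ID=18635 DF PROTO=UDP SPT=35223 DPT=5555 LEN=13 UID=0 GID=0
"""

# Sample input 2 (copied from the answer): routed ping, only the TEE copy traverses OUTPUT.
PING_TRACE = """\
TRACE: raw:OUTPUT:policy:2 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1
TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1
TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth1 SRC=192.168.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39209 DF PROTO=ICMP TYPE=8 CODE=0 ID=3070 SEQ=1
"""


@dataclass
class Hop:
    table: str
    chain: str
    kind: str   # "rule" or "policy"
    num: int
    fields: dict


RECORD_RE = re.compile(r"TRACE:\s+([^:\s]+):([^:\s]+):(rule|policy):(\d+)\s+(.*)")


def parse_trace(text):
    """Split TRACE output into hops; also copes with records run together on one line."""
    hops = []
    for chunk in re.split(r"(?=TRACE: )", text):
        m = RECORD_RE.match(chunk.strip())
        if not m:
            continue  # empty chunk or an unrelated kernel log line
        table, chain, kind, num, rest = m.groups()
        fields = {}
        for key, val in re.findall(r"(\w+)=(\S*)", rest):
            # Keep the first value: the IP header LEN= and ID= precede the UDP/ICMP ones.
            fields.setdefault(key, val)
        hops.append(Hop(table, chain, kind, int(num), fields))
    return hops


def packet_key(fields):
    """Identify one IP packet by addresses, protocol and IP ID (shared by original and clone)."""
    return (fields.get("SRC"), fields.get("DST"), fields.get("PROTO"), fields.get("ID"))


def analyze(text):
    """Return one entry per traversal with the owner-based verdict from the answer.

    A traversal is one packet's pass through the OUTPUT path on one OUT interface
    with one owner state. The locally generated original carries UID/GID, the TEE
    clone does not; if no traversal carries an owner (routed packet, or the original
    never passed OUTPUT) the owner match cannot tell them apart."""
    groups = defaultdict(list)
    for hop in parse_trace(text):
        groups[(packet_key(hop.fields), hop.fields.get("OUT"), hop.fields.get("UID"))].append(hop)
    by_packet = defaultdict(list)
    for (key, out, uid), hops in groups.items():
        by_packet[key].append((out, uid, hops))
    results = []
    for key, traversals in by_packet.items():
        any_owned = any(uid is not None for _, uid, _ in traversals)
        for out, uid, hops in traversals:
            if uid is not None:
                verdict = "original (locally generated, UID=%s)" % uid
            elif any_owned:
                verdict = "tee-copy (no owner: cloned by the kernel)"
            else:
                verdict = "undetermined (no owner on any traversal)"
            results.append({
                "packet": key, "out": out, "uid": uid, "verdict": verdict,
                "hops": ["%s:%s:%s:%d" % (h.table, h.chain, h.kind, h.num) for h in hops],
            })
    return results


if __name__ == "__main__":
    for name, trace in (("udp", UDP_TRACE), ("ping", PING_TRACE)):
        for r in analyze(trace):
            print(name, r["out"], r["verdict"], "->", " > ".join(r["hops"]))
```

Run as-is it reports the eth2 traversal as the owned original (with the TEE rule firing at mangle:POSTROUTING:rule:1) and the veth0 traversal as the unowned clone; for the ping capture it reports a single unowned traversal and refuses to classify it, which is exactly the routed-packet limitation the paragraph above describes.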

add an example and a way to distinguish packet in the case of a locally created packet