Redirecting TCP to loop back interface

    Question

  • Hi,

    In a callout for OUTBOUND_TRANSPORT_V4 I redirect the TCP connection to 127.0.0.1. FwpsInjectTransportSendAsync0 returns STATUS_SUCCESS, but the completion function gets STATUS_INVALID_ADDRESS_COMPONENT as the result (status member of the NET_BUFFER_LIST).

    Everything works OK if I use the DHCP-assigned address of the LAN interface instead of 127.0.0.1.

    FwpsInjectTransportSendAsync0 has a parameter "compartmentId", which is the identifier of the routing compartment. I believe the ID taken from the classify function does not match the loopback interface, so how can I get the compartmentId for the loopback interface? I don't like the idea of catching this ID in a different callout and storing it in my driver for later use.

    If I'm totally wrong, any hints for my problem?

    Thanks, Jens
    Monday, July 09, 2007 2:34 PM

Answers

  • I would like to help but I am no expert on some of these areas (e.g. LSP/TDI/WSK). Below is according to the best of my knowledge --

     

    - TDI filters are still supported in Vista

    - Only connections arriving over port 445 will bypass TDI filters (mainly for performance reasons)

    - Currently there is no WSP-like support for WSK.

     

    You may want to post your questions to Winsock/WSK related forums/newsgroups to see what other options are available for your project.

     

    Biao.W.

     

    Friday, July 13, 2007 4:26 AM

All replies

  • Hi Jens,

     

    You cannot send a packet to a loopback address (127.x.x.x) from a non-loopback address. This is by design and hence the STATUS_INVALID_ADDRESS_COMPONENT error is valid.

    The solution to the problem would be to use the DHCP assigned address of the LAN interface as you have done. Is there any way this solution can work for you? Also, it would help if you can explain your scenario a little bit more to see if there is any other way you can do this.

     

    Thanks,

    anu

    Tuesday, July 10, 2007 11:40 PM
  • Hi Anu,

    The background is that I want to redirect all TCP connections to a local proxy process.

    Anyway, my problem cannot be solved with the loopback interface, since a TCP connection will not enter the stack (at least I did not see a FWPM_LAYER_ALE_AUTH_CONNECT_V4 event) when the LAN interface is unplugged. I believe there is something above WFP which checks for any available routes (or interfaces != loopback) and then blocks the TCP connection.

    Using the DHCP-assigned address of the LAN interface is not a fully functional solution if you have multiple interfaces (e.g. a WiFi adapter). I believe - but did not test it - that in this case a packet from a WiFi adapter cannot be injected for the LAN adapter. As long as the proxy process is not bound to a specific interface I can use the source IP address as the destination address.

    Thanks for your help,
    Jens
    Wednesday, July 11, 2007 8:04 AM
  • Jens,

     

    Your analysis is correct -- w/o the presence of an interface, the TCP stack wouldn't be able to find the next hop and hence will not attempt a connect.

     

    You may want to research WinSock LSP or TDI filter technology for a solution. They can intercept the socket connect() call and you should be able to proxy your connection in that context.

     

    The long term goal of WFP is to be able to replace LSP/TDI, but we are not there yet.

     

    Also, you may want to research developing an NDIS miniport driver that exposes a virtual NIC to Windows which will always be "connected". With that, WFP should be able to accomplish the rest of what you need.

     

    Hope this helps,

    Biao.W.

    Thursday, July 12, 2007 4:12 AM
  • Hi,

    Since I want to redirect remote file system access, a Winsock LSP or TSP is not appropriate. A TDI filter works only up to Windows XP. For Vista you have to use WFP and an NDIS driver together, unless there is a way to implement a Network Provider for WSK which fulfills these requirements:
    - every user application and every WSK application is forced to use this Network Provider.
    - this also applies to remote filesystem access. From my experience with WXP I know that remote filesystem access bypasses TDI when it comes to transferring data.

    The documentation didn't help me with these points; maybe you can help me?

    Thanks for your efforts,

    Jens
    Thursday, July 12, 2007 6:22 AM
  • The problem is that the router connected to broadband is not able to get the IP address of the broadband server.

     

    Tuesday, November 27, 2007 11:22 AM
  • Hello,

    I have worked on the same solution. I have found a solution for how to redirect a connection to the loopback interface.

    I use NETWORK layer callback functions in cooperation with the ALE layer.

    On the ALE layer I prepare a redirect record, then on the NETWORK layer I catch the outgoing packet, modify both IPs to localhost and the destination port in the headers, then REINJECT the packet by FwpsInjectNetworkSendAsync0. It is not possible to inject by FwpsInjectNetworkReceiveAsync0, because the packet is kicked off there. I expect that WFP checks if localhost:sourceport exists, and if not, the packet is rejected.

    It delivers the packet to the loopback interface (in my opinion a new localhost->localhost connection is created).

    When I catch the packet which goes back (from localhost:redirPort to localhost:sourceport) I modify the IP and ports back, so the packet looks like a packet arriving from outside.

    Everything works fine, but it has a big performance penalty for OUTGOING data. For example, sending a lot of data OUT from the application to the server through the proxy degrades traffic more than 20x.

    The problem is that the call FwpsInjectNetworkSendAsync0 takes a lot of time here. The final effect in the proxy is that data are signalled by recv() with a size of 1460 bytes always (the content of exactly one packet). Without the redirector, I obtain much bigger blocks of data per call.

    Can anybody explain to me why this method brings this degradation of data? My code works quickly; the problem is between FwpsInjectNetworkSendAsync0 and InjectCompletionFn.

    Thank you for help.

    Zdenek

    Friday, April 18, 2008 1:53 PM
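The outbound header rewrite Zdenek describes (both addresses to 127.0.0.1, a new destination port, then reinject), as an added user-mode C example that is not his driver code: it applies the rewrite to a constructed IPv4/TCP packet and recomputes the IP and TCP checksums that a reinjected packet must carry. The constructed packet, the 198.51.100.7 peer and the redir_port value are assumptions; a kernel callout would do the same edits on the NET_BUFFER_LIST data.

```c
#include <stdint.h>
#include <string.h>
/* RFC 1071 one's-complement accumulation (csum_add) and final fold (csum_fold). */
static uint32_t csum_add(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += ((uint32_t)p[0] << 8) | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t csum_fold(uint32_t s) {
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)~s;
}
/* Check IPv4/TCP framing: returns the IP total length (0 if implausible), header length in *ihl. */
static size_t parse_ipv4_tcp(const uint8_t *pkt, size_t len, size_t *ihl) {
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    *ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    return (*ihl >= 20 && total <= len && *ihl + 20 <= total) ? total : 0;
}
/* TCP checksum over the pseudo-header (src IP, dst IP, zero, protocol 6, TCP length) and segment. */
static uint16_t tcp_csum(const uint8_t *pkt, size_t ihl, size_t total) {
    uint8_t ph[12] = {0}; size_t tlen = total - ihl;
    memcpy(ph, pkt + 12, 8); ph[9] = 6; ph[10] = (uint8_t)(tlen >> 8); ph[11] = (uint8_t)tlen;
    return csum_fold(csum_add(csum_add(0, ph, 12), pkt + ihl, tlen));
}
/* Zero both checksum fields and recompute them in place; returns 0 on a bad packet. */
size_t fix_checksums(uint8_t *pkt, size_t len) {
    size_t ihl, total = parse_ipv4_tcp(pkt, len, &ihl); if (!total) return 0;
    pkt[10] = pkt[11] = 0; uint16_t c = csum_fold(csum_add(0, pkt, ihl));
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    pkt[ihl + 16] = pkt[ihl + 17] = 0;
    c = tcp_csum(pkt, ihl, total);
    pkt[ihl + 16] = (uint8_t)(c >> 8); pkt[ihl + 17] = (uint8_t)c;
    return total;
}
/* 1 if both checksums verify: a correct one's-complement sum including the stored field folds to 0. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    size_t ihl, total = parse_ipv4_tcp(pkt, len, &ihl);
    return total && csum_fold(csum_add(0, pkt, ihl)) == 0 && tcp_csum(pkt, ihl, total) == 0;
}
/* The outbound rewrite: both addresses become 127.0.0.1, the destination port becomes redir_port. */
size_t redirect_to_loopback(uint8_t *pkt, size_t len, uint16_t redir_port) {
    size_t ihl; if (!parse_ipv4_tcp(pkt, len, &ihl)) return 0;
    memset(pkt + 12, 0, 8); pkt[12] = pkt[16] = 127; pkt[15] = pkt[19] = 1;
    pkt[ihl + 2] = (uint8_t)(redir_port >> 8); pkt[ihl + 3] = (uint8_t)redir_port;
    return fix_checksums(pkt, len);
}
/* Constructed sample (not a capture): a 40-byte SYN 192.168.1.10:50000 -> 198.51.100.7:80, checksums 0. */
uint8_t sample_pkt[40] = {0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 168, 1, 10, 198, 51, 100, 7,
    0xC3, 0x50, 0, 80, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xFF, 0xFF, 0, 0, 0, 0};
```

The reverse mapping on the way back (localhost:redirPort to localhost:sourceport) is the same edit with the saved original addresses and port, followed by the same checksum fix-up.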
  • Are you handling the case of multiple packets? Sometimes a NET_BUFFER_LIST contains multiple packets, and if you handle one packet at a time then it slows down your network badly.
    Wednesday, May 21, 2008 12:45 AM
  • I think this may be a good point.

     

    Zdenek, it appears that you don't have the same constraint as the original poster -- it looks like in your case the network media is not unplugged and hence you get the ALE_AUTH_CONNECT callout.

     

    If that's the case, it would be better for you to intercept the packets at OUTBOUND_TRANSPORT and utilize the FwpsInjectTransportSendAsync0 API. You should get better perf that way.

     

    Hope this helps,

    Biao.W.

     

    Wednesday, May 21, 2008 3:24 AM
  • Anupama Vasanth [MSFT] wrote:

    "You cannot send a packet to a loopback address (127.x.x.x) from a non-loopback address. This is by design and hence the STATUS_INVALID_ADDRESS_COMPONENT error is valid."

    Coming from question [1], which your post helped to resolve, and having [2], [3] as related.

    Where have you got this info?

    I submitted this question in [5], since the answerer was not seen on site for a year.

    Cited:

    [1] The question "Windows Server 2008 - Connecting to 127.0.0.1"
    http://serverfault.com/questions/170476/windows-server-2008-connecting-to-127-0-0-1/

    [2] Misunderstanding MS KB article on Loopback Check security feature
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1d386ea9-9313-4f38-8016-8ea3af9492e1

    [3] http://superuser.com/questions/178187/on-disabling-loopback-check-security-feature-in-windows-xp-pro-sp3

    [4] http://support.microsoft.com/kb/896861/en-us
    (You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version)

    [5] Up-to-date description of loopback check security feature by MS?
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ef870972-e634-407c-b4f0-be995bd5f6bf

    Saturday, August 21, 2010 7:20 PM