Re-injected packet in IP FORWARD layer incorrectly gets NATed

  • Question

  • So I wrote a callout in the IPForward layer on a Windows 2008 server that blocks all packets and, in response to a new TCP-SYN packet, sends a TCP-RST packet. I am encountering the following problem.
     
    (previous thread on this topic:  http://social.msdn.microsoft.com/Forums/en/wfp/thread/56af97f7-eb77-4522-b4bc-7d4f7fae9b88 )

    - The server has a filter/callout to block all traffic from a private subnet to the Internet.
    - NAT is enabled on the server (Windows 2008) for all Internet-bound traffic from the private subnet.
    - I capture the TCP-SYN at the IPFORWARD layer on the server from the private subnet and re-inject a TCP-RST at the same layer. I swap the source/destination addresses. So if a TCP-SYN originates from the private subnet, it immediately gets a TCP-RST.
    - The problem is that the re-injected packet gets NATed, i.e. if the TCP-SYN had source/destination A/B, the TCP-RST should have B/A, where A is a private subnet address (192.168.x.y) and B is a routable IP address. But what I see is that the TCP-RST received by the originator of the TCP-SYN has addresses D/A, where D is the server address, due to NAT. The port is also changed.

    I use the FwpsInjectForwardAsync0 function to inject the TCP-RST in the forward path. I have created a new sublayer.

    Not sure why NAT comes into the picture on a packet that is routed to a private subnet in the forward layer.

    Thanks for your help.


    Sunday, October 4, 2009 7:19 PM
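The post builds the RST by swapping the SYN's addresses and ports. The following is an added example, not code from this thread or from Windows/WFP, that shows that construction in plain user-mode C for an option-less IPv4/TCP SYN, including the IP and TCP checksums a freshly built packet needs before it is handed to an injection API. The sample SYN bytes, the addresses 192.168.1.10 and 203.0.113.5 (a documentation range) and every function name are constructed for the example; the injection call and the NAT behaviour discussed above are outside its scope.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 20          /* IPv4 and TCP headers without options */
#define RST_LEN (2 * HDR_LEN)

/* Ones-complement accumulate over big-endian 16-bit words (odd trailing byte padded). */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    while (len > 1) { acc += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold carries and complement: the value that goes into a checksum field. */
static uint16_t csum_finish(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xFFFFu) + (acc >> 16);
    return (uint16_t)~acc;
}

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Build an IPv4 TCP RST/ACK answering the SYN in `syn` (hypothetical helper).
 * Only option-less IPv4 headers are handled (IHL == 5); TCP options on the SYN are ignored.
 * Returns 1 and fills `out` (RST_LEN bytes) on success, 0 if `syn` is not a bare SYN. */
int build_tcp_rst(const uint8_t *syn, size_t syn_len, uint8_t out[RST_LEN]) {
    if (syn_len < RST_LEN) return 0;
    if (syn[0] != 0x45 || syn[9] != 6) return 0;       /* IPv4, IHL 5, protocol TCP */
    const uint8_t *tcp = syn + HDR_LEN;
    if ((tcp[13] & 0x12) != 0x02) return 0;            /* SYN set, ACK clear */

    memset(out, 0, RST_LEN);
    /* IPv4 header: version/IHL, total length, DF, TTL, protocol, swapped addresses. */
    out[0] = 0x45;
    wr16(out + 2, RST_LEN);
    out[6] = 0x40;                                     /* DF */
    out[8] = 64;                                       /* TTL */
    out[9] = 6;                                        /* TCP */
    memcpy(out + 12, syn + 16, 4);                     /* src = SYN's dst */
    memcpy(out + 16, syn + 12, 4);                     /* dst = SYN's src */
    wr16(out + 10, csum_finish(sum16(out, HDR_LEN, 0)));

    /* TCP header: ports swapped, seq 0, ack = SYN seq + 1 (SYN occupies one
     * sequence number), flags RST|ACK, window 0. */
    uint8_t *t = out + HDR_LEN;
    memcpy(t, tcp + 2, 2);
    memcpy(t + 2, tcp, 2);
    wr32(t + 4, 0);
    wr32(t + 8, rd32(tcp + 4) + 1);
    t[12] = 5 << 4;                                    /* data offset: 5 words */
    t[13] = 0x14;                                      /* RST | ACK */
    /* TCP checksum covers the pseudo-header (addresses, protocol 6, TCP length) plus the header. */
    uint32_t acc = sum16(out + 12, 8, 0) + 6 + HDR_LEN;
    wr16(t + 16, csum_finish(sum16(t, HDR_LEN, acc)));
    return 1;
}

/* Returns 1 if both the IPv4 and TCP checksums of an option-less IPv4/TCP packet verify. */
int checksums_ok(const uint8_t *pkt) {
    if (csum_finish(sum16(pkt, HDR_LEN, 0)) != 0) return 0;
    uint32_t acc = sum16(pkt + 12, 8, 0) + 6 + HDR_LEN;
    return csum_finish(sum16(pkt + HDR_LEN, HDR_LEN, acc)) == 0;
}

/* Constructed sample: SYN from 192.168.1.10:40000 to 203.0.113.5:80, seq 0x01020304.
 * Its checksum fields are left zero; build_tcp_rst never reads them. */
const uint8_t SAMPLE_SYN[RST_LEN] = {
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 203,0,113,5,
    0x9C,0x40, 0x00,0x50, 0x01,0x02,0x03,0x04, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xFF,0xFF, 0x00,0x00, 0x00,0x00
};

int main(void) {
    uint8_t rst[RST_LEN];
    if (!build_tcp_rst(SAMPLE_SYN, sizeof SAMPLE_SYN, rst)) return 1;
    printf("RST %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d  checksums %s\n",
           rst[12], rst[13], rst[14], rst[15], (rst[20] << 8) | rst[21],
           rst[16], rst[17], rst[18], rst[19], (rst[22] << 8) | rst[23],
           checksums_ok(rst) ? "ok" : "bad");
    return 0;
}
```

The reply carries the ACK flag with ack = SYN seq + 1 and seq 0, which is the form a host accepts as a reset of a half-open connection; a RST that only swaps addresses but leaves the sequence fields unchanged is silently dropped by the originator. Checking `checksums_ok` on the buffer before injection rules out a corrupted packet as the cause when the reset does not arrive as expected.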

Answers

  • Can you try FwpsInjectNetworkReceiveAsync0 instead of FwpsInjectForwardAsync0?

    Thanks,
    Biao.W.
    Wednesday, October 28, 2009 1:48 AM

All replies

  • Looks like no one cares to reply to this question.
    Tuesday, October 27, 2009 2:19 AM