
lwip local port forwarding not working in lwip - corrected files attached (IDFGH-6825) #8451

Closed
mtnbkr88 opened this issue Feb 22, 2022 · 6 comments
Labels: Resolution: Done (Issue is done internally); Status: Done (Issue is done internally)

Comments

@mtnbkr88

I needed the ability to port forward back onto the same network but the current lwip files as of ESP-IDF 4.4.0 do not support this. The attached files add this capability to lwip. I built an ESP32LocalPortForwarder app that provides a web interface to manage port forward rules using these updated lwip files (https://github.com/mtnbkr88/ESP32LocalPortForwarder). Copy the attached files (removing .txt from the name) to these locations to enable local port forwarding:

ESP-IDF\components\lwip\lwip\src\core\ipv4\ip4.c
ESP-IDF\components\lwip\lwip\src\core\ipv4\ip4_napt.c
ESP-IDF\components\lwip\lwip\src\include\lwip\ip4_napt.h

I also had to modify opt.h and enable the below because menuconfig does not support enabling all these options:
#define IP_FORWARD 1
#define IP_NAPT 1
#define IP_FORWARD_ALLOW_TX_ON_RX_NETIF 1

Please add these changed files to future versions of lwip so local port forwarding will be available for anybody if needed.

ip4_napt.h.txt
ip4.c.txt
ip4_napt.c.txt

@espressif-bot espressif-bot added the Status: Opened Issue is new label Feb 22, 2022
@github-actions github-actions bot changed the title lwip local port forwarding not working in lwip - corrected files attached lwip local port forwarding not working in lwip - corrected files attached (IDFGH-6825) Feb 22, 2022
@0xjakob
Contributor

0xjakob commented Feb 23, 2022

@mtnbkr88 Would you mind creating a pull request for this? Then we can easily have discussions on part of the code and the contribution will be attributed to you.

@mtnbkr88
Author

I'm new to the git pull push stuff. Please tell me what to pull and how to do a pull request for this specific issue.

In the files I changed some debug stuff to give better info for debug. The real changes are as follows:

  1. Added one more field to napt_table in ip4_napt.c so it tracks src address/port to the to port on the port forwarder and the from port on the port forwarder to the dest address/port.
  2. In ip4.c added function ip4_forward_local which is called from ip4_input when it's determined the incoming packet is for this local interface. ip4_forward_local calls ip_napt_forward_local.
  3. In ip4_napt.c added function ip_napt_forward_local which checks napt_table to see if port forwarding info on the same network going either direction is present. If yes, the source and dest address/port are updated to forward the packet back out the same netif. If the info is not found, portmap_table is checked to see if a port forwarding rule for this local port is there. If a rule is found, complete port forwarding info is added to the napt_table and the source and dest address/port are updated to forward the packet out the same netif. If a rule is not found in portmap_table, the function returns processing back to ip4_forward_local then back to ip4_input.
  4. You already saw my comment about setting IP_FORWARD, IP_NAPT and IP_FORWARD_ALLOW_TX_ON_RX_NETIF in opt.h.

I'm happy to answer any questions you have but I will be away on a camping trip from Thursday 2/24 through Sunday 2/27 so my responses may be delayed a few days.

Thank you.

@xueyunfei998

hi @mtnbkr88

If you just want to use the data forwarding function, you can turn on the IP_FORWARD function in menuconfig, but there is a bug in this function, and I will provide you with a patch.

@xueyunfei998

@mtnbkr88
Author

As currently written in ESP-IDF 4.4.0, lwip cannot possibly forward back onto the same network (what I need) without errors. I will explain. If A is the source, B the port forwarder and C the destination, as currently written ip4_forward only modifies the destination in the packet. So a packet will be forwarded with source as A and destination as C. This is okay if the packet is going to a different network than the source. If the destination is on the same network (netif) as the source then when C receives the packet it will return directly to A. Then A will drop the packet because it does not have any known connections with C. A had a connection open to B, not C. (I verified this behavior with wireshark.) My update to lwip fixes this. If the packet is forwarded to the same network as the source, my update will have destination C return to B which will then return to A. All traffic is as expected, all connections are properly handled.
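The two comments above (the four-point change list and the A/B/C explanation) describe the same mechanism: a hairpin forwarder must rewrite the source as well as the destination so that the reply from C comes back through B instead of going straight to A. The following is an added, self-contained model of that lookup and rewrite written for this page; it is not lwip's ip4_napt.c, and the table layouts, the names forward_local, napt_table, portmap_table, and the 10.0.0.x addresses and ports are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of hairpin ("local") port forwarding: client A on the LAN connects to
 * forwarder B's mapped port, B rewrites BOTH source and destination so server C
 * (same LAN) replies to B, and B rewrites the reply back toward A.
 * Illustrative code for this page, not lwip's ip4_napt.c. Addresses are
 * host-order uint32_t values; all three hosts are constructed sample values. */

#define A_IP 0x0A000002u   /* 10.0.0.2  client                       */
#define B_IP 0x0A000001u   /* 10.0.0.1  forwarder (this device)      */
#define C_IP 0x0A000003u   /* 10.0.0.3  server behind the rule       */

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
} pkt_t;

/* Static rule: traffic arriving at B:mport is delivered to dest_ip:dest_port. */
typedef struct { uint16_t mport; uint32_t dest_ip; uint16_t dest_port; } portmap_t;

/* Dynamic entry holding both halves of one forwarded connection (the extra
 * "from port on the forwarder" field is what makes the return path work). */
typedef struct {
    int      used;
    uint32_t src_ip;   uint16_t src_port;  /* A                              */
    uint16_t mport;                        /* port on B that A connected to  */
    uint16_t fwd_port;                     /* port on B used toward C        */
    uint32_t dest_ip;  uint16_t dest_port; /* C                              */
} napt_entry_t;

#define NAPT_MAX 8
static napt_entry_t   napt_table[NAPT_MAX];
static const portmap_t portmap_table[] = { { 8080, C_IP, 80 } }; /* constructed rule */
static uint16_t        next_fwd_port = 40000;

void napt_reset(void) { memset(napt_table, 0, sizeof napt_table); next_fwd_port = 40000; }

static napt_entry_t *napt_alloc(void) {
    for (int i = 0; i < NAPT_MAX; i++) if (!napt_table[i].used) return &napt_table[i];
    return NULL;
}

/* Rewrite a packet addressed to the forwarder itself. Returns 1 if the packet
 * was rewritten and must be sent back out the receiving netif, 0 if it is
 * ordinary local traffic for this device's own stack. */
int forward_local(pkt_t *p) {
    if (p->dst_ip != B_IP) return 0;

    for (int i = 0; i < NAPT_MAX; i++) {
        napt_entry_t *e = &napt_table[i];
        if (!e->used) continue;
        /* A -> B:mport : send on as B:fwd_port -> C:dest_port */
        if (p->src_ip == e->src_ip && p->src_port == e->src_port && p->dst_port == e->mport) {
            p->src_ip = B_IP;       p->src_port = e->fwd_port;
            p->dst_ip = e->dest_ip; p->dst_port = e->dest_port;
            return 1;
        }
        /* C:dest_port -> B:fwd_port : reply goes back as B:mport -> A:src_port */
        if (p->src_ip == e->dest_ip && p->src_port == e->dest_port && p->dst_port == e->fwd_port) {
            p->src_ip = B_IP;      p->src_port = e->mport;
            p->dst_ip = e->src_ip; p->dst_port = e->src_port;
            return 1;
        }
    }

    /* No connection yet: consult the static rules and create one. */
    for (size_t i = 0; i < sizeof portmap_table / sizeof portmap_table[0]; i++) {
        const portmap_t *r = &portmap_table[i];
        if (r->mport != p->dst_port) continue;
        napt_entry_t *e = napt_alloc();
        if (!e) return 0;                          /* table full: leave it local */
        e->used = 1;
        e->src_ip = p->src_ip;  e->src_port = p->src_port;
        e->mport  = r->mport;   e->fwd_port = next_fwd_port++;
        e->dest_ip = r->dest_ip; e->dest_port = r->dest_port;
        p->src_ip = B_IP;       p->src_port = e->fwd_port;
        p->dst_ip = e->dest_ip; p->dst_port = e->dest_port;
        return 1;
    }
    return 0;
}

/* Walk one request/reply pair through the forwarder; returns 1 if both
 * directions were rewritten as the issue describes. */
int demo_roundtrip(void) {
    napt_reset();
    pkt_t req = { A_IP, B_IP, 51000, 8080 };
    if (forward_local(&req) != 1) return 0;
    if (req.src_ip != B_IP || req.src_port != 40000 || req.dst_ip != C_IP || req.dst_port != 80) return 0;
    pkt_t rep = { C_IP, B_IP, 80, 40000 };
    if (forward_local(&rep) != 1) return 0;
    return rep.src_ip == B_IP && rep.src_port == 8080 && rep.dst_ip == A_IP && rep.dst_port == 51000;
}

/* A port with no rule must stay local and untouched; returns 1 if so. */
int demo_unmapped_stays_local(void) {
    napt_reset();
    pkt_t p = { A_IP, B_IP, 51000, 22 };
    return forward_local(&p) == 0 && p.dst_ip == B_IP && p.dst_port == 22;
}

int main(void) {
    printf("hairpin round trip: %s\n", demo_roundtrip() ? "ok" : "failed");
    printf("unmapped port left local: %s\n", demo_unmapped_stays_local() ? "ok" : "failed");
    return 0;
}
```

The point to check against Wireshark is the second rewrite: with only destination NAT, C's reply would carry dst = A and A would discard it as belonging to no open connection; with the napt_table entry also recording fwd_port, the reply matches the return-direction branch and leaves B as B:8080 -> A, which is the connection A actually opened. Real lwip code would additionally recompute the IP and TCP/UDP checksums after rewriting.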

@0xjakob
Contributor

0xjakob commented Feb 24, 2022

I'm new to the git pull push stuff. Please tell me what to pull and how to do a pull request for this specific issue.

You first need to fork the repository, then upload your code into a branch there, then you can create a pull request in IDF and specify the branch from your fork. See more in how to create a pull request.

@espressif-bot espressif-bot added Resolution: NA Issue resolution is unavailable Status: Done Issue is done internally Resolution: Done Issue is done internally and removed Status: Opened Issue is new Resolution: NA Issue resolution is unavailable labels Mar 8, 2022
espressif-bot pushed a commit that referenced this issue Mar 11, 2022
* Cherry-pick important fixes to 2.1.2-esp
  - CVE-2020-22283: Attacker could craft a packet that would disclose 8 bytes of some heap memory:
    - icmp6: Don't copy too much data
    - icmp6: Fix copying of chained pbuf in reply
    - icmp6: keep to the RFC and send as much as possible with icmp6 error messages
  - CVE-2020-22284: ZEP - ZigBee Encapsulation Protocol/6LoWPAN is not supported in IDF,
    the netif module (zepif.c) is not included in the build, but users can still inject
    the file into compilation process, implement IO interface and use this.
    - zepif: Copy possibly chained output pbuf properly
    - Add #define for minimum IPv6 MTU length
    - pbuf: Add pbuf_copy_partial_pbuf library function
* PPPoS: Fix null-deref when processing double break packet
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
* NAPT: Fix PBUF_REF type to clone the pbuf before forwarding
  - IP-FORWARD: If packet-type is PBUF_REF clone it before forwarding
  - Add NAPT unit test to exercise NAT feature for both RAM and REF pbuf types
* version: Update version numbers to match 2.1.2-esp
* Minor fixes listed below: Fix client receive KOD, NAPT fixes, restore
  dhcp_cb, sntp docs, vendor class id (disabled)

* Update submodule: espressif/esp-lwip@2195f74...76303df

Detailed description of the changes:
  - test/napt: Add unit test for IP forward with PBUF_REF (espressif/esp-lwip@76303df2)
  - napt: Fix PBUF_REF type to clone the pbuf before forwarding (espressif/esp-lwip@39068263)
  - version: Update version numbers to match 2.1.2-esp (espressif/esp-lwip@2b922919)
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
  - pbuf: Add pbuf_copy_partial_pbuf library function (espressif/esp-lwip@1c9cd9c1)
  - Add #define for minimum IPv6 MTU length (espressif/esp-lwip@d2dc577b)
  - zepif: Copy possibly chained output pbuf properly (espressif/esp-lwip@64ab7f2a)
  - icmp6: Don't copy too much data (espressif/esp-lwip@4a64731b)
  - icmp6: Fix copying of chained pbuf in reply (espressif/esp-lwip@7c822ff4)
  - icmp6: keep to the RFC and send as much as possible with icmp6 error messages (espressif/esp-lwip@29100ab6)
  - dns: Add API to clear dns cache (espressif/esp-lwip@ee59f77d)
  - CI: Fixed adding gitlab key (espressif/esp-lwip@5a2bdba7)
  - test case: modify test case test_tcp_new_max_num_remove_FIN_WAIT_1 (espressif/esp-lwip@6b090f7d)
  - add function for deinit lwip timers (espressif/esp-lwip@2749568f)
  - dhcp: Fix build issue that set ESP_DHCP_DISABLE_VENDOR_CLASS_IDENTIFIER to true will build fail (espressif/esp-lwip@d827dbf7)
  - Document that sntp_setservername doesn't copy the string (espressif/esp-lwip@54acdb59) #6786
  - lwip/dhcp: add 60 option for vendor class identify (espressif/esp-lwip@ae7edc2a) espressif/esp-lwip#32
  - dhcp: Restore dhcp_cb on restart after dhcp_release_and_stop() (espressif/esp-lwip@55ea9d9c) #7217
  - napt: Fix disbale IPv6 and enable NAPT will build error (espressif/esp-lwip@74cf7f9f)
  - napt: fix checksum of UDP (espressif/esp-lwip@bb63eed1)
  - sntp: Fix client receive KOD packet that make pool MEMP_SYS_TIMEOUT not be freed (espressif/esp-lwip@1c1642fe)
  - test case: add tcp state and reset test cases. (espressif/esp-lwip@67deb805)

Closes #8300
Closes #8451
espressif-bot pushed a commit that referenced this issue Apr 20, 2022
* Cherry-pick important fixes to 2.1.2-esp
  - CVE-2020-22283: Attacker could craft a packet that would disclose 8 bytes of some heap memory:
    - icmp6: Don't copy too much data
    - icmp6: Fix copying of chained pbuf in reply
    - icmp6: keep to the RFC and send as much as possible with icmp6 error messages
  - CVE-2020-22284: ZEP - ZigBee Encapsulation Protocol/6LoWPAN is not supported in IDF,
    the netif module (zepif.c) is not included in the build, but users can still inject
    the file into compilation process, implement IO interface and use this.
    - zepif: Copy possibly chained output pbuf properly
    - Add #define for minimum IPv6 MTU length
    - pbuf: Add pbuf_copy_partial_pbuf library function
* PPPoS: Fix null-deref when processing double break packet
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
* NAPT: Fix PBUF_REF type to clone the pbuf before forwarding
  - IP-FORWARD: If packet-type is PBUF_REF clone it before forwarding
  - Add NAPT unit test to exercise NAT feature for both RAM and REF pbuf types
* version: Update version numbers to match 2.1.2-esp

* Update submodule: espressif/esp-lwip@2749568...76303df
  - test/napt: Add unit test for IP forward with PBUF_REF (espressif/esp-lwip@76303df2)
  - napt: Fix PBUF_REF type to clone the pbuf before forwarding (espressif/esp-lwip@39068263)
  - version: Update version numbers to match 2.1.2-esp (espressif/esp-lwip@2b922919)
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
  - pbuf: Add pbuf_copy_partial_pbuf library function (espressif/esp-lwip@1c9cd9c1)
  - Add #define for minimum IPv6 MTU length (espressif/esp-lwip@d2dc577b)
  - zepif: Copy possibly chained output pbuf properly (espressif/esp-lwip@64ab7f2a)
  - icmp6: Don't copy too much data (espressif/esp-lwip@4a64731b)
  - icmp6: Fix copying of chained pbuf in reply (espressif/esp-lwip@7c822ff4)
  - icmp6: keep to the RFC and send as much as possible with icmp6 error messages (espressif/esp-lwip@29100ab6)
  - dns: Add API to clear dns cache (espressif/esp-lwip@ee59f77d)
  - CI: Fixed adding gitlab key (espressif/esp-lwip@5a2bdba7)
  - test case: modify test case test_tcp_new_max_num_remove_FIN_WAIT_1 (espressif/esp-lwip@6b090f7d)

Closes #8300
Closes #8451