xt_TPROXY does not function properly under DD-WRT (Linux 4.4) when used with IPv6

After digging into the issue for about two days, it looks to me like it is caused by a bug in ipv6.ko.

Unfortunately, the rootfs is read-only on DD-WRT, so patching ipv6.ko is not an option for me.

The reason xt_TPROXY does not work is that ipv6.ko does not mark the newly accepted socket as no_srccheck. no_srccheck marks a connection as “transparent”, and xt_TPROXY only redirects packets belonging to these “transparent” connections. Because ipv6.ko fails to mark the connection as “transparent”, xt_TPROXY drops all subsequent packets of that connection, including the ACK from the remote side that answers our SYN/ACK.

Because that ACK is dropped, the connection is never established from the router’s perspective and stays in the SYN_RECV state forever, even though the remote side sees the connection as ESTABLISHED as soon as it has sent its ACK.
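To confirm this symptom from the router's shell, the following script (an added example, not code from the original post) counts IPv6 sockets that sit in SYN_RECV on the TPROXY listener port by reading /proc/net/tcp6. The listener port 12345 and the sample table are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post: confirm the "stuck in SYN_RECV"
# symptom by reading /proc/net/tcp6.
# Columns in /proc/net/tcp6: sl local_address remote_address st ...
# Addresses are "addr:port" in uppercase hex; st 03 is SYN_RECV, 01 is ESTABLISHED,
# 0A is LISTEN. Request sockets that never complete the handshake show up as 03.

# count_syn_recv PORT   (reads a /proc/net/tcp6-style table on stdin)
# Prints how many sockets with local port PORT (decimal) are in SYN_RECV.
count_syn_recv() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" '
        NR > 1 {
            split($2, la, ":")            # local_address is addr:port
            if (la[2] == p && $4 == "03") n++
        }
        END { print n + 0 }'
}

# Constructed sample table (not captured from a real router). Port 0x3039 = 12345:
# one LISTEN socket, two request sockets stuck in SYN_RECV, one ESTABLISHED, plus an
# unrelated SYN_RECV entry on port 22 (0x0016) that must not be counted.
SAMPLE_TCP6='  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:3039 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:3039 00000000000000000000000001000000:E1D4 03 00000000:00000000 00:00000000 00000000     0        0 0 0000000000000000 100 0 0 10 -1
   2: 00000000000000000000000001000000:3039 00000000000000000000000001000000:E1D5 03 00000000:00000000 00:00000000 00000000     0        0 0 0000000000000000 100 0 0 10 -1
   3: 00000000000000000000000001000000:3039 00000000000000000000000001000000:E1D6 01 00000000:00000000 00:00000000 00000000     0        0 0 0000000000000000 100 0 0 10 -1
   4: 00000000000000000000000001000000:0016 00000000000000000000000001000000:E1D7 03 00000000:00000000 00:00000000 00000000     0        0 0 0000000000000000 100 0 0 10 -1'

# Run on the constructed sample: prints 2.
printf '%s\n' "$SAMPLE_TCP6" | count_syn_recv 12345

# Live check on the router; the TPROXY listener port 12345 is an assumption.
if [ -r /proc/net/tcp6 ]; then
    echo "SYN_RECV sockets on port 12345: $(count_syn_recv 12345 < /proc/net/tcp6)"
fi
```

A count that keeps growing on the proxy port while clients report established connections matches the behaviour described above; with a working TPROXY setup these entries move from 03 to 01 almost immediately after the client's ACK arrives.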

After trying and failing to replace DD-WRT’s own ipv6.ko from the startup commands with mount -o bind, I worked around the bug in xt_TPROXY.ko by initializing no_srccheck myself, as follows.

(Since tabs are converted to spaces by the editor, the patch below might not apply cleanly. I have also attached the patch here, which should apply without errors.)
