
How to get Linux accept packets destined to non-local addresses?

I have a scenario where our Linux running box has to receive packets destined to non-local addresses. E.g. I don't have 1::1 configured on any of my box's interfaces, but I want to have packets destined to it received. I have got the packets reaching ip6_rcv_finish().

Here ip6_input_route() returns a dst_entry pointing to the discard function. If I add 1::1 to one of the interfaces, I see ip6_input_route() return a dst_entry with ip6_input() and the packet is received by the app through the socket. Is there a way to achieve this without having to add the address explicitly?

I am using IP_BINDTODEVICE and IP_TRANSPARENT options. These options let me bind the socket to 1::1 even though the address is not configured on any interface.

If you configure the neighbouring router/host with a route for destination 1::1 that exits via the interface you are attached to... it will reach you.

The IP_TRANSPARENT setting uses TProxy, which is documented here. The tricky part seems to be getting the packets sent to the interface the socket is bound to. Adapting the instructions in the documentation for IPv6, you should do the following:

# Mark packets whose destination IPs match a local socket
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT

# Configure policy routing to allow marked packets
ip -6 rule add fwmark 1 lookup 100
ip -6 route add local default dev eth1 table 100

Note that eth1 in the route was the interface my socket was bound to. You may have to play around with these settings to get it to work correctly. See here for more info.

I tested this in a two-box Vagrant environment and was able to successfully perform a TCP handshake with a socket bound to a bogus IPv6 address.
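The socket side of the setup above, as an added example that is not part of the original answer: on IPv6 the option that allows bind() to a non-local address is IPV6_TRANSPARENT (level IPPROTO_IPV6), and the interface pinning the question calls IP_BINDTODEVICE is SOL_SOCKET/SO_BINDTODEVICE. The address 1::1, port 8080 and interface eth1 are taken from the thread; the ip6tables and ip rule/route commands above must already be in place for traffic to reach the socket.

```python
import socket

# Linux value of IPV6_TRANSPARENT (include/uapi/linux/in6.h). Python's socket
# module exposes IP_TRANSPARENT but does not always expose the IPv6 variant.
IPV6_TRANSPARENT = getattr(socket, "IPV6_TRANSPARENT", 75)


def transparent_listener(addr: str, port: int, ifname: str = "") -> socket.socket:
    """Create a TCP listener bound to an IPv6 address that is NOT configured
    locally (e.g. 1::1). Setting the transparent option needs CAP_NET_ADMIN
    (or CAP_NET_RAW); without it the kernel returns EPERM."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # IPV6_TRANSPARENT lets bind() succeed for a non-local address and
        # marks the socket as a TPROXY target, which is what "-m socket" finds.
        s.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
        if ifname:
            # Pin the socket to the interface named in the policy route (eth1).
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, ifname.encode())
        s.bind((addr, port))
        s.listen(16)
    except OSError:
        s.close()
        raise
    return s


def is_transparent(s: socket.socket) -> bool:
    """Read the option back so a deployment check can confirm it took effect."""
    return s.getsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT) == 1


def serve_once(s: socket.socket) -> tuple:
    """Accept one connection and return (peer, original destination). On the
    accepted socket getsockname() reports the non-local address the client
    actually connected to, which is how a transparent listener differs from
    an ordinary one."""
    conn, peer = s.accept()
    with conn:
        orig_dst = conn.getsockname()[:2]
        conn.sendall(b"hello from " + orig_dst[0].encode() + b"\n")
    return peer[:2], orig_dst


if __name__ == "__main__":
    srv = transparent_listener("1::1", 8080, "eth1")
    print("transparent option active:", is_transparent(srv))
    print("served:", serve_once(srv))
```

Run as root after applying the ip6tables and ip commands, then connect from the neighbouring box with something like nc; the server reply shows 1::1 as the address the connection arrived on.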
