Nmap Development mailing list archives

Re: nmap won't work with policy route

From: David Fifield <david () bamsoftware com>
Date: Fri, 1 Mar 2013 16:48:04 -0800

On Fri, Mar 01, 2013 at 09:19:33AM +0800, Taburiss S wrote:

    I'm trying to write a shell script to test every network interface in
one server. I have some policy routing rules like below:

#ip rule
0: from all lookup local
1:     from <IP of ppp0> look up ppp0_RT   // <-- （ppp0_RT = default via
<gateway of ppp0>）
2:   from <IP of ppp1> look up ppp1_RT   // <-- （ppp1_RT = default via
<gateway of ppp1>）
32766: from all lookup main
32767: from all lookup default

And the main routing table is shown below
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
172.16.126.229  *               255.255.255.255 UH    0      0        0 ppp1
172.16.126.240  *               255.255.255.255 UH    0      0        0 ppp0
default               *               0.0.0.0                U     0      0
       0 ppp0

Since I want to test every ppp interface, I need to use nmap -e to specify
an output interface like this:
# nmap -e ppp0 -sP 8.8.8.8
This worked well, but
# nmap -e ppp1 -sP 8.8.8.8
end up with an error:
nexthost: failed to determine route to 8.8.8.8

I find that if ppp1 is not 'default' in main routing table, even I have a
ip rule whose priority is higher than the main table, I can't use nmap -e
to force my ping packet goes out through this ppp1 interface. The only way
is to set it to the default dev in main table, but if I do that the same
problem will happen to ppp0 which can not be 'default' anymore.

In my opinion nmap should find the IP address of the interface that given
by -e , and bind a raw socket to this IP, than send ICMP packet to 8.8.8.8.
At this point my ip rules should work well, and the 'default' in main table
should do nothing with this packet. Actually, I wrote a small program like
that , and it do work well.


What version of Nmap are you using?

Newer releases of Nmap use the Netlink interface to ask the kernel for
all routing decisions, so I would expect it to work.

You can get quick feedback on Nmap's routing decisions with the
--route-dst option:

nmap -e ppp0 --route-dst 8.8.8.8
nmap -e ppp1 --route-dst 8.8.8.8

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

nmap won't work with policy route Taburiss S (Feb 28)
- Re: nmap won't work with policy route David Fifield (Mar 01)
  - Re: nmap won't work with policy route John Bond (Mar 06)
    - Re: nmap won't work with policy route John Bond (Mar 06)
    - Re: nmap won't work with policy route John Bond (Mar 06)
    - Re: nmap won't work with policy route David Fifield (Mar 07)
    - Re: nmap won't work with policy route John Bond (Mar 07)
    - Re: nmap won't work with policy route David Fifield (Mar 07)
    - Re: nmap won't work with policy route John Bond (Mar 07)
    - Re: nmap won't work with policy route John Bond (Mar 07)
    - Re: nmap won't work with policy route David Fifield (Mar 07)