* skb_put(): add some data to the end of the data in sk_buff
From: Changho Choi @ 2003-03-27 23:26 UTC (permalink / raw)
To: netfilter
Hi,
I want to add or subtract 40 bytes to the end of the data in sk_buff.
So I made a module to do this.
Actually, I hooked up a packet at LOCAL_OUT for the outgoing packet and added a data structure, sip_tag, to the sk_buff like below.
I added data using skb_put().
When I install the module and run scp to transfer some data, it starts well.
But after it has sent about 320KB, the connection stalls and freezes.
Is there any error in my code?
I appreciate any comments.
Thanks,
Changho Choi
PS: The reception part (sip_input) is also below.
------------------------------------------------------------------------------
sip_output(unsigned int hook, struct sk_buff **pskb,
           const struct net_device *indev,
           const struct net_device *outdev,
           int (*okfn)(struct sk_buff *))
{
    sip_tag *stag;
    struct iphdr *ip_hdr;
    int stag_len;

    ip_hdr = (*pskb)->nh.iph; // ip header
    stag_len = sizeof(sip_tag);

    // new packet size check
    if (stag_len > skb_tailroom(*pskb)) {
        struct sk_buff *newskb;

        printk("...sip_output: newskb...\n");
        newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
                                 stag_len,
                                 GFP_ATOMIC);
        if (!newskb) {
            printk("error: sip_output: resize the pskb...\n");
            return 0;
        } else {
            kfree_skb(*pskb);
            *pskb = newskb;
        }
    }

    // make a room for the security tag
    stag = (sip_tag *) skb_put(*pskb, stag_len);

    // assign some values to the stag
    if (init_stag(ip_hdr, stag) == 0)
        return NF_DROP; // initialize the security tag

    // update ip header
    ip_hdr->tot_len = htons(ntohs(ip_hdr->tot_len) + stag_len);
    ip_send_check(ip_hdr); // calculate new checksum
    (*pskb)->nfcache |= NFC_ALTERED;
    return NF_ACCEPT;
}

// module install
static struct nf_hook_ops secureIP_output
    = { { NULL, NULL }, sip_output,
        PF_INET, NF_IP_LOCAL_OUT,
        NF_IP_PRI_FILTER-1 };

int init_module(void)
{
    /* Register hooks */
    int ret;

    ret = nf_register_hook(&secureIP_output);
    if (ret < 0)
        goto cleanup_output;
    return ret;

cleanup_output:
    nf_unregister_hook(&secureIP_output);
    return 0;
}

void cleanup_module(void)
{
    nf_unregister_hook(&secureIP_output);
}
---- reception part
I removed my data using skb_trim() and updated the IP packet length.
static unsigned int
sip_input(unsigned int hook, struct sk_buff **pskb,
          const struct net_device *indev,
          const struct net_device *outdev,
          int (*okfn)(struct sk_buff *))
{
    sip_tag *stag;
    struct iphdr *ip_hdr;
    unsigned char mac[8];
    int i, stag_len;

    ip_hdr = (*pskb)->nh.iph;
    stag_len = sizeof(sip_tag);

    // get_sip_info()
    stag = (sip_tag *) ((*pskb)->data + (*pskb)->len - stag_len);
    if (calculate_mac(ip_hdr, stag, mac) == 0)
        return NF_DROP; // mac calculation failed

    // check mac value
    if (memcmp(stag->mac, mac, 8) != 0) {
        return NF_DROP;
    }

    // remove stag
    skb_trim(*pskb, (*pskb)->len-stag_len);
    ip_hdr->tot_len = ip_hdr->tot_len - stag_len;
    ip_send_check(ip_hdr); // calculate new checksum
    (*pskb)->nfcache |= NFC_ALTERED;
    return NF_ACCEPT;
}

// module installation part
static struct nf_hook_ops secureIP_input
    = { { NULL, NULL }, sip_input,
        PF_INET, NF_IP_LOCAL_IN,
        NF_IP_PRI_FILTER-2 };

int init_module(void)
{
    /* Register hooks */
    int ret;

    ret = nf_register_hook(&secureIP_input);
    if (ret < 0)
        goto cleanup_output;
    return ret;

cleanup_output:
    nf_unregister_hook(&secureIP_input);
    return 0;
}

void cleanup_module(void)
{
    nf_unregister_hook(&secureIP_input);
}
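
The length bookkeeping that both hooks above depend on, as an added example that is not part of the original post: a userspace model (not kernel code) of appending and stripping a fixed-size trailer on an IPv4 packet. It keeps tot_len in network byte order on both paths, where the receive hook above subtracts from the raw field, and it checks the packet length before locating the trailer. TAG_LEN, the helper names and the sample packet are assumptions; the header checksum update is left out.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 40 /* assumption: stands in for sizeof(sip_tag) */

/* tot_len sits at byte offset 2 of the IPv4 header, in network byte order. */
static uint16_t get_tot_len(const uint8_t *pkt) {
    uint16_t v;
    memcpy(&v, pkt + 2, sizeof v);
    return ntohs(v);
}
static void set_tot_len(uint8_t *pkt, uint16_t host_len) {
    uint16_t v = htons(host_len);
    memcpy(pkt + 2, &v, sizeof v);
}
/* Sender side: append the trailer. Returns the new length or -1. */
int tag_append(uint8_t *pkt, size_t len, size_t cap, const uint8_t *tag) {
    if (len < 20 || (size_t)get_tot_len(pkt) != len) return -1;
    if (len + TAG_LEN > cap || len + TAG_LEN > 0xFFFF) return -1;
    memcpy(pkt + len, tag, TAG_LEN);
    set_tot_len(pkt, (uint16_t)(len + TAG_LEN));
    return (int)(len + TAG_LEN);
}
/* Receiver side: check there is room for a trailer before pointing at it. */
int tag_strip(uint8_t *pkt, size_t len, uint8_t *tag_out) {
    size_t ihl;
    if (len < 20) return -1;
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || (size_t)get_tot_len(pkt) != len || len < ihl + TAG_LEN) return -1;
    memcpy(tag_out, pkt + len - TAG_LEN, TAG_LEN);
    set_tot_len(pkt, (uint16_t)(len - TAG_LEN));
    return (int)(len - TAG_LEN);
}
/* Subtracting from the raw field, as in `tot_len = tot_len - stag_len`:
 * returns the length a reader of the header would then see. */
uint16_t tot_len_after_raw_subtract(uint16_t host_len) {
    return ntohs((uint16_t)(htons(host_len) - TAG_LEN));
}
int main(void) {
    uint8_t pkt[128] = {0x45}, tag[TAG_LEN], out[TAG_LEN]; /* constructed packet */
    memset(tag, 0xAB, sizeof tag);
    set_tot_len(pkt, 60);
    printf("append -> %d\n", tag_append(pkt, 60, sizeof pkt, tag));
    printf("strip  -> %d\n", tag_strip(pkt, 100, out));
    printf("raw subtract on 1540 -> %u\n", tot_len_after_raw_subtract(1540));
    return 0;
}
```

On a little-endian host the raw subtraction turns a 1540-byte tot_len into 56835 instead of 1500; on a big-endian host the two forms agree, which is why this kind of mismatch can go unnoticed in testing.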
* skb_put(): add some data to the end of the data in sk_buff
From: "최창호" @ 2003-03-29 21:40 UTC (permalink / raw)
To: netfilter
* I want to find a good script to make my firewall up
From: FRANCO @ 2003-03-30 12:25 UTC (permalink / raw)
To: 'Changho Choi', netfilter
Good morning,
could they find out where I get a SCRIPT for maintaining my FIREWALL the
best configured possible and more I also hold?
Thank you very much
Franco Catena
http://www.surson.com.br
tel 011-50813861
cel:78535362
NEXTEL: 55*26006*1
MSN: facdavilla@hotmail.com
ICQ: 24755602
* RE: I want to find a good script to make my firewall up
From: Rob Sterenborg @ 2003-03-30 12:39 UTC (permalink / raw)
To: netfilter
> could they find out where I get a SCRIPT for maintaining my
> FIREWALL the best configured possible and more I also hold?
http://iptables-tutorial.frozentux.net/iptables-tutorial.html ?
A nice tutorial with example scripts.
Gr,
Rob
* Re: I want to find a good script to make my firewall up
From: Kim Jensen @ 2003-03-30 12:45 UTC (permalink / raw)
To: FRANCO, 'Changho Choi', netfilter
On Sunday 30 March 2003 14:25, FRANCO wrote:
> Good morning,
>
> could they find out where I get a SCRIPT for maintaining my FIREWALL the
> best configured possible and more I also hold?
>
> Thank you very much
>
Please specify your needs - there are many different ways of setting up a
firewall, so unless we know what you wish for, then it is hard for us to
help.
No matter, you can find some good guidelines for setting up your firewall in
the netfilter documentation.
/Kim