* Reinjecting packets using libipq
From: aksingh @ 2004-04-20 7:56 UTC (permalink / raw)
To: netfilter
hi
when I use ipq_set_verdict to reinject a packet into the kernel from user
space (suppose the verdict is NF_ACCEPT), what happens ...
1) does the packet get reinjected at the PRE_ROUTING phase?
2) If so, can I be sure that the packet doesn't get caught at the same hook
which first queued it to the user space?
thanks
Amit
* Re: Reinjecting packets using libipq
From: Sven Schuster @ 2004-04-20 8:41 UTC (permalink / raw)
To: aksingh; +Cc: netfilter
Hi Amit,
On Tue, Apr 20, 2004 at 01:26:34PM +0530, aksingh@hss.hns.com told us:
> hi
>
> when I use ipq_set_verdict to reinject a packet into the kernel from user
> space (suppose the verdict is NF_ACCEPT), what happens ...
> 1) does the packet get reinjected at the PRE_ROUTING phase?
> 2) If so, can I be sure that the packet doesn't get caught at the same hook
> which first queued it to the user space?
The packet gets reinjected where it was taken to user space. E.g. when
you have a chain with 5 rules and the packet is taken to user space
at rule #3 it will continue traversal in the very same chain at rule #4.
>
> thanks
> Amit
>
HTH
Sven
--
Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
10:38:14 up 2 days, 17:35, 1 user, load average: 0.08, 0.05, 0.01
* Re: Reinjecting packets using libipq
From: aksingh @ 2004-04-20 9:03 UTC (permalink / raw)
To: netfilter
---------------------- Forwarded by Amit Kumar Singh/HSS on 04/20/2004
02:41 PM ---------------------------
Amit Kumar Singh
04/20/2004 02:25 PM
To: Sven Schuster <schuster.sven@gmx.de>
cc:
Subject: Re: Reinjecting packets using libipq (Document link: Amit
Kumar Singh)
Hi Sven,
thanks for the reply, I will be a bit more specific with my question this
time
suppose I am using netfilter hooks, and not iptables ---
my PRE_ROUTING hook returns NF_QUEUE and the packet goes to the user
space, my user space program plays with the packet and then calls
ipq_set_verdict with a verdict of NF_ACCEPT, in this case the packet
would continue its journey in the kernel from after the PRE_ROUTING hook
or would it again get caught by the PRE_ROUTING hook?
Also, I had another doubt, can we use libipq to reinject absolutely new
packets into the kernel at the ip level and make sure that they don't get
caught by our registered netfilter hooks? .. or if we cannot use libipq
then is some other way available (on the same system where we have the
PRE_ROUTING netfilter hook, we want to bypass this hook for certain
packets). The newly injected packets could either be outbound (going to the
wire) or inbound (they after going to ip will have to go up the stack to
tcp and all)
thanks
Amit
[-- Attachment #2: C.DTF --]
[-- Type: application/octet-stream, Size: 198 bytes --]
* Re: Reinjecting packets using libipq
From: Sven Schuster @ 2004-04-20 10:29 UTC (permalink / raw)
To: aksingh; +Cc: netfilter
Hi again,
On Tue, Apr 20, 2004 at 02:25:19PM +0530, aksingh@hss.hns.com told us:
> Hi Sven,
>
> thanks for the reply, I will be a bit more specific with my question this
> time
> suppose I am using netfilter hooks, and not iptables ---
>
> my PRE_ROUTING hook returns NF_QUEUE and the packet goes to the user
> space, my user space program plays with the packet and then calls
> ipq_set_verdict with a verdict of NF_ACCEPT, in this case the packet
> would continue its journey in the kernel from after the PRE_ROUTING hook
> or would it again get caught by the PRE_ROUTING hook?
Well, like I said, when packets are reinjected (by nf_reinject) they
continue traversal at the very next rule in your chain. When there's
no rule left, the traversal of this chain should end. (well that's
what I read from the kernel source, so please anybody correct if I'm
wrong :)
> Also, I had another doubt, can we use libipq to reinject absolutely new
> packets into the kernel at the ip level and make sure that they don't get
> caught by our registered netfilter hooks? .. or if we cannot use libipq
> then is some other way available (on the same system where we have the
> PRE_ROUTING netfilter hook, we want to bypass this hook for certain
> packets). The newly injected packets could either be outbound (going to the
> wire) or inbound (they after going to ip will have to go up the stack to
> tcp and all)
I recently read your new mail at the netfilter mailing list about
(re)injecting new packets from userspace, but actually I don't think
that this would work (or at least it would be quite some work to
do), as you'd also have to build a completely new skb in your
function which would call nf_reinject. Anyone else with more
knowledge on this one??
Another way of injecting packets to the kernel might be packet sockets,
don't know if that would be the right one for you. see man 7 packet
HTH
Sven
>
> thanks
> Amit
>
--
Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
12:17:13 up 2 days, 19:14, 1 user, load average: 4.20, 4.08, 2.82
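An added example, not code from this thread or from the kernel: a small user-space C model of the hook-level case discussed above, where a PRE_ROUTING hook returns NF_QUEUE and user space hands back a verdict. The hook names, the `seen` flag and `run_case` are hypothetical; the verdict values are those of `<linux/netfilter.h>`, and the NF_REPEAT and NF_DROP branches go beyond the NF_ACCEPT case asked about.

```c
#include <stdio.h>

/* Verdict values as defined in <linux/netfilter.h>. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_QUEUE = 3, NF_REPEAT = 4 };

/* Constructed stand-in for an skb: a "seen" flag plus a trace of hooks run. */
struct pkt { int seen; int trace[8]; int n; };
typedef int (*hook_fn)(struct pkt *);

/* Hypothetical hooks registered at PRE_ROUTING, in priority order. */
static int hook_first(struct pkt *p) { (void)p; return NF_ACCEPT; }
static int hook_queue(struct pkt *p) { return p->seen ? NF_ACCEPT : NF_QUEUE; }
static int hook_last(struct pkt *p)  { (void)p; return NF_ACCEPT; }
static hook_fn hooks[] = { hook_first, hook_queue, hook_last };
enum { NHOOKS = 3 };

struct pkt last; /* packet state after the most recent run_case() */

/* Call hooks from index i on; stop at the first verdict that is not ACCEPT. */
static int traverse(struct pkt *p, int i, int *stopped_at) {
    for (; i < NHOOKS; i++) {
        if (p->n < 8) p->trace[p->n++] = i;
        int v = hooks[i](p);
        if (v != NF_ACCEPT) { *stopped_at = i; return v; }
    }
    return NF_ACCEPT;
}

/* Queue a fresh packet, then apply the user-space verdict as nf_reinject
 * does: ACCEPT resumes after the queuing hook, REPEAT calls that hook
 * again, DROP ends traversal. set_seen models user space making the
 * packet recognisable to the hook before handing the verdict back. */
int run_case(int verdict, int set_seen) {
    struct pkt p = { 0, {0}, 0 };
    int at = -1, v = traverse(&p, 0, &at);   /* stops at hook_queue */
    if (v == NF_QUEUE) {
        p.seen = set_seen;
        if (verdict == NF_DROP)        v = NF_DROP;
        else if (verdict == NF_REPEAT) v = traverse(&p, at, &at);
        else                           v = traverse(&p, at + 1, &at);
    }
    last = p;
    return v;
}
static void show(const char *s, int v) { printf("%s: verdict %d, %d hook calls\n", s, v, last.n); }
int main(void) {
    show("ACCEPT", run_case(NF_ACCEPT, 0));
    show("REPEAT, not recognised", run_case(NF_REPEAT, 0));
    show("REPEAT, recognised", run_case(NF_REPEAT, 1));
    return 0;
}
```

In this model an NF_REPEAT verdict on a packet the hook cannot recognise ends in NF_QUEUE again, which is the loop the question about being caught by the same hook is worried about.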
* Re: Reinjecting packets using libipq
From: Jee J.Z. @ 2004-04-20 13:13 UTC (permalink / raw)
To: Sven Schuster, aksingh; +Cc: netfilter
Hi,
You can have a look at 'libnet' for injecting a new packet. I think it's
good for packet construction. But I am not sure whether the newly generated
packet can bypass a certain hook or not at this time.
Jee
* Re: Reinjecting packets using libipq
From: Sven Schuster @ 2004-04-20 13:26 UTC (permalink / raw)
To: Jee J.Z.; +Cc: aksingh, netfilter
Howdy Jee,
On Tue, Apr 20, 2004 at 02:13:16PM +0100, Jee J.Z. told us:
> Hi,
>
> You can have a look at 'libnet' for injecting a new packet. I think it's
> good for packet construction. But I am not sure whether the newly generated
> packet can bypass a certain hook or not at this time.
I think those packets would traverse the hooks as they are injected
completely new into the networking stack. But it would probably be the same
with packet sockets (btw. maybe libnet uses packet sockets and is just
a comfortable way of building the packets).
Sven
>
> Jee
>
--
Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
15:23:25 up 2 days, 22:21, 1 user, load average: 0.00, 0.02, 0.00
* Re: Reinjecting packets using libipq
From: Michelle Konzack @ 2004-04-20 15:53 UTC (permalink / raw)
To: netfilter
Hello aksingh@hss.hns.com,
why do you send the gnupg-signature as application/octet-stream?
Michelle