* [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-08 11:20 UTC (permalink / raw)
To: bridge
Hi Everyone,
I am currently working on an Ethernet Link Encryptor (so it's called). The concept is to have two subnetworks connected together using two bridges, and in the middle lies the internet connection or another network. The bridge is meant for encryption. The encryption module is ready and working (independently); if one bridge is set to crypto, the other is supposed to turn on automatically.
In crypto mode you only accept packets modified by the other bridge; the rest of the packets (the rest of the LANs/internet) are supposed to be dropped. In order to achieve that, I have to modify all the packets passing through the bridge so the other bridge is able to recognise them.
I was modifying the packets in net/bridge/br_forward.c should_deliver(), but on the other end I only received ARP packets as modified. Then I switched over to net/bridge/br_input.c br_handle_frame(), but I am encountering the same problem. And in the kernel log only a few packets appear (dmesg; I'm printing a message).
I need to modify all packets passing through the bridge (in kernel). Any ideas?
Thanks,
Fahim Akhter
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Srinivas M.A. @ 2008-11-08 18:44 UTC (permalink / raw)
To: Fahim Akhter; +Cc: bridge
You could probably use the solution that was given to an earlier
question on this list (Bridge with a tweak...). The message is
archived at https://lists.linux-foundation.org/pipermail/bridge/2008-October/006074.html.
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-10 6:27 UTC (permalink / raw)
To: srinivas.aji; +Cc: bridge
The link https://lists.linux-foundation.org/pipermail/bridge/2008-October/006074.html is about capturing packets and sending them to user space. Speed is important in my current scenario. Is there any way I can do everything in kernel, especially by hacking or tweaking the already existing kernel space, instead of socket programming and capturing packets at the Ethernet level?
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Srinivas M.A. @ 2008-11-10 10:28 UTC (permalink / raw)
To: Fahim Akhter; +Cc: bridge
That message also talks about the case where userspace will not give
you enough performance. The thing to do then would be to write a
network driver which sits on top of a real network device and
processes the packets before passing them on in either direction. Look
for the vlan and bonding drivers for examples. Or maybe you could use
the netfilter hooks in bridging, if your use of this encrypted link is
restricted to being between bridges.
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-10 12:02 UTC (permalink / raw)
To: srinivas.aji; +Cc: bridge
Thanks a lot for the quick replies.
I tried doing it with the bridging hooks, or rather in the bridge. I wrote a script which was used to modify the packets if not already modified, which was placed in /net/bridge/br_forward.c br_forward(), and the packets were listened to and encrypted in /net/bridge/br_forward.c should_deliver(). The encryption keys and status were travelling fine. But upon analysing the packets on the receiving end using a Windows-based packet analyser, I got to know that only ARP broadcast packets were being modified.
I found an old piece of code for kernel 2.4 used for encryption. The encryption was done in /net/bridge/br_input.c br_handle_frame(). I did all the usual stuff there but still no effect; it's still only modifying the ARP packets.
The Ethernet interfaces are running in promiscuous mode, the settings are default and the bridge works fine, except for the fact that it doesn't encrypt.
It's taken me a while to get to this point, this being my first Linux project. I hope I get a solution which takes me forward from this instead of starting from the start...
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Stephen Hemminger @ 2008-11-10 16:35 UTC (permalink / raw)
To: Fahim Akhter; +Cc: bridge
Use ebtables, and write a netfilter module to do what you want.
There is no reason to mess with the bridging infrastructure to do this.
Netfilter is the way to do all the kinds of analysis, filtering, and packet
mangling you might want.
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-11 5:19 UTC (permalink / raw)
To: shemminger; +Cc: bridge
But any ideas on why I always see only ARP packets, not all packets? And do netfilters allow you to actually modify the incoming packet? And do all packets (not only ARP packets) pass through netfilters?
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-11 7:16 UTC (permalink / raw)
To: shemminger; +Cc: bridge
P.S. According to the little knowledge I have, netfilters decide the fate of the packet by looking at the header, not the data, but I need the data to decide what to do with the packet.
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Stephen Hemminger @ 2008-11-11 17:11 UTC (permalink / raw)
To: Fahim Akhter; +Cc: bridge
Netfilter modules can see the whole packet.
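Added example (not code from this thread, from the poster's encryptor, or from the bridge/netfilter sources): the frame-level logic that the netfilter-module approach suggested above, and the earlier pointer to the bridge netfilter hooks, would carry, written as stand-alone userspace C so it compiles and runs on a constructed frame. In a module the two functions would be called from a hook registered for PF_BRIDGE at NF_BR_FORWARD, which hands over the whole frame, header and payload alike, so the verdict can depend on the data and not only on the header. The sending side wraps each frame once under a private EtherType; the receiving side in crypto mode accepts only frames carrying a valid keyed tag from the peer and drops everything else, plain LAN/internet traffic included. The EtherType 0x88B5, the header layout, SipHash-2-4 as the keyed tag, the sequence number and the pre-shared key are all assumptions made for this example. It deliberately authenticates rather than merely marks frames: a recognisable but unkeyed marker could be added by any host on the intermediate network, and the "drop everything not from the other bridge" rule would then be trivial to bypass. Payload confidentiality is left out; the thread's own encryption step would sit between the wrap and the tag.

```c
/* Added example, not code from the thread: the per-frame decision a bridge netfilter hook (PF_BRIDGE,
 * NF_BR_FORWARD) would make for the "crypto mode" described above, as stand-alone userspace C over a
 * constructed frame. EtherType, header layout, tag and key are assumptions, not the poster's design. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define ETH_HLEN      14
#define ETH_P_LINKENC 0x88B5               /* IEEE 802 "local experimental" EtherType, chosen here */
#define TAG_LEN       8
#define LE_HLEN       (2 + 4 + TAG_LEN)    /* orig_proto(2) + seq(4) + tag(8), inserted after the MACs */
#define MAX_FRAME     1600
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };   /* mirrors NF_DROP / NF_ACCEPT */
/* SipHash-2-4, a small keyed PRF. A bare marker byte would be forgeable by any host on the path. */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)
static uint64_t le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16]) {
    uint64_t k0 = le64(key), k1 = le64(key + 8), b = (uint64_t)len << 56; size_t i = 0;
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    for (; i + 8 <= len; i += 8) { uint64_t m = le64(in + i); v3 ^= m; SIPROUND; SIPROUND; v0 ^= m; }
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}
/* Constant-time tag comparison: memcmp() would leak where the first mismatching byte is. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0; for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i]; return d == 0;
}
/* Tag over the whole frame (MACs, EtherType, header, payload) with the tag field itself zeroed. */
static void compute_tag(const uint8_t *frame, size_t len, const uint8_t key[16], uint8_t out[TAG_LEN]) {
    uint8_t copy[MAX_FRAME];
    memcpy(copy, frame, len); memset(copy + ETH_HLEN + 6, 0, TAG_LEN);
    uint64_t t = siphash24(copy, len, key);
    for (int i = 0; i < TAG_LEN; i++) out[i] = (uint8_t)(t >> (8 * i));
}
/* Sending bridge: wrap a frame once (never twice), keeping dst/src MACs. Returns new length or 0. */
static size_t linkenc_encap(uint8_t *frame, size_t len, uint32_t seq, const uint8_t key[16]) {
    if (len < ETH_HLEN || len + LE_HLEN > MAX_FRAME) return 0;
    uint16_t orig = (uint16_t)((frame[12] << 8) | frame[13]);
    if (orig == ETH_P_LINKENC) return 0;               /* already wrapped by this side */
    memmove(frame + ETH_HLEN + LE_HLEN, frame + ETH_HLEN, len - ETH_HLEN);
    frame[12] = ETH_P_LINKENC >> 8; frame[13] = ETH_P_LINKENC & 0xff;
    uint8_t *h = frame + ETH_HLEN;
    h[0] = (uint8_t)(orig >> 8); h[1] = (uint8_t)orig;
    h[2] = (uint8_t)(seq >> 24); h[3] = (uint8_t)(seq >> 16); h[4] = (uint8_t)(seq >> 8); h[5] = (uint8_t)seq;
    compute_tag(frame, len + LE_HLEN, key, h + 6);
    return len + LE_HLEN;
}
/* Receiving bridge in crypto mode: accept only frames the peer tagged, unwrap in place, drop all else. */
static enum verdict linkenc_decap(uint8_t *frame, size_t *len, const uint8_t key[16], uint32_t *last_seq) {
    if (*len < ETH_HLEN + LE_HLEN || *len > MAX_FRAME) return VERDICT_DROP;
    if (((frame[12] << 8) | frame[13]) != ETH_P_LINKENC) return VERDICT_DROP;  /* plain LAN/internet frame */
    uint8_t *h = frame + ETH_HLEN, expect[TAG_LEN];
    compute_tag(frame, *len, key, expect);
    if (!ct_equal(expect, h + 6, TAG_LEN)) return VERDICT_DROP;                /* forged or corrupted */
    uint32_t seq = ((uint32_t)h[2] << 24) | ((uint32_t)h[3] << 16) | ((uint32_t)h[4] << 8) | h[5];
    if (seq <= *last_seq) return VERDICT_DROP;    /* replayed; a real link would keep a sliding window */
    *last_seq = seq; frame[12] = h[0]; frame[13] = h[1];
    memmove(frame + ETH_HLEN, frame + ETH_HLEN + LE_HLEN, *len - ETH_HLEN - LE_HLEN);
    *len -= LE_HLEN;
    return VERDICT_ACCEPT;
}
/* Constructed IPv4 frame: locally administered MACs, arbitrary bytes standing in for the IP packet. */
static size_t build_plain_frame(uint8_t *frame) {
    static const uint8_t hdr[ETH_HLEN] = {2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00};
    static const char payload[] = "constructed payload, not a real IP packet";
    memcpy(frame, hdr, ETH_HLEN); memcpy(frame + ETH_HLEN, payload, sizeof payload);
    return ETH_HLEN + sizeof payload;
}

/* Four cases the hook must get right; returns 1 when the verdict is the expected one. */
int scenario(int which) {
    static const uint8_t key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};   /* constructed PSK */
    uint8_t orig[MAX_FRAME], frame[MAX_FRAME], copy[MAX_FRAME];
    size_t olen = build_plain_frame(orig), len = olen, clen;
    uint32_t last_seq = 0; memcpy(frame, orig, olen);
    if (which == 0)   /* plain frame reaching a crypto-mode bridge: drop */
        return linkenc_decap(frame, &len, key, &last_seq) == VERDICT_DROP;
    len = linkenc_encap(frame, olen, 1, key);
    if (which == 1)   /* genuine peer frame: accept and restore the original bytes */
        return linkenc_decap(frame, &len, key, &last_seq) == VERDICT_ACCEPT && len == olen && !memcmp(frame, orig, olen);
    if (which == 2) { /* payload altered in flight: tag mismatch, drop */
        frame[len - 1] ^= 0x01; return linkenc_decap(frame, &len, key, &last_seq) == VERDICT_DROP;
    }
    memcpy(copy, frame, len); clen = len;   /* which == 3: same tagged frame twice; the second is a replay */
    return linkenc_decap(frame, &len, key, &last_seq) == VERDICT_ACCEPT && linkenc_decap(copy, &clen, key, &last_seq) == VERDICT_DROP;
}
int main(void) {
    for (int i = 0; i < 4; i++) printf("scenario %d: %s\n", i, scenario(i) ? "ok" : "FAIL");
    return 0;
}
```

Build with a C99 compiler (for example `cc -std=c99 -Wall linkenc.c`) and run; each of the four scenarios prints ok. Note that the tag is computed over the MAC addresses and EtherType as well as the payload, so a frame re-addressed in transit fails verification too. The replay check is a strict monotonic counter, which a lossy or reordering path will not tolerate; a deployed link keeps a sliding anti-replay window as IPsec does, and the 0x88B5 EtherType must not collide with anything else on the intermediate network.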
* Re: [Bridge] Modifying All Packets passing through the bridge!
From: Fahim Akhter @ 2008-11-13 6:12 UTC (permalink / raw)
To: shemminger; +Cc: bridge
Thanks a lot for your kind and generous help. So the final point is I use netfilters for it :)
When I was doing the encryption through the bridge, I used to set the status (crypto/plain, master/slave) through bridge control. But since I won't have the back end now, instead netfilters, is there any way to keep the status updated?
Thanks again!