* Raw Sockets and Netfilter
@ 2003-03-25  7:06 Ethan Dameron
  2003-03-25  7:25 ` Patrick Schaaf
  2003-03-25 14:30 ` David Poole
  0 siblings, 2 replies; 10+ messages in thread
From: Ethan Dameron @ 2003-03-25  7:06 UTC (permalink / raw)
  To: netfilter-devel


If I have an IP datagram in userspace and I send it via a raw socket
created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
system call, will this packet traverse the netfilter chains?  If it does
not traverse the firewall, how can I make it do so?

Thanks,

Ethan Dameron




* Re: Raw Sockets and Netfilter
  2003-03-25  7:06 Raw Sockets and Netfilter Ethan Dameron
@ 2003-03-25  7:25 ` Patrick Schaaf
  2003-03-25  8:05   ` Patrick McHardy
  2003-03-26 15:32   ` Harald Welte
  2003-03-25 14:30 ` David Poole
  1 sibling, 2 replies; 10+ messages in thread
From: Patrick Schaaf @ 2003-03-25  7:25 UTC (permalink / raw)
  To: Ethan Dameron; +Cc: netfilter-devel

On Tue, Mar 25, 2003 at 02:06:59AM -0500, Ethan Dameron wrote:
> If I have an IP datagram in userspace and I send it via a raw socket
> created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
> system call, will this packet traverse the netfilter chains?

No. Raw sockets bypass the TCP/IP stack. Netfilter hooks, and
consequently iptables, sit inside the IP stack.

Another effect of the same occurrence is that, even if your iptables
rules drop packets, you can still see them with tcpdump / ethereal.

> If it does not traverse the firewall, how can I make it do so?

The same way arptables and ebtables did it for ARP and bridging:
Make a clone of iptables (e.g. rawtables), kernel and userspace.
Implement the necessary hooks in the raw socket path, and implement
a new table for each of those hooks, into your new rawtables code.

That's not a weekend project.

You MAY get away with just calling the existing iptables hook functions
from additional places (in the raw socket processing path). That may save
you from making yet another copy of the iptables code. However, I don't
know how many normal iptables modules (especially in the NAT paths)
will be completely confused that way - consider the case where you
tcpdump, and each dumped packet then passes the hooks TWICE, once per
normal IP processing, and once for the RAW packet copy.

That's still not a weekend project.

all the best
  Patrick


* Re: Raw Sockets and Netfilter
  2003-03-25  7:25 ` Patrick Schaaf
@ 2003-03-25  8:05   ` Patrick McHardy
  2003-03-25  8:12     ` Patrick Schaaf
  2003-03-26 15:32   ` Harald Welte
  1 sibling, 1 reply; 10+ messages in thread
From: Patrick McHardy @ 2003-03-25  8:05 UTC (permalink / raw)
  To: Patrick Schaaf; +Cc: Ethan Dameron, netfilter-devel

Patrick Schaaf wrote:

> On Tue, Mar 25, 2003 at 02:06:59AM -0500, Ethan Dameron wrote:
>
>> If I have an IP datagram in userspace and I send it via a raw socket
>> created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
>> system call, will this packet traverse the netfilter chains?
>
> No. Raw sockets bypass the TCP/IP stack. Netfilter hooks, and
> consequently iptables, sit inside the IP stack.

Then what is the purpose of ip_conntrack_local:

static unsigned int ip_conntrack_local(...)
{
        /* root is playing with raw sockets. */
        if ((*pskb)->len < sizeof(struct iphdr)
            || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
                if (net_ratelimit())
                        printk("ipt_hook: happy cracking.\n");
                return NF_ACCEPT;
        }
        return ip_conntrack_in(hooknum, pskb, in, out, okfn);
}

Seems like it could be eliminated entirely if you're correct.

Regards,
Patrick


* Re: Raw Sockets and Netfilter
  2003-03-25  8:05   ` Patrick McHardy
@ 2003-03-25  8:12     ` Patrick Schaaf
  2003-03-25  9:11       ` Patrick McHardy
  0 siblings, 1 reply; 10+ messages in thread
From: Patrick Schaaf @ 2003-03-25  8:12 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Patrick Schaaf, Ethan Dameron, netfilter-devel

> static unsigned int ip_conntrack_local(...)
> 
> Seems like it could be eliminated entirely if you're correct.

I could also be wrong. I have not looked at any concrete code,
just wrote what I thought I understood.

Put a printk() there, run the recompiled kernel, and see if you can
trigger the conditional code. If you can't, remove it, and it's up
to the core team to then explain what's really going on :)

best regards
  Patrick "lazy" Schaaf


* Re: Raw Sockets and Netfilter
  2003-03-25  8:12     ` Patrick Schaaf
@ 2003-03-25  9:11       ` Patrick McHardy
  0 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2003-03-25  9:11 UTC (permalink / raw)
  To: Ethan Dameron; +Cc: Patrick Schaaf, netfilter-devel

Hi Ethan,
looks like good news:

ipt_hook: happy cracking.
ipt_hook: happy cracking.
ipt_hook: happy cracking.
ipt_tcpmss_target: bad length (10 bytes)

So your packets will traverse iptables.
Bye,
Patrick


* Re: Raw Sockets and Netfilter
  2003-03-25  7:06 Raw Sockets and Netfilter Ethan Dameron
  2003-03-25  7:25 ` Patrick Schaaf
@ 2003-03-25 14:30 ` David Poole
  1 sibling, 0 replies; 10+ messages in thread
From: David Poole @ 2003-03-25 14:30 UTC (permalink / raw)
  To: netfilter-devel

On Tue, 2003-03-25 at 00:06, Ethan Dameron wrote:
> If I have an IP datagram in userspace and I send it via a raw socket
> created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
> system call, will this packet traverse the netfilter chains?  If it
> does not traverse the firewall, how can I make it do so?
> Version: 6.0.463 / Virus Database: 262 - Release Date: 03/17/2003

What are you trying to do?  Not that I have a solution, but I'm running
into the same problem.  

The DHCP client uses PF_PACKET which bypasses the firewall. 
Consequently, I can't firewall off certain machines.  I've been fiddling
with -j QUEUE and running a user-space DHCP client but the reinjected
packets are going I know not where.

Also, with PF_PACKET, the DHCP client will receive all unicast and
broadcast packets.  On a busy network and a slow system (our embedded
Linux product), the client gets flooded.


-- 
David Poole <davep@portsmith.com>
Portsmith   http://www.portsmith.com
960 Broadway Avenue, Suite 300
Boise, ID  83706
208-395-1300 x241


* Re: Raw Sockets and Netfilter
  2003-03-25  7:25 ` Patrick Schaaf
  2003-03-25  8:05   ` Patrick McHardy
@ 2003-03-26 15:32   ` Harald Welte
  2003-03-26 16:13     ` David Poole
  1 sibling, 1 reply; 10+ messages in thread
From: Harald Welte @ 2003-03-26 15:32 UTC (permalink / raw)
  To: Patrick Schaaf; +Cc: Ethan Dameron, netfilter-devel


On Tue, Mar 25, 2003 at 08:25:44AM +0100, Patrick Schaaf wrote:
> On Tue, Mar 25, 2003 at 02:06:59AM -0500, Ethan Dameron wrote:
> > If I have an IP datagram in userspace and I send it via a raw socket
> > created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
> > system call, will this packet traverse the netfilter chains?
> 
> No. Raw sockets bypass the TCP/IP stack. Netfilter hooks, and
> consequently iptables, sit inside the IP stack.

PF_PACKET sockets bypass the TCP/IP stack.

PF_INET/SOCK_RAW sockets still traverse the TCP/IP stack.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

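Added example (not code from this thread or from the netfilter project) tying together Ethan's question, the ip_conntrack_local() snippet Patrick McHardy quoted, and Harald's correction: a C program that builds an IPv4 datagram in user space, applies the same IHL/length sanity check the kernel hook applies, and sends the datagram through a PF_INET/SOCK_RAW/IPPROTO_RAW socket, where it traverses the IP stack and therefore the OUTPUT hooks. The function names are mine; the 192.0.2.x addresses (RFC 5737 documentation range), the payload, and protocol number 253 (RFC 3692 experimental range) are constructed test values. build_ipv4_datagram(), ip_checksum() and ip_header_sane() run unprivileged; send_raw_ipv4() needs CAP_NET_RAW.

```c
/* Added example, not from the thread: build an IPv4 datagram in user space,
 * check its header the way ip_conntrack_local() does, and send it through
 * PF_INET/SOCK_RAW, which traverses the IP stack and its netfilter hooks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/socket.h>

/* RFC 1071 checksum over an even byte count. Words are summed in memory order,
 * so the result stores directly into iph->check on any endianness, and
 * recomputing over a header whose check field is valid yields 0. */
static uint16_t ip_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    uint16_t w;
    for (; len >= 2; p += 2, len -= 2) {
        memcpy(&w, p, 2);                   /* memcpy: no unaligned access */
        sum += w;
    }
    while (sum >> 16)                       /* fold the carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Mirrors the check in ip_conntrack_local(): a buffer shorter than a minimal
 * IP header, or an IHL claiming fewer than 20 bytes, cannot be parsed. Also
 * rejects (beyond the kernel snippet) an IHL that runs past the buffer. */
static int ip_header_sane(const uint8_t *pkt, size_t len)
{
    struct iphdr iph;
    if (len < sizeof iph)
        return 0;
    memcpy(&iph, pkt, sizeof iph);
    return (size_t)iph.ihl * 4 >= sizeof iph && (size_t)iph.ihl * 4 <= len;
}

/* Write a 20-byte IPv4 header plus payload into buf. Returns the datagram
 * length, or 0 if it does not fit or an address does not parse. */
static size_t build_ipv4_datagram(uint8_t *buf, size_t buflen,
                                  const char *src, const char *dst,
                                  uint8_t proto, const void *payload, size_t plen)
{
    struct iphdr h;
    size_t total = sizeof h + plen;
    if (total > buflen || total > 0xffff)
        return 0;
    memset(&h, 0, sizeof h);                /* id left 0: kernel fills it in */
    h.version = 4;
    h.ihl = 5;                              /* no IP options */
    h.tot_len = htons((uint16_t)total);
    h.ttl = 64;
    h.protocol = proto;
    if (inet_pton(AF_INET, src, &h.saddr) != 1 ||
        inet_pton(AF_INET, dst, &h.daddr) != 1)
        return 0;
    h.check = ip_checksum(&h, sizeof h);    /* check field is still 0 here */
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, plen);
    return total;
}

/* Send via PF_INET/SOCK_RAW/IPPROTO_RAW. IP_HDRINCL is implied, so the header
 * goes out as written; the kernel routes on the sockaddr and still runs the
 * packet through the LOCAL_OUT hooks. Needs CAP_NET_RAW. Returns -1 on error. */
static ssize_t send_raw_ipv4(const uint8_t *pkt, size_t len)
{
    struct sockaddr_in to = { .sin_family = AF_INET };
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return -1;
    memcpy(&to.sin_addr.s_addr, pkt + 16, 4); /* daddr sits at offset 16 */
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n;
}

int main(void)
{
    static const char payload[] = "constructed test payload";
    uint8_t pkt[64];
    size_t n = build_ipv4_datagram(pkt, sizeof pkt, "192.0.2.1", "192.0.2.2",
                                   253, payload, sizeof payload);
    if (n == 0 || !ip_header_sane(pkt, n)) {
        fputs("refusing to send a malformed header\n", stderr);
        return 1;
    }
    if (send_raw_ipv4(pkt, n) < 0) {        /* EPERM without CAP_NET_RAW */
        perror("sendto");
        return 1;
    }
    printf("sent %zu bytes through the OUTPUT hooks\n", n);
    return 0;
}
```

Two points for anyone reproducing this: with IPPROTO_RAW the kernel implies IP_HDRINCL, so the header is sent as written, but the destination still has to be supplied via sendto() or connect(), because a bare send() on an unconnected raw socket fails with EDESTADDRREQ. And given Patrick Schaaf's tcpdump remark, traversal is better confirmed by the byte counters of an OUTPUT rule matching protocol 253 than by a packet capture. The ihl = 3 style header that ip_header_sane() rejects is exactly the case the kernel's "happy cracking" branch accepts without connection tracking.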


* Re: Raw Sockets and Netfilter
  2003-03-26 15:32   ` Harald Welte
@ 2003-03-26 16:13     ` David Poole
  0 siblings, 0 replies; 10+ messages in thread
From: David Poole @ 2003-03-26 16:13 UTC (permalink / raw)
  To: netfilter-devel

> PF_PACKET sockets bypass the TCP/IP stack.

Ah.  That makes sense when I finally think about it.

I'm trying to move the DHCP (client currently but eventually server as
well) away from using PF_PACKET to something influenced by iptables
filters.  

Current attempts are using -j QUEUE to receive the packets.  I need to
be able to re-inject a packet to a different destination (from the input
table back out to the output table) back into netfilter.  

I could probably receive through netfilter and send through SOCK_RAW? At
least that might prevent the flooding problems I'm having.


-- 
David Poole <davep@portsmith.com>
Portsmith   http://www.portsmith.com
960 Broadway Avenue, Suite 300
Boise, ID  83706
208-395-1300 x241


* Raw Sockets and Netfilter
@ 2014-01-16 16:12 Albert López
  2014-01-16 16:53 ` Phil Oester
  0 siblings, 1 reply; 10+ messages in thread
From: Albert López @ 2014-01-16 16:12 UTC (permalink / raw)
  To: netfilter

I read from a post in this mailing list (2003) that raw sockets bypass 
the TCP/IP stack, so netfilter cannot manage/filter packets generated by 
raw sockets. I would like to know if this behaviour is still true.

Thanks

Albert


* Re: Raw Sockets and Netfilter
  2014-01-16 16:12 Albert López
@ 2014-01-16 16:53 ` Phil Oester
  0 siblings, 0 replies; 10+ messages in thread
From: Phil Oester @ 2014-01-16 16:53 UTC (permalink / raw)
  To: Albert López; +Cc: netfilter

On Thu, Jan 16, 2014 at 05:12:13PM +0100, Albert López wrote:
> I read from a post in this mailing list (2003) that raw sockets
> bypass the TCP/IP stack, so netfilter cannot manage/filter packets
> generated by raw sockets. I would like to know if this behaviour is
> still true.

Yes.

Phil

