* Inbound packet buffering
From: Doug SC @ 2004-01-19 14:34 UTC (permalink / raw)
  To: netfilter-devel

Good Morning.

I have a kernel driver which has registered for
inbound packets.

nf_register_hook(...NF_IP_PRE_ROUTING...)

I am looking to take action on certain UDP ports on
packets which may exceed MTU.  I see the fragmented
packets at this hook and since I can't be certain of
the order of receipt I need to buffer packets until I
receive the fragment which contains the ports.

Once I can see the port I may want to send all the
packets I have buffered plus the one that allowed me
to make the decision.

I have looked around and thought that the
ip_local_deliver function in ip_input.c looked
promising but it does not appear to be an exported
symbol.

Any info or pointers to existing code would be
appreciated.

Thanks



* Re: Inbound packet buffering
From: Pablo Neira @ 2004-01-19 14:39 UTC (permalink / raw)
  To: Doug SC, netfilter-devel

Hi Doug!

Doug SC wrote:

>Good Morning.
>
>I have a kernel driver which has registered for
>inbound packets.
>
>nf_register_hook(...NF_IP_PRE_ROUTING...)
>
>I am looking to take action on certain UDP ports on
>packets which may exceed MTU.  I see the fragmented
>packets at this hook and since I can't be certain of
>the order of receipt I need to buffer packets until I
>receive the fragment which contains the ports.
>  
>
If you understood well, you don't want to work with fragmented packets 
anymore or you look for an easy way to handle them, do you?

I have two ideas:

a) load the ip_conntrack module for connection tracking; it gathers all 
the fragments in the NF_IP_PRE_ROUTING hook and fragments them again in 
the NF_IP_POST_ROUTING. So you could register your hook in the 
NF_IP_FORWARD hook instead of the NF_IP_PRE_ROUTING hook and you won't 
be working with fragmented packets anymore; the conntrack will do that 
work for you.

b) use the same code as ip_conntrack does:

http://lxr.linux.no/source/net/ipv4/netfilter/ip_conntrack_core.c#L826
http://lxr.linux.no/source/net/ipv4/netfilter/ip_conntrack_standalone.c#L201

cheers,
Pablo


* Re: Inbound packet buffering
From: Harald Welte @ 2004-01-21 14:22 UTC (permalink / raw)
  To: Doug SC; +Cc: netfilter-devel


On Mon, Jan 19, 2004 at 06:34:54AM -0800, Doug SC wrote:
> Good Morning.
> 
> I have a kernel driver which has registered for
> inbound packets.
> 
> nf_register_hook(...NF_IP_PRE_ROUTING...)
> 
> I am looking to take action on certain UDP ports on
> packets which may exceed MTU.  I see the fragmented
> packets at this hook and since I can't be certain of
> the order of receipt I need to buffer packets until I
> receive the fragment which contains the ports.
> 
> Once I can see the port I may want to send all the
> packets I have buffered plus the one that allowed me
> to make the decision.

Please look at the implementation of ip_queue.c and its use of
nf_reinject().  It should provide a good example of exactly what you want to do.

> Thanks

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
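
The hold-until-the-ports-are-visible logic asked about in this thread, as an added userspace example that is not code from any poster or from the kernel: only the fragment with offset 0 carries the UDP header, so later fragments are held per datagram until it arrives. The names `on_packet`, `find_queue` and `struct frag_queue` are hypothetical; timeouts, eviction and the actual reinjection of held packets are left out, and both tables are bounded so a flood of fragments is dropped rather than buffered.

```c
#include <stdint.h>
#include <string.h>

#define IP_MF     0x2000   /* "more fragments" flag */
#define IP_OFFSET 0x1FFF   /* fragment offset, in 8-byte units */
#define MAX_Q     4        /* datagrams tracked at once (bounded on purpose) */
#define MAX_HELD  8        /* fragments held per datagram (bounded on purpose) */
enum verdict { HOLD, ACCEPT, DROP };

struct frag_queue {
    uint8_t key[11];               /* id(2) + protocol(1) + src(4) + dst(4) */
    int used, decided, n_held;
    enum verdict decision;
    const uint8_t *held[MAX_HELD]; /* fragments waiting for the verdict */
};
static struct frag_queue queues[MAX_Q];

/* Find or create the queue for this datagram; NULL when the table is full. */
static struct frag_queue *find_queue(const uint8_t *ip) {
    uint8_t key[11];
    struct frag_queue *q = NULL;
    memcpy(key, ip + 4, 2); key[2] = ip[9]; memcpy(key + 3, ip + 12, 8);
    for (int i = 0; i < MAX_Q; i++) {
        if (queues[i].used && !memcmp(queues[i].key, key, 11)) return &queues[i];
        if (!queues[i].used && !q) q = &queues[i];
    }
    if (q) { memcpy(q->key, key, 11); q->used = 1; }
    return q;
}

/* Verdict for one IPv4 packet; HOLD means "buffer it, ports not seen yet". */
enum verdict on_packet(const uint8_t *ip, size_t len, uint16_t blocked_dport) {
    if (len < 20 || (ip[0] >> 4) != 4) return DROP;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return DROP;
    if (ip[9] != 17) return ACCEPT;                 /* only UDP is filtered here */
    uint16_t frag = (uint16_t)((ip[6] << 8) | ip[7]);
    struct frag_queue *q = (frag & (IP_MF | IP_OFFSET)) ? find_queue(ip) : NULL;
    if ((frag & (IP_MF | IP_OFFSET)) && !q) return DROP; /* table full: fail closed */
    if (q && q->decided) return q->decision;        /* late fragment follows the verdict */
    if (frag & IP_OFFSET) {                         /* non-first fragment: no UDP header */
        if (q->n_held == MAX_HELD) return DROP;
        q->held[q->n_held++] = ip;
        return HOLD;
    }
    if (len < ihl + 4) return DROP;                 /* first fragment lacks the ports */
    uint16_t dport = (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]);
    enum verdict v = dport == blocked_dport ? DROP : ACCEPT;
    if (q) { q->decided = 1; q->decision = v; }     /* caller releases q->held[] with v */
    return v;
}
```

Once `on_packet` returns ACCEPT or DROP for a first fragment, the caller applies that verdict to every pointer in the datagram's `held[]` array.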

