Question about IP rerouting at POST_ROUTE_HOOK

Question about IP rerouting at POST_ROUTE_HOOK

[Glenn.Swonk]

I have written a netfilter module that loads as a kernel loadable module.

I am hooking into the NF_IP_POST_ROUTING hook.

I am trying to change the destination (IP address) of the packet at this
point and am having a problem.

I am able to change the dest IP address but it is sent out with the
original IP destination's  MAC address.

I cannot seem to change the destination MAC address at this point.

Is there a problem with changing the IP address (by manipulation of the
skbuf data structure) or
is a better method.

Any suggestions?

thanks,
glenn







Glenn Swonk
Toshiba America Information System
9740 Irvine Blvd.
Irvine, CA 92618

949-587-6530
gswonk at tais.com

Not Done = Less than 100%
Testing is never finished, only abandoned...

Re: Question about IP rerouting at POST_ROUTE_HOOK

[Patrick McHardy]

Glenn.Swonk@tais.com wrote:
> I have written a netfilter module that loads as a kernel loadable module.
> 
> I am hooking into the NF_IP_POST_ROUTING hook.
> 
> I am trying to change the destination (IP address) of the packet at this
> point and am having a problem.
> 
> I am able to change the dest IP address but it is sent out with the
> original IP destination's  MAC address.
> 
> I cannot seem to change the destination MAC address at this point.

You need to make a new route lookup with the changed IP.
The easiest way of doing so is using ip_route_me_harder, it also
does all the work like relocating the packet if the headroom is
too small for the new output device etc.

Regards
Patrick

> 
> Is there a problem with changing the IP address (by manipulation of the
> skbuf data structure) or
> is a better method.
> 
> Any suggestions?
> 
> thanks,
> glenn
> 
> 
> 
> 
> 
> 
> 
> Glenn Swonk
> Toshiba America Information System
> 9740 Irvine Blvd.
> Irvine, CA 92618
> 
> 949-587-6530
> gswonk at tais.com
> 
> Not Done = Less than 100%
> Testing is never finished, only abandoned...
> 
> 

Updating a modular ip_queue

[Scott MacKay]

Hello,
    I would like to pass back more info to a userspace
ip_queue target than the current ipq_packet_msg
allows.  My thought was to add on the fields I wanted
to the structure.  A few quick greps and it appears
the only one who use a ipq_packet_msg in the kernel is
the ip_queue source file.  Optionally, if there is a
good method of passing session info already, that
would be good to know.
I plan to build ip_queue in module format and compile
the libraries by hand (so the libs get the full
ip_packet_msg definition).  On doing this, do I really
need to anything to the distributed kernel other than
copy the ip_queue.o object file into the /lib area?  

__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools

Re: Updating a modular ip_queue

[Henrik Nordstrom]

On Mon, 1 Mar 2004, Scott MacKay wrote:

> I plan to build ip_queue in module format and compile
> the libraries by hand (so the libs get the full
> ip_packet_msg definition).  On doing this, do I really
> need to anything to the distributed kernel other than
> copy the ip_queue.o object file into the /lib area?  

Not that I know of. The structure is as you mention internal to ip_queue 
and not used by any other parts of the kernel.

Regards
Henrik

Re: Question about IP rerouting at POST_ROUTE_HOOK

[Henrik Nordstrom]

On Sun, 29 Feb 2004 Glenn.Swonk@tais.com wrote:

> I am trying to change the destination (IP address) of the packet at this
> point and am having a problem.
> 
> I am able to change the dest IP address but it is sent out with the
> original IP destination's  MAC address.

See ip_route_me_harder usage in iptables (iptable_mangle is a good and
clear example on this)

As you have hooked in to the IP kernel after routing have already taken 
place it is your responsibility to rerout the packet if you make 
modifications which should affect how the packet is routed.

Regards
Henrik