From: Emmanuel Guiton <emmanuel@netlab.hut.fi>
To: lmn@mail.xprtsol.com
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: change ip address in the hook
Date: Wed, 31 Mar 2004 08:16:25 +0300
Message-ID: <406A5429.5000009@netlab.hut.fi>
In-Reply-To: 20040331000800.GB24425@mail.xprtsol.com

Hi!

I think you can use ip_fast_csum() (I use it for a similar purpose);
however, a faster function may exist.

Each time you change an IP field the checksum has to be calculated
again. The IP checksum covers every field in the IP header, including
the ones that will surely change (like TTL).

I looked briefly at the ipt_MIRROR.c target and I guess it does not need
to calculate a new checksum as it does not change. The IP addresses are
just inverted, so it is still the same data which is covered by the
checksum.

Emmanuel

lmn@mail.xprtsol.com wrote:
>Hello,
>
>Thanks so much. I just found out the reason may be that I didn't do IP checksum after I changed the source IP in the LOCAL_OUT hook. Is the ip_fast_csum() good to use here? Also I want to change the destination IP of an incoming packet in PRE_ROUTING hook, do I need to calculate the checksum at this point again?
>
>I read the ipt_MIRROR.c and didn't see IP checksum there. Maybe it just exchanges source IP with destination IP, and the checksum algorithm will get the same result.
>
>Regards,
>
>LMN
>
>On Tue, Mar 30, 2004 at 08:13:53AM +0300, Emmanuel Guiton wrote:
>
>
>>Hi!
>>
>>Can you be a bit more precise in what you do when you "change the ip
>>address of a packet in the LOCAL_OUT hook and let it send out"? What are
>>all the operations you do? Which address (source / destination) do you
>>change? Do you calculate a new IP checksum after having changed the IP
>>address?
>>
>> Emmanuel
>>
>>
>>lmn@mail.xprtsol.com wrote:
>>
>>
>>
>>>Hi,
>>>
>>>For example, I want to change the ip address of a packet in the LOCAL_OUT
>>>hook and let it send out, but I didn't see the packet on the wire. (Route
>>>for the modified ip addresses existed.) Similar things happen for the
>>>PRE_ROUTING hook. This is like doing the NAT manually.
>>>
>>>If I use iptables command to add a rule doing the similar function, I can
>>>see the packet was sent out. So what is the difference inside these two
>>>approaches?
>>>
>>>Thanks,
>>>
>>>LMN

Thread overview: 4+ messages
2004-03-28 21:57 change ip address in the hook lmn
2004-03-30 5:13 ` Emmanuel Guiton
2004-03-31 0:08 ` lmn
2004-03-31 5:16 ` Emmanuel Guiton [this message]
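
The checksum behaviour discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a userspace C program showing that rewriting one address invalidates the IPv4 header checksum until it is recomputed, while swapping source and destination leaves it valid. The function names, the sample header and the replacement address are constructed for illustration; `ip_hdr_csum()` is a portable stand-in for the value the kernel's `ip_fast_csum()` computes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 checksum over an IPv4 header of ihl 32-bit words (userspace stand-in). */
static uint16_t ip_hdr_csum(const uint8_t *hdr, unsigned ihl)
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < ihl * 4u; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Zero the checksum field (bytes 10-11), recompute it, store it big-endian. */
static void ip_hdr_fix(uint8_t *hdr)
{
    hdr[10] = hdr[11] = 0;
    uint16_t c = ip_hdr_csum(hdr, hdr[0] & 0x0f);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)c;
}

/* Constructed sample: 192.0.2.1 -> 198.51.100.7, TTL 64, TCP, checksum zeroed. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 7 };

/* mode 0: rewrite source; 1: rewrite + recompute; 2: swap src/dst. 1 = header verifies. */
static int valid_after(int mode)
{
    static const uint8_t new_src[4] = {203, 0, 113, 9};   /* constructed address */
    uint8_t h[20];
    memcpy(h, sample_hdr, sizeof h);
    ip_hdr_fix(h);                          /* start from a valid header */
    /* bytes 12-15: new source, or the old destination for a MIRROR-style swap */
    memcpy(h + 12, mode == 2 ? sample_hdr + 16 : new_src, 4);
    if (mode == 2)
        memcpy(h + 16, sample_hdr + 12, 4); /* old source becomes destination */
    if (mode == 1)
        ip_hdr_fix(h);
    return ip_hdr_csum(h, 5) == 0;          /* valid header sums to zero */
}

int main(void)
{
    printf("%d %d %d\n", valid_after(0), valid_after(1), valid_after(2));
    return 0;
}
```

The swap case verifies without a recompute because the one's-complement sum does not depend on the order of the 16-bit words it covers.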