How can I get these packets in the user space application?

How can I get these packets in the user space application?

[Srinivas G.]

Dear all,

I have developed a very simple/small net filter driver to capture the
network packets from my network path. It was working fine. Whenever a
packet goes through my network path it was simply prints a message. It
was printing the messages fine.

The kernel version is 2.4.18-3 with Red Hat 7.3

My question is: How can I get these packets in the user space
application?
What APIs can I use? Is there any specific APIs are available? If
possible give some links or sample code which explains about it.

Please see the code attached below.

========================================================================
===================

#include <linux/module.h>		/* for module parameters */
#include <linux/kernel.h>		/* for printk function */
#include <linux/init.h>			/* for module explicit
definitions */
#include <linux/netfilter.h>		/* for netfilter structure */
#include <linux/netfilter_ipv4.h>	/* for IPv4 specific defines */
#include <linux/vmalloc.h>		/* for vmalloc function */

#ifdef NETFILTER_DBG
#define PRINTK(fmt,arg...) printk("NET_DBG <%s> | "
fmt,__FUNCTION__,##arg); #else #define PRINTK(fmt,arg...) while(0)
#endif

/* define the maximum packet buffer */
#define MAX_PACK_BUFF   2048

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Srinivas G at ESN Technologies");

/* define netfilter structure here */
static struct nf_hook_ops netfilter_hook;

/* pointer to a buffer */
unsigned char *ptr_packet_buff;

/* function prototype which is called when a packet arrives */ unsigned
int netfilter_drv_hook(unsigned int hooknum, 
				struct sk_buff **skb,
		      		const struct net_device *in, 
				const struct net_device *out,
		      		int (*okfn)(struct sk_buff *))
{
	PRINTK("One Packet arrvied!\n");

	/* alocate the packet buffer */
	ptr_packet_buff = (unsigned char *)vmalloc(MAX_PACK_BUFF);
	
	/* the received packet was dropped here itself */
	return NF_DROP;
}
	
	

/* netfilter_init: initialization function */
static int
__init init_netfilter(void)
{
	PRINTK("invoked!\n");
	
	/* assign the function pointer */
	netfilter_hook.hook = netfilter_drv_hook;

	/* assign the protocol family i.e. IPv4 */
	netfilter_hook.pf = PF_INET;

	/* assign the hook number like NF_IP_LOCAL_IN etc. */
	netfilter_hook.hooknum = NF_IP_PRE_ROUTING;

	/* assign the hook priority */
	netfilter_hook.priority = NF_IP_PRI_FIRST;

	/* register the netfilter driver with pointer to structure */
	nf_register_hook(&netfilter_hook);

	return 0;
}

/* netfilter_exit: cleanup function */
static void
__exit netfilter_exit(void)
{
	PRINTK("invoked!\n");

	/* unregister the driver */
	nf_unregister_hook(&netfilter_hook);
	
}

/* explicit module definitions */
module_init(init_netfilter);
module_exit(netfilter_exit);

========================================================================
====

Any help greatly appreciated.

Thanks and regards,
Srinivas G

Re: How can I get these packets in the user space application?

[Henrik Nordstrom]

yOn Wed, 8 Dec 2004, Srinivas G. wrote:

> My question is: How can I get these packets in the user space
> application?

Depends on what you want to do with the packet. If you intend to have them 
returned back to the kernel then QUEUE is the best action.

If you only want to have them sent to userspace then a more lean design 
may be desireable.

Regards
Henrik

Re: How can I get these packets in the user space application?

[Ravi Kumar]

Lets say we wish to modify the packets in user space, then I think QUEUE 
is not the way, is my understanding right?

If so, what approach is followed to get packets to user space to modify 
them. Note that I understand performance issues in moving packets from 
kernel space to user space and back.

-Ravi

Henrik Nordstrom wrote:
> yOn Wed, 8 Dec 2004, Srinivas G. wrote:
> 
>> My question is: How can I get these packets in the user space
>> application?
> 
> 
> Depends on what you want to do with the packet. If you intend to have 
> them returned back to the kernel then QUEUE is the best action.
> 
> If you only want to have them sent to userspace then a more lean design 
> may be desireable.
> 
> Regards
> Henrik
> 

RE: How can I get these packets in the user space application?

[Srinivas G.]

> On Wed, 8 Dec 2004, Srinivas G. wrote:
> 
> > My question is: How can I get these packets in the user space
> > application?
> 
> Depends on what you want to do with the packet. If you intend to have
them
> returned back to the kernel then QUEUE is the best action.
> 
> If you only want to have them sent to userspace then a more lean
design
> may be desireable.
> 
> Regards
> Henrik

Dear Henrik,

Actually I am new to network device drivers. Please spend some time to
read this mail.

Actually I need to send the packets to user space and then in the user
space I need to do some calculations on the packet data and then I want
to send the packet back to kernel space.

According to Mr. Ravi Kumar from rocsys.com there is a performance issue
in moving packets from kernel space to user space and then back to
kernel space. Even though, I need to transmit the packets from kernel to
user space and back to kernel space.

I have gone through the documents that are available in the
netfilter.org. 
Especially I read the netfilter-hacking-HOWTO-4.html document which
explains about iptables, NAT and netfilter. I mainly concentrated on
netfilter driver. My understanding is as follows.

I send the sample code in the previous mail to you. 

I understood that queue the packet for user space handling. Finally we
can issue 'nf_reinject' to send the packet into the network path again.

I understood the some of the concepts about 'setsockopt' mechanism in
the netfilter driver which is useful for processing the user space
commands in the kernel. 

I understood the topics from the following link.
http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.
html

---------
My doubt is: How the user application can get the packet from the 'hook'
function? What APIs are used in the user space application to access the
packet from the hook function?

Thanks and regards,
Srinivas G

Re: How can I get these packets in the user space application?

[Maarten Wijnants]

Hello Srinivas G,

> My doubt is: How the user application can get the packet from the 'hook'
> function? What APIs are used in the user space application to access the
> packet from the hook function?

I am trying to understand your current situation. So you have a kernel 
module that is subscribed to a certain netfilter hook and as a result starts 
receiving packets; and now you want to pass these packets from your kernel 
module to a userspace application? Is this correct?

If this is your current situation, you should issue a NF_QUEUE verdict for 
arriving packets in your kernel module to queue the packets to userspace. 
Subsequently, you will need to create a userspace application to receive the 
queued packets and run it. You can use libipq to write a userspace 
application that will accept queued packets. See the man page of libipq for 
more information on how to do this (the man page contains a fully working 
example).

I hope this helps you. Regards,
Maarten 

Re: How can I get these packets in the user space application?

[Ravi Kumar]

Srinivas,
  You can use libipq library to get packets in user space and can also 
give verdicts. snort_inline uses this method to get packets to IDS 
engine which works in user space.

Regards,
-Ravi


Srinivas G. wrote:
>>On Wed, 8 Dec 2004, Srinivas G. wrote:
>>
>>
>>>My question is: How can I get these packets in the user space
>>>application?
>>
>>Depends on what you want to do with the packet. If you intend to have
> 
> them
> 
>>returned back to the kernel then QUEUE is the best action.
>>
>>If you only want to have them sent to userspace then a more lean
> 
> design
> 
>>may be desireable.
>>
>>Regards
>>Henrik
> 
> 
> Dear Henrik,
> 
> Actually I am new to network device drivers. Please spend some time to
> read this mail.
> 
> Actually I need to send the packets to user space and then in the user
> space I need to do some calculations on the packet data and then I want
> to send the packet back to kernel space.
> 
> According to Mr. Ravi Kumar from rocsys.com there is a performance issue
> in moving packets from kernel space to user space and then back to
> kernel space. Even though, I need to transmit the packets from kernel to
> user space and back to kernel space.
> 
> I have gone through the documents that are available in the
> netfilter.org. 
> Especially I read the netfilter-hacking-HOWTO-4.html document which
> explains about iptables, NAT and netfilter. I mainly concentrated on
> netfilter driver. My understanding is as follows.
> 
> I send the sample code in the previous mail to you. 
> 
> I understood that queue the packet for user space handling. Finally we
> can issue 'nf_reinject' to send the packet into the network path again.
> 
> I understood the some of the concepts about 'setsockopt' mechanism in
> the netfilter driver which is useful for processing the user space
> commands in the kernel. 
> 
> I understood the topics from the following link.
> http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.
> html
> 
> ---------
> My doubt is: How the user application can get the packet from the 'hook'
> function? What APIs are used in the user space application to access the
> packet from the hook function?
> 
> Thanks and regards,
> Srinivas G
> 
> 

RE: How can I get these packets in the user space application?

[Henrik Nordstrom]

On Thu, 9 Dec 2004, Srinivas G. wrote:

> Actually I need to send the packets to user space and then in the user
> space I need to do some calculations on the packet data and then I want
> to send the packet back to kernel space.

Perfect fit for QUEUE.

> I understood that queue the packet for user space handling. Finally we
> can issue 'nf_reinject' to send the packet into the network path again.

ip_queue manages all of this automatically for you. See libipq in the 
iptables package for how to write user-space side of things.

Unless you have very special demands you should not need to make any 
kernel changes, just use iptables as usual and send what you want to 
process in userspace to -j QUEUE

Regards
Henrik

Re: How can I get these packets in the user space application?

[Henrik Nordstrom]

On Thu, 9 Dec 2004, Ravi Kumar wrote:

> Lets say we wish to modify the packets in user space, then I think QUEUE is 
> not the way, is my understanding right?

QUEUE is the way for this. As part of the verdict from the userspace 
application you can include a modified packet payload.

see the libipq documentation.

Regards
Henrik