ip_queue questions

ip_queue questions

[Peter Enderborg]

Is there any non trivial example of howto use netlink?
A non trivial is something that use do something with the packet and 
returns a modifyed packet form userland.
And is there any way to do matching rule in userland? ipq_set_verdict() 
must have NF_ACCEPT or NF_DROP.
I whould like to do something similar to the MARK, just modify the data 
and then continue.


-- 
foo!

Re: ip_queue questions

[Jonas Berlin]

Peter Enderborg wrote:

> Is there any non trivial example of howto use netlink?

No, it's pretty trivial to do anything with libipq imo :D

> A non trivial is something that use do something with the packet and 
> returns a modifyed packet form userland.

This code has never been used, I just wrote it for you :)

void handle(void)
{
    static unsigned char packet[65536];

    // fetch data
    if(ipq_read(ipq_h, packet, sizeof(packet), 0) < 0) {
       ipq_perror("ipq_read");
       return;
    }

    // check type
    if (ipq_message_type(packet) != IPQM_PACKET) {
       fprintf(stderr, "Received error message %d\n",
               ipq_get_msgerr(packet));
       return;
    }

    ipq_packet_msg_t *msg = ipq_get_packet(packet);

    // ensure we got some data (maybe I'm paranoid)
    if(msg->data_len == 0) {
       ipq_set_verdict(ipq_h, msg->packet_id, NF_DROP, 0, 0);
       return;
    }

    // IP, TCP etc structs I have copypasted from /usr/include/linux/ip.h etc
    struct iphdr *iph = (struct iphdr *)msg->payload;

    // let's say we want to remove all ip options
    // get pointer to start of ip options..
    unsigned char *options = &iph[1];
    // .. and current end of ip header = end of ip options
    unsigned char *options_end = ((unsigned *)iph) + iph->ihl;

    if(end_of_options == options) {
       // no options, do nothing and accept
       ipq_set_verdict(ipq_h, msg->packet_id, NF_ACCEPT, 0, 0);
       return;
    }

    // kill!
    memmove(options, options_end,
           (unsigned char *)iph + msg->data_len - options_end);

    // update lengths
    iph->ihl = sizeof(struct iphdr) / 4;
    iph->tot_len -= options_end - options;

    // ##TODO## update checksum maybe

    ipq_set_verdict(ipq_h, msg->packet_id, NF_ACCEPT,
                    msg->data_len - (options_end - options), msg->payload);
}

Hope you get some idea.. And hope I didn't do it the wrong way or something :)

> And is there any way to do matching rule in userland? ipq_set_verdict() 
> must have NF_ACCEPT or NF_DROP.
> I whould like to do something similar to the MARK, just modify the data 
> and then continue.

Currently, no :/

Maybe some day.. I don't know enough (yet) to do it myself..

-- 
- xkr47

Re: ip_queue questions

[Peter Enderborg]

Jonas Berlin wrote:

> Peter Enderborg wrote:
>
>> Is there any non trivial example of howto use netlink?
>
>
> No, it's pretty trivial to do anything with libipq imo :D
>
>> A non trivial is something that use do something with the packet and 
>> returns a modifyed packet form userland.
>
>
> This code has never been used, I just wrote it for you :)
>
> void handle(void)
> {
>    static unsigned char packet[65536];
>
>    // fetch data
>    if(ipq_read(ipq_h, packet, sizeof(packet), 0) < 0) {
>       ipq_perror("ipq_read");
>       return;
>    }
>
>    // check type
>    if (ipq_message_type(packet) != IPQM_PACKET) {
>       fprintf(stderr, "Received error message %d\n",
>               ipq_get_msgerr(packet));
>       return;
>    }
>
>    ipq_packet_msg_t *msg = ipq_get_packet(packet);
>
>    // ensure we got some data (maybe I'm paranoid)
>    if(msg->data_len == 0) {
>       ipq_set_verdict(ipq_h, msg->packet_id, NF_DROP, 0, 0);
>       return;
>    }
>
>    // IP, TCP etc structs I have copypasted from 
> /usr/include/linux/ip.h etc
>    struct iphdr *iph = (struct iphdr *)msg->payload;
>
>    // let's say we want to remove all ip options
>    // get pointer to start of ip options..
>    unsigned char *options = &iph[1];
>    // .. and current end of ip header = end of ip options
>    unsigned char *options_end = ((unsigned *)iph) + iph->ihl;
>
>    if(end_of_options == options) {
>       // no options, do nothing and accept
>       ipq_set_verdict(ipq_h, msg->packet_id, NF_ACCEPT, 0, 0);
>       return;
>    }
>
>    // kill!
>    memmove(options, options_end,
>           (unsigned char *)iph + msg->data_len - options_end);
>
>    // update lengths
>    iph->ihl = sizeof(struct iphdr) / 4;
>    iph->tot_len -= options_end - options;
>
>    // ##TODO## update checksum maybe
>
>    ipq_set_verdict(ipq_h, msg->packet_id, NF_ACCEPT,
>                    msg->data_len - (options_end - options), 
> msg->payload);
> }
>
> Hope you get some idea.. And hope I didn't do it the wrong way or 
> something :)
>
Thanks. I think on track now.  But this makes it imposible to modify 
mark. (in ipq_packet_msg_t)
And the MARK target is not avaible in "-t filter" section.  The idea is 
to have diffrent rules in the
QUEUE for userland. But I can only have one netlink queue, right? And I 
can't tag my pakets in the
"filter FORWARD" section where I need to have my userland QUEUE's. Hmm, 
life is hard :-(

>> And is there any way to do matching rule in userland? 
>> ipq_set_verdict() must have NF_ACCEPT or NF_DROP.
>> I whould like to do something similar to the MARK, just modify the 
>> data and then continue.
>
>
> Currently, no :/
>
> Maybe some day.. I don't know enough (yet) to do it myself..
>


-- 
foo!

Re: ip_queue questions

[Pablo Neira]

Peter Enderborg wrote:
> I whould like to do something similar to the MARK, just modify the data 
> and then continue.

Look for ip_queue_vwmark in pom-ng, that enables the nfmark modification.

AFAIK that patch surely won't ever get in kernel mainline since there's 
a more simple way to export nfmark (just adding it to the message). This 
  breaks backward compatibility with current application though.

--
Pablo