TCP-packet with PUSH flag with wrong payload data in LOCAL_OUT hook.

["Кобылянский Владимир" <kent@lissi.ru>]

Hi.

First of all - I am a beginner in kernel programming, so my question can
be very stupid. Sorry.

I try to write simple firewall module and I find incomprehensible (at
least for me) thing.

I have Linux-machine with 2.6.17 kernel with my firewall module.
My module register two hooks - LOCAL_OUT and PRE_ROUTING.
With wget I try to download index.html from external WWW-server.

I see in my module 3 handshake packets - they all normal.
Then I see first packet with payload - it is TCP-packet with PSH and ACK
flags and it is not normal at all.

In this packet in tcp-data area I MUST see such string:
"GET / HTTP/1.1..."
or in HEX
"4745 5420 2f20 4854 5450 2f31 2e31 ..."
BUT I see such data in it:
"0200 0100 0100 0000 0100 0000 0000 ....".

As you can see - payload data wrong. IP and TCP headers - all normal.
Length normal.

Even more - if I return NF_ACCEPT on this packet - WWW-server got normal
packet with normal payload data.

If I use my Linux-machine as gateway (and catch forwarding packets by
PRE_ROUTING hook) - I see this packet with normal data inside.


So, I have some questions:

1) Is it possible?
2) If it is possible - what happens and where I can get normal payload data?


P.S.: sorry if repeated question - I really was trying to find it in
archive.

P.P.S.: sorry for my English.