* TCP-packet with PUSH flag with wrong payload data in LOCAL_OUT hook.
From: Кобылянский Владимир @ 2009-01-21 18:01 UTC (permalink / raw)
To: netfilter-devel
Hi.
First of all, I am a beginner in kernel programming, so my question may
be very stupid. Sorry.
I am trying to write a simple firewall module and I have found something
incomprehensible (at least for me).
I have a Linux machine with a 2.6.17 kernel and my firewall module.
My module registers two hooks: LOCAL_OUT and PRE_ROUTING.
With wget I try to download index.html from an external WWW server.
In my module I see the 3 handshake packets; they are all normal.
Then I see the first packet with payload: it is a TCP packet with the PSH and ACK
flags, and it is not normal at all.
In the TCP data area of this packet I MUST see this string:
"GET / HTTP/1.1..."
or in HEX
"4745 5420 2f20 4854 5450 2f31 2e31 ..."
BUT I see this data in it:
"0200 0100 0100 0000 0100 0000 0000 ....".
As you can see, the payload data is wrong. The IP and TCP headers are all normal.
The length is normal.
Moreover, if I return NF_ACCEPT for this packet, the WWW server gets a normal
packet with normal payload data.
If I use my Linux machine as a gateway (and catch forwarded packets in the
PRE_ROUTING hook), I see this packet with normal data inside.
So, I have some questions:
1) Is it possible?
2) If it is possible, what is happening and where can I get the normal payload data?
P.S.: sorry if this is a repeated question; I really did try to find it in
the archive.
P.P.S.: sorry for my English.
* Re: TCP-packet with PUSH flag with wrong payload data in LOCAL_OUT hook.
From: Jan Engelhardt @ 2009-01-21 18:52 UTC (permalink / raw)
To: Кобылянский Владимир
Cc: netfilter-devel
On Wednesday 2009-01-21 19:01, Кобылянский Владимир wrote:
>
>In my module I see the 3 handshake packets; they are all normal.
>Then I see the first packet with payload: it is a TCP packet with the PSH and ACK
>flags, and it is not normal at all.
It could be something in your code (which seems to be absent here).
>In the TCP data area of this packet I MUST see this string:
>"GET / HTTP/1.1..."
>or in HEX
>"4745 5420 2f20 4854 5450 2f31 2e31 ..."
>BUT I see this data in it:
>"0200 0100 0100 0000 0100 0000 0000 ....".
Could be TCP options. Payload could begin in a later packet maybe.
Or somewhere in your code you have a wrong pointer.
I don't read glass spheres so...
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
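Jan's first suggestion above is that TCP options push the payload past the point where the module looks for it. As an added example (not code from this thread; the function names and the constructed sample packet are assumptions), this userspace C computes the payload offset from the IP header length and the TCP data offset instead of assuming two 20-byte headers:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the TCP payload in an IPv4 packet, or -1 if malformed/truncated. */
long tcp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)             /* need an IPv4 header */
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)  /* protocol 6 = TCP */
        return -1;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4; /* TCP header incl. options */
    if (doff < 20 || len < ihl + doff)
        return -1;
    return (long)(ihl + doff);
}

/* Constructed sample: 20-byte IPv4 header, TCP header carrying 12 bytes of
 * options (NOP, NOP, timestamp), PSH|ACK set, then the HTTP request line. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t opts[12] = { 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
    static const char req[] = "GET / HTTP/1.1\r\n";
    size_t total = 20 + 32 + sizeof(req) - 1;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                    /* version 4, IHL 5 words */
    buf[2] = (uint8_t)(total >> 8);   /* total length, big endian */
    buf[3] = (uint8_t)(total & 0xff);
    buf[9] = 6;                       /* TCP */
    buf[20 + 12] = 8 << 4;            /* data offset: 8 words = 32 bytes */
    buf[20 + 13] = 0x18;              /* PSH | ACK */
    memcpy(buf + 40, opts, sizeof(opts));
    memcpy(buf + 52, req, sizeof(req) - 1);
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    size_t n = build_sample(pkt, sizeof(pkt));
    long off = tcp_payload_offset(pkt, n);
    /* Offset 40 (20 + 20) lands in the options, not in the HTTP request. */
    printf("bytes at 40: %02x %02x %02x %02x\n", pkt[40], pkt[41], pkt[42], pkt[43]);
    printf("payload at %ld: %.14s\n", off, (const char *)pkt + off);
    return 0;
}
```
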
* Re: TCP-packet with PUSH flag with wrong payload data in LOCAL_OUT hook.
From: Jan Engelhardt @ 2009-01-21 19:05 UTC (permalink / raw)
Cc: Netfilter Developer Mailing List
> kent@lissi.ru
> SMTP error from remote mail server after end of data:
> host 194.84.136.194 [194.84.136.194]: 550 5.7.1 Message rejected.
Should - have - known.
>On Wednesday 2009-01-21 19:01, Кобылянский Владимир wrote:
>>
>>In my module I see the 3 handshake packets; they are all normal.
>>Then I see the first packet with payload: it is a TCP packet with the PSH and ACK
>>flags, and it is not normal at all.
>>In the TCP data area of this packet I MUST see this string:
>>"GET / HTTP/1.1..."
>>or in HEX
>>"4745 5420 2f20 4854 5450 2f31 2e31 ..."
>>BUT I see this data in it:
>>"0200 0100 0100 0000 0100 0000 0000 ....".
>
>Could be TCP options. Payload could begin in a later packet maybe.
>Or somewhere in your code you have a wrong pointer.
>I don't read glass spheres so...[...]