* Mangling IP Options fields
From: Quinton Hoole @ 2005-05-16 12:22 UTC (permalink / raw)
To: netfilter
Hi
This newbie needs to add and/or rewrite data in the IP Options fields.
The MANGLE chain looks like the place to do this, but I don't see the
appropriate target extensions to achieve it. It seems easy to mangle
most other fields (DSCP, ECN, TOS, TTL etc) but no mention of the
OPTIONS fields.
Is mangling of IP options fields supported by netfilter/iptables?
If not, I'm going to have to make it happen somehow. Any pointers
towards the recommended approach in this regard would be appreciated.
I'm assuming that I'll have to alter the netfilter/iptables code
appropriately, which is not a problem.
Thanks in advance...
Quinton
* Re: Mangling IP Options fields
From: Tobias DiPasquale @ 2005-05-16 12:38 UTC (permalink / raw)
To: Quinton Hoole; +Cc: netfilter
On 5/16/05, Quinton Hoole <quinton@hoole.biz> wrote:
> This newbie needs to add and/or rewrite data in the IP Options fields.
> The MANGLE chain looks like the place to do this, but I don't see the
> appropriate target extensions to achieve it. It seems easy to mangle
> most other fields (DSCP, ECN, TOS, TTL etc) but no mention of the
> OPTIONS fields.
>
> Is mangling of IP options fields supported by netfilter/iptables?
Which IP options are you looking to be able to mangle? If you just
need to be able to mangle the MSS, then check out the TCPMSS target
included in the vanilla Linux kernel. This would also be a good place
to start if you need to create an iptables target that mangles an IP
option of another type. You might also check out the IPV4OPTSSTRIP
target in patch-o-matic (http://svn.netfilter.org), but I don't know
how much utility this will have for you.
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
* Re: Mangling IP Options fields
From: Quinton Hoole @ 2005-05-16 12:58 UTC (permalink / raw)
To: Tobias DiPasquale; +Cc: netfilter
Tobias DiPasquale wrote:
>On 5/16/05, Quinton Hoole <quinton@hoole.biz> wrote:
>
>>This newbie needs to add and/or rewrite data in the IP Options fields.
>>The MANGLE chain looks like the place to do this, but I don't see the
>>appropriate target extensions to achieve it. It seems easy to mangle
>>most other fields (DSCP, ECN, TOS, TTL etc) but no mention of the
>>OPTIONS fields.
>>
>>Is mangling of IP options fields supported by netfilter/iptables?
>
>Which IP options are you looking to be able to mangle? If you just
>need to be able to mangle the MSS, then check out the TCPMSS target
>included in the vanilla Linux kernel.
>
I'll be needing to mangle other fields. My ultimate goal is to "stamp"
a 32 or 64 bit value into each packet for security reasons.
>This would also be a good place
>to start if you need to create an iptables target that mangles an IP
>option of another type.
>
Great, thanks.
Q
* Re: Mangling IP Options fields
From: Frank Abel @ 2005-05-16 15:58 UTC (permalink / raw)
To: netfilter
Hi all!
You don't want "to alter the netfilter/iptables code"; libipq can resolve
your problem if you don't want high speed or if you only need to mangle
some packets. Besides, you can use libipq to prototype the final
implementation. Look up in this list messages which have the word libipq
in the subject. Another source of information is man libipq. On the web
there are many examples of programs that alter the IP header.
Salute
Frank Abel
* Re: Mangling IP Options fields
From: Quinton Hoole @ 2005-05-16 13:18 UTC (permalink / raw)
To: Frank Abel; +Cc: netfilter
Frank Abel wrote:
>Hi all!
>You don't want "to alter the netfilter/iptables code"; libipq can resolve
>your problem if you don't want high speed or if you only need to mangle
>some packets. Besides, you can use libipq to prototype the final
>implementation. Look up in this list messages which have the word libipq
>in the subject. Another source of information is man libipq. On the web
>there are many examples of programs that alter the IP header.
>
>Salute
>Frank Abel
>
Thanks Frank
I looked into the libipq user space queueing option, but unfortunately
switching to user space is not feasible in my case (every single packet
on a GBit ethernet needs to be stamped, and resource utilisation is a
big issue). Some further reading of the netfilter FAQ has revealed that
patch-o-matic based extensions seem to be the way that others have
achieved things similar to my aims.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html
Can anyone confirm that I'm heading in the right direction?
Thanks in advance...
Quinton
* Re: Mangling IP Options fields
From: Tobias DiPasquale @ 2005-05-16 13:35 UTC (permalink / raw)
To: Quinton Hoole; +Cc: netfilter
On 5/16/05, Quinton Hoole <quinton@hoole.biz> wrote:
> I looked into the libipq user space queueing option, but unfortunately
> switching to user space is not feasible in my case (every single packet
> on a GBit ethernet needs to be stamped, and resource utilisation is a
> big issue). Some further reading of the netfilter FAQ has revealed that
> patch-o-matic based extensions seem to be the way that others have
> achieved things similar to my aims.
>
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html
>
> Can anyone confirm that I'm heading in the right direction?
You are headed in the right direction. I will say two more things:
1. What you are trying to do is very simple and shouldn't require much
deviation from iptables targets that already exist w/r/t coding
ability. Just make sure you know the pertinent RFCs and have a fast
machine to compile on.
2. You will need 2-3 CPUs (x86) to keep up with GBit forwarding + netfilter.
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
* Mangling IP Options fields
From: Quinton Hoole @ 2005-05-16 12:38 UTC (permalink / raw)
To: netfilter-devel
Hi
I've posted this to the netfilter users list, but in retrospect it is
probably a devel question:
This newbie needs to add and/or rewrite data in the IP Options fields.
The MANGLE chain looks like the place to do this, but I don't see the
appropriate target extensions to achieve it. It seems easy to mangle
most other fields (DSCP, ECN, TOS, TTL etc) but no mention of the
OPTIONS fields.
Is mangling of IP options fields supported by netfilter/iptables?
I've seen Fabrice's reply to a similar question some 3 years back:
https://lists.netfilter.org/pipermail/netfilter-devel/2002-March/006957.html
which indicates that I'll need to do some hacking, but hopefully this
has changed since then, and someone's done it for me ;-)
If not, I'm going to have to make it happen somehow. Any pointers
towards the recommended approach in this regard would be appreciated.
I'm assuming that I'll have to alter the netfilter/iptables code
appropriately, which is not a problem. I'll start ploughing through the
patch-o-matic docs in the meantime ;-)
Thanks in advance...
Quinton
* Re: Mangling IP Options fields
From: Jonas Berlin @ 2005-05-16 18:43 UTC (permalink / raw)
To: Quinton Hoole; +Cc: netfilter-devel
Quoting Quinton Hoole on 2005-05-16 12:38 UTC:
> Is mangling of IP options fields supported by netfilter/iptables?
>
> I've seen Fabrice's reply to a similar question some 3 years back:
>
> https://lists.netfilter.org/pipermail/netfilter-devel/2002-March/006957.html
I think nothing has changed. The IPV4OPTSSTRIP mentioned in the mail
(which removes all options) is still available.
You can download the latest pom-ng (through www.netfilter.org), which
includes IPV4OPTSSTRIP. If you need more help regarding how to do stuff
in the net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c file (which is the one you
should modify), just ask :)
Good luck!
--
- xkr47
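The stamp Quinton describes earlier in the thread (a 32-bit value written into every packet) and the behaviour Jonas attributes to IPV4OPTSSTRIP (dropping every option) both come down to editing the IPv4 options area and then repairing IHL, Total Length and the header checksum. The C program below is an added example, not netfilter, patch-o-matic or IPV4OPTSSTRIP code: it walks the options list with the malformed-length checks any kernel target or packet inspector needs, inserts a stamp option, reads it back for verification, and strips all options. The option type byte 0x9E (RFC 4727's experimental option number 30 with the copied bit set), the function names and the constructed sample packet are assumptions chosen for illustration.

```c
/* Added example: IPv4 option walking, stamping and stripping on a raw header.
 * Not netfilter/IPV4OPTSSTRIP code; option type and sample packet are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define IPOPT_END      0
#define IPOPT_NOOP     1
#define STAMP_OPT_TYPE 0x9E /* copied=1, class=0, number=30: RFC 4727 experimental (assumed choice) */
#define STAMP_OPT_LEN  6    /* type, length, four value bytes */
#define STAMP_SLOT     8    /* option plus two NOOPs so IHL stays on a 32-bit boundary */

/* RFC 1071 ones'-complement checksum; yields 0 over a header whose checksum field is correct. */
uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2)
        sum += (uint32_t)buf[i] << 8 | (i + 1 < len ? buf[i + 1] : 0);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite IHL and Total Length, then recompute the header checksum over the new IHL. */
static void ip_fix_header(uint8_t *pkt, size_t ihl, size_t total)
{
    pkt[0] = (uint8_t)((pkt[0] & 0xF0) | (ihl / 4));
    pkt[2] = (uint8_t)(total >> 8); pkt[3] = (uint8_t)total;
    pkt[10] = pkt[11] = 0;
    uint16_t c = ip_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
}

/* Walk the options area looking for option type `want`. Returns its offset (>= 20) if found,
 * 0 if the header is well formed but the option is absent, -1 if the header is truncated or an
 * option is malformed. Passing IPOPT_END only validates, since the walk stops at END. */
int ip_find_option(const uint8_t *pkt, size_t pktlen, uint8_t want)
{
    size_t ihl = pktlen < 20 ? 0 : (pkt[0] & 0x0F) * 4u;
    if (ihl < 20 || ihl > pktlen) return -1;
    for (size_t off = 20; off < ihl;) {
        uint8_t type = pkt[off];
        if (type == IPOPT_END) break;
        if (type == IPOPT_NOOP) { off++; continue; }
        if (off + 1 >= ihl) return -1;             /* no room for the length byte */
        uint8_t len = pkt[off + 1];
        if (len < 2 || off + len > ihl) return -1; /* bogus or header-overrunning length */
        if (type == want) return (int)off;
        off += len;
    }
    return 0;
}

/* Returns 1 and stores the stamp if present, 0 if absent, -1 if the options are malformed. */
int ip_get_stamp(const uint8_t *pkt, size_t pktlen, uint32_t *out)
{
    int off = ip_find_option(pkt, pktlen, STAMP_OPT_TYPE);
    if (off <= 0) return off;
    if (pkt[off + 1] != STAMP_OPT_LEN) return -1;
    *out = (uint32_t)pkt[off + 2] << 24 | (uint32_t)pkt[off + 3] << 16 |
           (uint32_t)pkt[off + 4] << 8  | pkt[off + 5];
    return 1;
}

/* Insert the stamp at the front of the options area, shifting existing options and payload up.
 * *pktlen is the packet length in the buffer (assumed equal to Total Length); cap is the buffer
 * capacity. Returns 0 on success, -1 if malformed or the 60-byte header limit/buffer is exceeded. */
int ip_stamp_option(uint8_t *pkt, size_t *pktlen, size_t cap, uint32_t stamp)
{
    if (ip_find_option(pkt, *pktlen, IPOPT_END) < 0) return -1;
    size_t ihl = (pkt[0] & 0x0F) * 4u;
    if (ihl + STAMP_SLOT > 60 || *pktlen + STAMP_SLOT > cap) return -1;
    memmove(pkt + 20 + STAMP_SLOT, pkt + 20, *pktlen - 20);
    uint8_t *o = pkt + 20;
    o[0] = STAMP_OPT_TYPE;         o[1] = STAMP_OPT_LEN;
    o[2] = (uint8_t)(stamp >> 24); o[3] = (uint8_t)(stamp >> 16);
    o[4] = (uint8_t)(stamp >> 8);  o[5] = (uint8_t)stamp;
    o[6] = IPOPT_NOOP;             o[7] = IPOPT_NOOP;
    *pktlen += STAMP_SLOT;
    ip_fix_header(pkt, ihl + STAMP_SLOT, *pktlen);
    return 0;
}

/* Drop every option, as the thread says IPV4OPTSSTRIP does: pull the payload down to offset 20,
 * set IHL to 5 and repair Total Length and the checksum. Returns bytes removed, -1 if malformed. */
int ip_strip_options(uint8_t *pkt, size_t *pktlen)
{
    if (ip_find_option(pkt, *pktlen, IPOPT_END) < 0) return -1;
    size_t ihl = (pkt[0] & 0x0F) * 4u, opts = ihl - 20;
    if (opts == 0) return 0;
    memmove(pkt + 20, pkt + ihl, *pktlen - ihl);
    *pktlen -= opts;
    ip_fix_header(pkt, 20, *pktlen);
    return (int)opts;
}

/* Constructed sample: option-less IPv4 header (proto 17, 10.0.0.1 -> 10.0.0.2) plus 8 payload bytes. */
size_t build_sample_packet(uint8_t *buf)
{
    static const uint8_t hdr[20] = { 0x45, 0x00, 0x00, 0x1C, 0x12, 0x34, 0x40, 0x00, 0x40, 0x11,
                                     0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2 };
    memcpy(buf, hdr, 20);
    memcpy(buf + 20, "stampme!", 8);
    ip_fix_header(buf, 20, 28);
    return 28;
}

int main(void)
{
    uint8_t buf[128]; size_t len = build_sample_packet(buf); uint32_t s = 0;
    int rc = ip_stamp_option(buf, &len, sizeof buf, 0xDEADBEEF), found = ip_get_stamp(buf, len, &s);
    printf("stamp rc=%d found=%d value=0x%08lX ihl=%u\n", rc, found, (unsigned long)s, buf[0] & 0x0Fu);
    int removed = ip_strip_options(buf, &len);
    printf("strip removed=%d ihl=%u checksum_ok=%d\n", removed, buf[0] & 0x0Fu, ip_checksum(buf, 20) == 0);
    return 0;
}
```

Two points carry over to any in-kernel target: every rewrite of the options area must keep IHL within 5..15 and re-checksum the header, or the next hop discards the packet; and the reader of a stamp must validate each option's declared length against IHL before using it, because a length field that overruns the header is exactly what an option parser must refuse rather than read past.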
* Re: Mangling IP Options fields
From: Quinton Hoole @ 2005-05-19 12:58 UTC (permalink / raw)
To: Jonas Berlin; +Cc: netfilter-devel
Hi Jonas
Thanks for your kind offer of help! I assume you meant it ;-) If so,
here goes...
I've been struggling to get a working development platform, and finally
have a Fedora Core 3 system, with kernel-2.6.11-1.14_FC3, which I've
built from source and tested.
Now I try to use patch-o-matic to apply the IPV4OPTSSTRIP patch, but get
the following error:
===================
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Testing patch base/IPV4OPTSSTRIP.patch...
Warning - no help text file could be found in either
/usr/src/linux/net/ipv4/netfilter/Config.help
or /usr/src/linux/Documentation/Configure.help
fgrep: /usr/src/linux/net/ipv4/netfilter/Config.in: No such file or
directory
Could not find place to slot in Config.in line
TEST FAILED: patch NOT applied.
===================
I installed the kernel source RPM according to the instructions in the
FC3 (http://fedora.redhat.com/docs/release-notes/fc3/x86/), which
places the kernel source in
/usr/src/redhat/BUILD/kernel-2.6.11/linux-2.6.11
For convenience I created a symbolic link from /usr/src/linux to the above.
Then by executing the following I got the error above:
[root@quinton-lap1 patch-o-matic]# KERNEL_DIR=/usr/src/linux ./runme base
What am I doing wrong? Should I be using a standard kernel from
kernel.org, rather than my FC3 kernel?
Q
* Re: Mangling IP Options fields
From: Amin Azez @ 2005-05-20 11:17 UTC (permalink / raw)
To: Quinton Hoole; +Cc: netfilter-devel
Apologies if these comments (below) seem obvious:
Quinton Hoole wrote:
> Warning - no help text file could be found in either
> /usr/src/linux/net/ipv4/netfilter/Config.help
> or /usr/src/linux/Documentation/Configure.help
> fgrep: /usr/src/linux/net/ipv4/netfilter/Config.in: No such file or
> directory
...
> I installed the kernel source RPM according to the instructions in the
> FC3 (http://fedora.redhat.com/docs/release-notes/fc3/x86/), which
> places the kernel source in
>
> /usr/src/redhat/BUILD/kernel-2.6.11/linux-2.6.11
>
> For convenience I created a symbolic link from /usr/src/linux to the
> above.
So, do:
ls -l /usr/src/linux/net/ipv4/netfilter
and see what you get. If it doesn't work, then you may need to adjust
your symbolic link to point to
/usr/src/redhat/BUILD/kernel-2.6.11/linux-2.6.11/somewhereelse
I presume there is a net folder somewhere under
/usr/src/redhat/BUILD/kernel-2.6.11/linux-2.6.11?
It is the folder that includes this net folder that needs to be
symlinked to /usr/src/linux.
Sam
* Re: Mangling IP Options fields
From: Jonas Berlin @ 2005-06-04 9:23 UTC (permalink / raw)
To: Quinton Hoole; +Cc: netfilter-devel
Quoting Quinton Hoole on 2005-05-19 12:58 UTC:
> Hi Jonas
Hello!
> Thanks for your kind offer of help! I assume you meant it ;-) If so,
> here goes...
Sorry for the late reply.
> Now I try to use patch-o-matic to apply the IPV4OPTSSTRIP patch, but get
Do you possibly mean patch-o-matic-ng (ng = next generation :) ?
If not, you should fetch the latest snapshot from:
http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
> the following error:
> ===================
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> Testing patch base/IPV4OPTSSTRIP.patch...
> Warning - no help text file could be found in either
> /usr/src/linux/net/ipv4/netfilter/Config.help
> or /usr/src/linux/Documentation/Configure.help
> fgrep: /usr/src/linux/net/ipv4/netfilter/Config.in: No such file or
> directory
> Could not find place to slot in Config.in line
> TEST FAILED: patch NOT applied.
> ===================
At least it worked for me with vanilla 2.6.11.
> I installed the kernel source RPM according to the instructions in the
> FC3 (http://fedora.redhat.com/docs/release-notes/fc3/x86/), which
> places the kernel source in
The error message makes me think you have the old patch-o-matic or an
outdated patch-o-matic-ng..
> Then by executing the following I got the error above:
> [root@quinton-lap1 patch-o-matic]# KERNEL_DIR=/usr/src/linux ./runme base
FYI: You can also use
./runme IPV4OPTSSTRIP
if you want just some specific patch.
> What am I doing wrong? Should I be using a standard kernel from
> kernel.org, rather than my FC3 kernel?
I think it should work fine on both.
--
- xkr47