Sending packets from netfilter modules

Sending packets from netfilter modules

[Nils Rennebarth]

Hi,

I want to send a new packet that was created from scratch from within a netfilter module.

There are already examples in the kernel tree, e.g. in net/ipv4/netfilter/ipt_REJECT.c, so I modeled my code after these and got it working: The packets appear on the wire and are received by other hosts.

However, the packet is finally sent using ip_local_out, so from a firewall perspective, the packet appears out of thin air and then travels through the OUTPUT chain and out to the network device. What I want instead, is for the packet to take the same way as an incoming packet, i.e. travel through the PREROUTING chain, gets routed, travels through FORWARD, routed again travels through POSTROUTING and be sent out.

The reason is that my netfilter module acts as a man-in-the-middle in a router, and the self-generated packets should not circumvent the firewall or need a duplicated ruleset in the OUTPUT chain, etc.

I thought, something like netif_receive_skb or netif_rx may do what I want, but those rely on a prepared skb. Can someone point me into the right direction?
______________________________________________________
GRATIS für alle WEB.DE-Nutzer: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://movieflat.web.de

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Sending packets from netfilter modules

[Justin Yaple]

Hello Nils,

I am pretty new to this stuff, but if you would like your packet to
travel through all the paths an inbound packet would take maybe you
can insert it into the stack using ip_rcv()?  I think that should
treat it just like any other inbound packet.

Justin.

On Tue, Nov 17, 2009 at 7:13 AM, Nils Rennebarth <Nils.Rennebarth@web.de> wrote:
> Hi,
>
> I want to send a new packet that was created from scratch from within a netfilter module.
>
> There are already examples in the kernel tree, e.g. in net/ipv4/netfilter/ipt_REJECT.c, so I modeled my code after these and got it working: The packets appear on the wire and are received by other hosts.
>
> However, the packet is finally sent using ip_local_out, so from a firewall perspective, the packet appears out of thin air and then travels through the OUTPUT chain and out to the network device. What I want instead, is for the packet to take the same way as an incoming packet, i.e. travel through the PREROUTING chain, gets routed, travels through FORWARD, routed again travels through POSTROUTING and be sent out.
>
> The reason is that my netfilter module acts as a man-in-the-middle in a router, and the self-generated packets should not circumvent the firewall or need a duplicated ruleset in the OUTPUT chain, etc.
>
> I thought, something like netif_receive_skb or netif_rx may do what I want, but those rely on a prepared skb. Can someone point me into the right direction?
> ______________________________________________________
> GRATIS für alle WEB.DE-Nutzer: Die maxdome Movie-FLAT!
> Jetzt freischalten unter http://movieflat.web.de
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html