How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING

How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING

[Real Oneone]

Hi, I plugged a callback function into netfilter at the hook point of
NF_IP_PRE_ROUTING, tring to capture all the packets, make
some changes to some of them, and invoke skb->dev->hard_start_xmit to
send them out directly. However, the kernel crashed before I could get
any printked information.

If you have any idea of how to send the received packets out, please tell me.

Thank you in advance.

Best regards,
Gu, Xinxing

Re: How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING

[David G.]

Real Oneone wrote:
> Hi, I plugged a callback function into netfilter at the hook point of
> NF_IP_PRE_ROUTING, tring to capture all the packets, make
> some changes to some of them, and invoke skb->dev->hard_start_xmit to
> send them out directly. However, the kernel crashed before I could get
> any printked information.
> 
> If you have any idea of how to send the received packets out, please tell me.

You might want to explore the possibilities of the existing "ip_queue"
kernel extension instead, it was design to do packet
capture/inspection/changing in userspace.

FireFlier works that way ( http://fireflier.sourceforge.net/ ) and so
does inlined snort (http://www.snort.org/docs/snort_manual/node7.html).

You can take a look at:
http://www.linuxia.de/netfilter.en.html#userspace and
http://www.cs.princeton.edu/~nakao/libipq.htm for an example application.

Re: How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING

[Real Oneone]

Many thanks, David!

I've read what you mentioned and since I've done most of the work in
kernelspace, I wonder if there is any way to send out the modified
packet directly, when of course the mac address is not filled?

Thanks again!

2006/4/26, David G. <kiddion@zonnet.nl>:
> Real Oneone wrote:
> > Hi, I plugged a callback function into netfilter at the hook point of
> > NF_IP_PRE_ROUTING, tring to capture all the packets, make
> > some changes to some of them, and invoke skb->dev->hard_start_xmit to
> > send them out directly. However, the kernel crashed before I could get
> > any printked information.
> >
> > If you have any idea of how to send the received packets out, please tell me.
>
> You might want to explore the possibilities of the existing "ip_queue"
> kernel extension instead, it was design to do packet
> capture/inspection/changing in userspace.
>
> FireFlier works that way ( http://fireflier.sourceforge.net/ ) and so
> does inlined snort (http://www.snort.org/docs/snort_manual/node7.html).
>
> You can take a look at:
> http://www.linuxia.de/netfilter.en.html#userspace and
> http://www.cs.princeton.edu/~nakao/libipq.htm for an example application.
>

Re: How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING

[Real Oneone]

Thanks for your reply, Srinivas!

But maybe I failed to describe the problem that I am facing. It's ture
as you said that I have a module, which registers  a function to a
netfilter hook. Whenever there is an incoming packet, the function
could catch it and make some changes to it : wrap it in a new iphdr,
change the src and dst ip, etc. This is what I've done.

Now a problem comes that, how do I send it out directly? -- By
'directly', I mean to do it just in the kernel space, not first
passing it to a userspace application(thru NF_QUEUE like you said, or
netlink socket, anyway) and then let the application send it out.

The difficulty is that, since I changed the src and dst ip, the mac
address information is totally unavailable. That may be able to
explain the reason why I used skb->dev->hard_start_xmit(...) and then
the kernel crashed.

Is there any way to achieve my goal? Or that is mission impossible?

Wish I've explained clearly enough.

Many thanks for your help indeed!

Best regards,
Gu, Xinxing



2006/4/27, Srinivas G. <srinivasg@esntechnologies.co.in>:
>
> > I've read what you mentioned and since I've done most of the work in
> > kernelspace, I wonder if there is any way to send out the modified
> > packet directly, when of course the mac address is not filled?
>
> I am trying to understand your current situation. So you have a kernel
> module that is subscribed to a certain netfilter hook and as a result
> starts
> receiving packets; and now you want to pass these packets from your
> kernel
> module to a userspace application? Is this correct?
>
> If this is your current situation, you should issue a NF_QUEUE verdict
> for
> arriving packets in your kernel module to queue the packets to
> userspace.
> Subsequently, you will need to create a user space application to
> receive the queued packets and run it. You can use libipq to write a
> userspace
> application that will accept queued packets. See the man page of libipq
> for
> more information on how to do this (the man page contains a fully
> working
> example).
>
> Regards,
> Srinivas G
>
>