From: Ben Greear <greearb@candelatech.com>
To: Michael Renzmann <mrenzmann@web.de>
Cc: netdev@oss.sgi.com
Subject: Re: Deleting incoming network packets / sk_buff
Date: Sat, 14 Aug 2004 15:15:00 -0700 [thread overview]
Message-ID: <411E8EE4.70900@candelatech.com> (raw)
In-Reply-To: <411E642C.9010708@web.de>
Michael Renzmann wrote:
> Hi all.
>
> I'm just making my first steps in kernel programming, and I have a few
> questions.
>
> It's necessary for me to "delete" network packets that come in on a
> ethernet device after passing them to an userspace program (through a
> packet socket that the program has opened). My first idea was to write a
> kernel module that registers on the NF_IP_PRE_ROUTING netfilter hook and
> does its job. But there are two downsides on this approach:
>
> 1. I need to delete every packet, no matter if it is IP or something
> else. As far as I understood only IP-packets will pass the netfilter
> hooks, since the netfilter framework only works with IP traffic.
>
> 2. The solution also has to work for 2.2.x kernels, as long as there is
> any way to achieve this functionality for these kernel series and 2.4.x
> as well.
>
> I continued to dig some documentation, and found a possible solution in
> a rather old phrack article [1]: "What we do is code our own kernel
> module that registers our packet_type{} data structure to handle all
> incoming packets (sk_buff's) right after they come out of the device
> driver." While the authors use this technique to implement some
> "protocol obfuscation" or an in-kernel packet sniffer, it seems to be a
> good way to reach what I want to do.
>
> Now, what I'm wondering about is the way to "correctly" remove an
> sk_buff so that the upper layer won't see the corresponding packet. I
> somewhere read that the code for packet sockets have to clone the
> sk_buff before passing it to the socket, else it would be "lost" and
> could not be seen by following handlers.
There is no way that I am aware of to block packets from high-level protocols,
but you can disable the higher protocols (ie, set IP to 0.0.0.0).
You can also hack net/core/dev.c to stop the packets from going
up the stack, but it requires more than just a new kernel module,
you'd have to actually change dev.c. (Search for BRIDGE).
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
next prev parent reply other threads:[~2004-08-14 22:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-14 19:12 Deleting incoming network packets / sk_buff Michael Renzmann
2004-08-14 22:15 ` Ben Greear [this message]
2004-08-15 18:05 ` Michael Renzmann
2004-08-15 18:18 ` Ben Greear
2004-08-15 18:57 ` Michael Renzmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=411E8EE4.70900@candelatech.com \
--to=greearb@candelatech.com \
--cc=mrenzmann@web.de \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).