Prerouting hook doesn't "see" all packets

Prerouting hook doesn't "see" all packets

[K-Gen]

Hi there.
I'm trying to see TCP packets passing through a router using a
netfilter module (in order to eventually alter them).

I have a hook on PREROUTING, and it doesn't quite work as expected.
The only packets I see, are the TCP handshake (3 packets). Any packets
in an established connection do not get to my hook.
The TCP connections in question all pass via NAT before reaching my
hook. I've thus given my hook the priority NF_IP_PRI_LAST.
I've tried setting nfcache to NFC_UNKNOWN for every TCP packet, and
this didn't help.

The kernel version on the router is 2.6.8.1, the router itself is
based on a BCM board. I did not try to the same on another machine.

My goal is to be able to see ALL the TCP packets in my hook. I do not
want any caching/optimizations to take place.

I'm obviously doing something wrong, so please tell my why is this happening.

Thanks,
Greg.

Re: Prerouting hook doesn't "see" all packets

[Jan Engelhardt]

On Wednesday 2010-04-07 01:10, K-Gen wrote:

>Hi there.
>I'm trying to see TCP packets passing through a router using a
>netfilter module (in order to eventually alter them).
>
>I have a hook on PREROUTING, and it doesn't quite work as expected.
>The only packets I see, are the TCP handshake (3 packets). Any packets
>in an established connection do not get to my hook.
>The TCP connections in question all pass via NAT before reaching my
>hook. I've thus given my hook the priority NF_IP_PRI_LAST.
>I've tried setting nfcache to NFC_UNKNOWN for every TCP packet, and
>this didn't help.
>
>The kernel version on the router is 2.6.8.1, the router itself is
>based on a BCM board. I did not try to the same on another machine.

The stable series did not exist before 2.6.11, so 2.6.8.1 did not 
exist. Assuming you meant 2.6.8, I'd say it's time to update.

nfcache is long gone.

>I'm obviously doing something wrong, so please tell my why is this happening.

You need to post your code, because we don't have magic orbs (let alone 
that, if such existed, the law would probably prohibit their use for 
obvious reasons of unwanted privacy invasion).

Re: Prerouting hook doesn't "see" all packets

[Pascal Hambourg]

Hello,

Jan Engelhardt a écrit :
> 
> The stable series did not exist before 2.6.11, so 2.6.8.1 did not 
> exist.

It does exist. See
<http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.8.1>
Released the same day as 2.6.8 and contains a single patch, fixing a
severe bug I guess.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Prerouting hook doesn't "see" all packets

[K-Gen]

Thanks for the response.

Was nfcache "long gone" even in 2.6.8.1? If so, what took it's place?

As for the code, there you go :

This is the hook registration (pardon the Object-Oriented C):

RC_t PREROUTING_HOOK_init(PREROUTING_HOOK_t * self)
{
  ...
  ...
  self->netfilter_ops_prerouting.hook = PREROUTING_HOOK_hook;
  self->netfilter_ops_prerouting.pf = PF_INET;
  self->netfilter_ops_prerouting.hooknum = NF_IP_PRE_ROUTING;
  self->netfilter_ops_prerouting.priority = NF_IP_PRI_LAST;
  ...
  ...
  nf_retval = nf_register_hook(&(self->netfilter_ops_prerouting));
  ...
  ...
}

This is the hook function:

unsigned int PREROUTING_HOOK_hook(unsigned int hooknum,
				  struct sk_buff ** skb,
				  const struct net_device * in,
				  const struct net_device * out,
				  int (* okfn)(struct sk_buff *))
{
  unsigned int verdict = NF_ACCEPT;
  unsigned char * tcp_start = NULL;

  if (NULL == (*skb)) {
    goto done;
  }

  /* No IP header? */
  if (NULL == (*skb)->nh.iph) {
    goto done;
  }

  if (0x06 != (*skb)->nh.iph->protocol) {
    goto done;
  }

  tcp_start = ((unsigned char *)((*skb)->nh.iph)) + ((*skb)->nh.iph->ihl * 4);

  (*skb)->nfcache |= NFC_UNKNOWN;

  printk(KERN_INFO "Pkt: %08X -> %08X proto: %d len: %d\n",
	 (*skb)->nh.iph->saddr,
	 (*skb)->nh.iph->daddr,
	 (*skb)->nh.iph->protocol,
	 (*skb)->nh.iph->tot_len);

  printk(KERN_INFO "   Tcp: %d -> %d. Traffic: %ld\n",
	 *((unsigned short *)tcp_start),
	 *((unsigned short *)tcp_start+1),
	 traffic);

 done:
  return verdict;
}

I cut out some irrelevant code, as you can see. Most of the hook
function is intact.

What I'm trying to do here, is to print some data about the TCP
packets that pass through the hook.
As I've said, I don't see all the packets. The only ones printed out
are stuff like TCP handshake packets, and maybe some others (but very
far from all of them).

The code is pretty straight forward. The line "  (*skb)->nfcache |=
NFC_UNKNOWN;" doesn't really do anything for me. I've tried this with
or without it.

Can you see what the problem may be? Should I try this under a newer
kernel version, in a VM, perhaps?

On Wed, Apr 7, 2010 at 1:28 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Wednesday 2010-04-07 01:10, K-Gen wrote:
>
>>Hi there.
>>I'm trying to see TCP packets passing through a router using a
>>netfilter module (in order to eventually alter them).
>>
>>I have a hook on PREROUTING, and it doesn't quite work as expected.
>>The only packets I see, are the TCP handshake (3 packets). Any packets
>>in an established connection do not get to my hook.
>>The TCP connections in question all pass via NAT before reaching my
>>hook. I've thus given my hook the priority NF_IP_PRI_LAST.
>>I've tried setting nfcache to NFC_UNKNOWN for every TCP packet, and
>>this didn't help.
>>
>>The kernel version on the router is 2.6.8.1, the router itself is
>>based on a BCM board. I did not try to the same on another machine.
>
> The stable series did not exist before 2.6.11, so 2.6.8.1 did not
> exist. Assuming you meant 2.6.8, I'd say it's time to update.
>
> nfcache is long gone.
>
>>I'm obviously doing something wrong, so please tell my why is this happening.
>
> You need to post your code, because we don't have magic orbs (let alone
> that, if such existed, the law would probably prohibit their use for
> obvious reasons of unwanted privacy invasion).
>

Re: Prerouting hook doesn't "see" all packets

[Jan Engelhardt]

On Wednesday 2010-04-07 22:02, K-Gen wrote:

>Thanks for the response.
>
>Was nfcache "long gone" even in 2.6.8.1? If so, what took it's place?

Dunno about 2.6.8. You're really better off using something that's
maintained.
Nothing took its place AFAICS.

>As for the code, there you go :
>
>This is the hook registration (pardon the Object-Oriented C):

Well the kernel is in C, so using another language is next to gambling.

>RC_t PREROUTING_HOOK_init(PREROUTING_HOOK_t * self)
>{
>  ...
>  ...
>  self->netfilter_ops_prerouting.hook = PREROUTING_HOOK_hook;
>  self->netfilter_ops_prerouting.pf = PF_INET;
>  self->netfilter_ops_prerouting.hooknum = NF_IP_PRE_ROUTING;
>  self->netfilter_ops_prerouting.priority = NF_IP_PRI_LAST;
>  ...
>  ...

It's simpler to just use a
static struct nf_hook_ops myops = {
	.hook = NF_INET_PRE_ROUTING
	.pf = NFPROTO_IPV4, /* not PF_INET */
	.hooknum = ...
	etc.
};

>  nf_retval = nf_register_hook(&(self->netfilter_ops_prerouting));
>  ...
>  ...
>}
>
>This is the hook function:
>
>unsigned int PREROUTING_HOOK_hook(unsigned int hooknum,
>				  struct sk_buff ** skb,
>				  const struct net_device * in,
>				  const struct net_device * out,
>				  int (* okfn)(struct sk_buff *))
>{
>  unsigned int verdict = NF_ACCEPT;
>  unsigned char * tcp_start = NULL;
>
>  if (NULL == (*skb)) {
>    goto done;
>  }
>
>  /* No IP header? */
>  if (NULL == (*skb)->nh.iph) {
>    goto done;
>  }
>
>  if (0x06 != (*skb)->nh.iph->protocol) {
>    goto done;
>  }
>
>  tcp_start = ((unsigned char *)((*skb)->nh.iph)) + ((*skb)->nh.iph->ihl * 4);

The TCP header may be fragmented; you need to use skb_header_pointer.