Netfilter Packet Reinjection

Netfilter Packet Reinjection

[Fr3DBr]

Hello,

I'm writting a module to deal with certain packets, and i wanted to
DROP then initially, store it, and at an later moment, reinject it
before the routing decision.

What would be the method i could call, to place the packet again in
the stack at this point ?!

Thanks,

Fred

RE: Netfilter Packet Reinjection

[Jeff Haran]

> -----Original Message-----
> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-
> owner@vger.kernel.org] On Behalf Of Fr3DBr
> Sent: Friday, March 23, 2012 2:59 PM
> To: netfilter-devel@vger.kernel.org
> Subject: Netfilter Packet Reinjection
> 
> Hello,
> 
> I'm writting a module to deal with certain packets, and i wanted to
> DROP then initially, store it, and at an later moment, reinject it
> before the routing decision.
> 
> What would be the method i could call, to place the packet again in
> the stack at this point ?!
> 
> Thanks,
> 
> Fred

You probably want to take a look at nf_reinject() in net/netfilter/nf_queue.c.

Jeff Haran

Re: Netfilter Packet Reinjection

[Fr3DBr]

I did, but i didn't wanted to implement a queue, but just do what i
said directly !

Em 23 de março de 2012 19:11, Jeff Haran <jharan@bytemobile.com> escreveu:
>> -----Original Message-----
>> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-
>> owner@vger.kernel.org] On Behalf Of Fr3DBr
>> Sent: Friday, March 23, 2012 2:59 PM
>> To: netfilter-devel@vger.kernel.org
>> Subject: Netfilter Packet Reinjection
>>
>> Hello,
>>
>> I'm writting a module to deal with certain packets, and i wanted to
>> DROP then initially, store it, and at an later moment, reinject it
>> before the routing decision.
>>
>> What would be the method i could call, to place the packet again in
>> the stack at this point ?!
>>
>> Thanks,
>>
>> Fred
>
> You probably want to take a look at nf_reinject() in net/netfilter/nf_queue.c.
>
> Jeff Haran
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: Netfilter Packet Reinjection

[Jeff Haran]

> -----Original Message-----
> Em 23 de março de 2012 19:11, Jeff Haran <jharan@bytemobile.com>
> escreveu:
> >> -----Original Message-----
> >> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-
> >> owner@vger.kernel.org] On Behalf Of Fr3DBr
> >> Sent: Friday, March 23, 2012 2:59 PM
> >> To: netfilter-devel@vger.kernel.org
> >> Subject: Netfilter Packet Reinjection
> >>
> >> Hello,
> >>
> >> I'm writting a module to deal with certain packets, and i wanted to
> >> DROP then initially, store it, and at an later moment, reinject it
> >> before the routing decision.
> >>
> >> What would be the method i could call, to place the packet again in
> >> the stack at this point ?!
> >>
> >> Thanks,
> >>
> >> Fred
> >
> > You probably want to take a look at nf_reinject() in
> net/netfilter/nf_queue.c.
> >
> > Jeff Haran
> From: Fr3DBr [mailto:fr3dbr@gmail.com]
> Sent: Friday, March 23, 2012 3:12 PM
> To: Jeff Haran
> Cc: netfilter-devel@vger.kernel.org
> Subject: Re: Netfilter Packet Reinjection
> I did, but i didn't wanted to implement a queue, but just do what i
> said directly !
>

Fixing the top post.

I assume by "I didn't wanted to implement a queue", you meant you didn't want to use an NF_QUEUE to put the packets to user space.

Fine. Nobody said you had to use a user space queue. But if you want to hang onto packets for later re-injection, calling nf_reinject() is one way to do it.




--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Netfilter Packet Reinjection

[Fr3DBr]

Ok i get you.

Could you tell me how one must instantiate the nf queue entry in order
to use the nf_reinject method ?

Em 23 de março de 2012 19:20, Jeff Haran <jharan@bytemobile.com> escreveu:
>> -----Original Message-----
>> Em 23 de março de 2012 19:11, Jeff Haran <jharan@bytemobile.com>
>> escreveu:
>> >> -----Original Message-----
>> >> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-
>> >> owner@vger.kernel.org] On Behalf Of Fr3DBr
>> >> Sent: Friday, March 23, 2012 2:59 PM
>> >> To: netfilter-devel@vger.kernel.org
>> >> Subject: Netfilter Packet Reinjection
>> >>
>> >> Hello,
>> >>
>> >> I'm writting a module to deal with certain packets, and i wanted to
>> >> DROP then initially, store it, and at an later moment, reinject it
>> >> before the routing decision.
>> >>
>> >> What would be the method i could call, to place the packet again in
>> >> the stack at this point ?!
>> >>
>> >> Thanks,
>> >>
>> >> Fred
>> >
>> > You probably want to take a look at nf_reinject() in
>> net/netfilter/nf_queue.c.
>> >
>> > Jeff Haran
>> From: Fr3DBr [mailto:fr3dbr@gmail.com]
>> Sent: Friday, March 23, 2012 3:12 PM
>> To: Jeff Haran
>> Cc: netfilter-devel@vger.kernel.org
>> Subject: Re: Netfilter Packet Reinjection
>> I did, but i didn't wanted to implement a queue, but just do what i
>> said directly !
>>
>
> Fixing the top post.
>
> I assume by "I didn't wanted to implement a queue", you meant you didn't want to use an NF_QUEUE to put the packets to user space.
>
> Fine. Nobody said you had to use a user space queue. But if you want to hang onto packets for later re-injection, calling nf_reinject() is one way to do it.
>
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Netfilter Packet Reinjection

[Jan Engelhardt]

On Friday 2012-03-23 23:22, Fr3DBr wrote:

>Ok i get you.
>
>Could you tell me how one must instantiate the nf queue entry in order
>to use the nf_reinject method ?

You do not strictly need an nfqueue entry. Just calling one of the 
NF_HOOK macros is sufficient.

Re: Netfilter Packet Reinjection

[Fr3DBr]

Well, i have a hook to capure the packets right now... but after
storing then in other place, after some 'tests' i perform around then
i have to 're-create' part of the packet flow (like a proxy) and then
let the real packets from the source, flow locally or remotelly
through forwarding to its destinations.

But i didn't understood well what i would do with NF_HOOK, by using a
NfHook i can also call methods inside netfilter core to perform such
tasks as 'reinjecting' a packet ?


(Disconsider last e-mail, it wasn't visible to the list)

Em 23 de março de 2012 19:55, Jan Engelhardt <jengelh@medozas.de> escreveu:
> On Friday 2012-03-23 23:22, Fr3DBr wrote:
>
>>Ok i get you.
>>
>>Could you tell me how one must instantiate the nf queue entry in order
>>to use the nf_reinject method ?
>
> You do not strictly need an nfqueue entry. Just calling one of the
> NF_HOOK macros is sufficient.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Netfilter Packet Reinjection

[Jan Engelhardt]

On Saturday 2012-03-24 00:04, Fr3DBr wrote:

>Well, i have a hook to capure the packets right now... but after
>storing then in other place, after some 'tests' i perform around then
>i have to 're-create' part of the packet flow (like a proxy) and then
>let the real packets from the source, flow locally or remotelly
>through forwarding to its destinations.
>
>But i didn't understood well what i would do with NF_HOOK

If you do read the function body of nf_reinject, you will see that it 
too will only call nf_iterate (which is the same that NF_HOOK eventually 
gets to do).

Re: Netfilter Packet Reinjection

[Fr3DBr]

Yeah i was looking this, so i'll try through the NFHook and see what happens...

As long i call it with the properly 'event' identifier, everything
should works i guess.

Em 23 de março de 2012 20:06, Jan Engelhardt <jengelh@medozas.de> escreveu:
> On Saturday 2012-03-24 00:04, Fr3DBr wrote:
>
>>Well, i have a hook to capure the packets right now... but after
>>storing then in other place, after some 'tests' i perform around then
>>i have to 're-create' part of the packet flow (like a proxy) and then
>>let the real packets from the source, flow locally or remotelly
>>through forwarding to its destinations.
>>
>>But i didn't understood well what i would do with NF_HOOK
>
> If you do read the function body of nf_reinject, you will see that it
> too will only call nf_iterate (which is the same that NF_HOOK eventually
> gets to do).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Netfilter Packet Reinjection

[Fr3DBr]

Hey,

i've been trying this, but it seens as soon i call NF_HOOK, the whole
thing freezes, like if it entered in a infinite loop, i tried adding
some sanity check to avoid 'recursive' looping and it seemed to avoid
this scenario, but now it just freezes and only resetting the OS put
it back to work (since it wont load the module)...

Any ideas ?!

Em 23 de março de 2012 20:09, Fr3DBr <fr3dbr@gmail.com> escreveu:
> Yeah i was looking this, so i'll try through the NFHook and see what happens...
>
> As long i call it with the properly 'event' identifier, everything
> should works i guess.
>
> Em 23 de março de 2012 20:06, Jan Engelhardt <jengelh@medozas.de> escreveu:
>> On Saturday 2012-03-24 00:04, Fr3DBr wrote:
>>
>>>Well, i have a hook to capure the packets right now... but after
>>>storing then in other place, after some 'tests' i perform around then
>>>i have to 're-create' part of the packet flow (like a proxy) and then
>>>let the real packets from the source, flow locally or remotelly
>>>through forwarding to its destinations.
>>>
>>>But i didn't understood well what i would do with NF_HOOK
>>
>> If you do read the function body of nf_reinject, you will see that it
>> too will only call nf_iterate (which is the same that NF_HOOK eventually
>> gets to do).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Netfilter Packet Reinjection

[Pablo Neira Ayuso]

On Sat, Mar 24, 2012 at 05:20:01PM -0300, Fr3DBr wrote:
> Hey,
> 
> i've been trying this, but it seens as soon i call NF_HOOK, the whole
> thing freezes, like if it entered in a infinite loop, i tried adding
> some sanity check to avoid 'recursive' looping and it seemed to avoid
> this scenario, but now it just freezes and only resetting the OS put
> it back to work (since it wont load the module)...
> 
> Any ideas ?!

Please, stop top-posting.

Someone already told you this before and you seem to ignore that.

Read Netfilter mailing list rules:
http://www.netfilter.org/mailinglists.html

Moreover, if you want help it would be a good idea if:

a) you post your code somewhere.

b) you reduce the amount of emails for every single issue that you
find while trying to learn how things. People may end up ignoring you
if you become too spamming. Making questions is fine, don't abuse.

Re: Netfilter Packet Reinjection

[Fr3DBr]

> b) you reduce the amount of emails for every single issue that you
> find while trying to learn how things. People may end up ignoring you
> if you become too spamming. Making questions is fine, don't abuse.

Hey , i am not sending 100 e-mails per hour, just one or another :).

And yes i am researching stuff before asking, but this kind of stuff
mainly when you are not too familiar with the designed API is common,
maybe for you its not that uncommon since you are more used than me to
this stuff, but i understand your point.

Btw, the problem was that i wasn't 'dereferencing' the point of skb,
after i did it, it became stable and worked as intended, thanks for
helping guys.

Re: Netfilter Packet Reinjection

[Jan Engelhardt]

On Sunday 2012-03-25 03:24, Fr3DBr wrote:

>> b) you reduce the amount of emails for every single issue that you
>> find while trying to learn how things. People may end up ignoring you
>> if you become too spamming. Making questions is fine, don't abuse.
>
>Btw, the problem was that i wasn't 'dereferencing' the point of skb,
>after i did it, it became stable and worked as intended, thanks for
>helping guys.

Since C does have type checking, that would mean you ignored a warning 
somewhere. Also note that since NF_HOOK does take struct sk_buff *, one 
might wonder just what you are doing with a raw struct sk_buff 
aggregate..

Re: Netfilter Packet Reinjection

[Fr3DBr]

> Since C does have type checking, that would mean you ignored a warning
> somewhere. Also note that since NF_HOOK does take struct sk_buff *, one
> might wonder just what you are doing with a raw struct sk_buff
> aggregate..

Yes this is correct, after fixing this it started working properly.

I am having fun with raw streams here =P.