queuing pkts using nf_queue_handler in bridge (PF_BRIDGE) mode not working in 2.6 kernel

queuing pkts using nf_queue_handler in bridge (PF_BRIDGE) mode not working in 2.6 kernel

[Ratnaraj Mirgal]

Hi,

i'm trying a simple lkm tht register a hook in PF_BRIDGE protocol,
also registers a queue_handler for the same.
the hook function simply returns NF_QUEUE for all IP pakcets.

i'm trying this out in 2.6.18-8.el5 (centos 5.0)

it seems like pkts are queuing up, but the _problem_ is queue_handler
is not getting invoked.
plz refer to the code below.

(NOTE: the same program worked fine in my rh9 (ie 2.4 kernel), of
course with minor nf API modification)

-------------------------------------------------
#include <linux/module.h>
#include <linux/kernel.h>

#include <linux/skbuff.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/list.h>
#include <linux/netfilter.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <linux/spinlock.h>

static unsigned int ebq_hook(unsigned int hook,
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
if(ntohs(ETH_P_IP) != eth_hdr(*pskb)->h_proto)
{
printk(KERN_WARNING "caught non-IP packet\n");
return NF_ACCEPT;
}
//printk(KERN_INFO "src_ip: %d.%d.%d.%d dst_ip: %d.%d.%d.%d\n",
//NIPQUAD((*pskb)->nh.iph->saddr),
//NIPQUAD((*pskb)->nh.iph->daddr));
return NF_QUEUE;
}

static struct nf_hook_ops ebq_ops =
{
.hook = ebq_hook,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_FIRST
};

static int ebq_enqueue(struct sk_buff *skb, struct nf_info *info,
unsigned int queuenum, void *data) //start queueing.....
{
int status = -EINVAL;

printk(KERN_INFO "ebq_enqueue: inside ebq_enqueue\n");
printk(KERN_INFO "src_ip: %d.%d.%d.%d dst_ip: %d.%d.%d.%d\n",
NIPQUAD(skb->nh.iph->saddr), NIPQUAD(skb->nh.iph->daddr));

nf_reinject(skb, info, NF_ACCEPT); // :-)
status = 0;

return status; //arey... return zero directly na...
}

static struct nf_queue_handler ebq_handler =
{
.name = "testicles",
.data = NULL,
.outfn = ebq_enqueue,
};

int enter_da_dragon(void) //module loading....
{
int status = -ENOMEM;

printk(KERN_INFO "eb_queue: registering hook handler\n");

status = nf_register_hook(&ebq_ops);
if(status < 0)
{
printk(KERN_ERR "eb_queue: failed to register hook\n");
return -EINVAL;
}

printk(KERN_INFO "eb_queue: registering queue handler\n");
status = nf_register_queue_handler(PF_BRIDGE, &ebq_handler);
if(status < 0)
{
printk(KERN_ERR "eb_queue: failed 2 reg queue handler\n");
goto err_queue;
}

return status;

err_queue:
nf_unregister_hook(&ebq_ops);

return status;
}

void exit_da_dragon(void) //module exitin....
{
printk(KERN_INFO "eb_queue: unregistering queue handler\n");
nf_unregister_queue_handler(PF_BRIDGE);
printk(KERN_INFO "eb_queue: unregistering hook handler\n");
nf_unregister_hook(&ebq_ops);
}

module_init(enter_da_dragon);
module_exit(exit_da_dragon);

MODULE_DESCRIPTION("bridge mode hook!!!");
MODULE_LICENSE("GPL");
-----------------------------------------------------

i tried to search the solution for this in kernel/net/bridge
directory, but didn't find it (or wasn't able to locate it)

is there any other way to do this??

TIA,
Ratnaraj

Re: queuing pkts using nf_queue_handler in bridge (PF_BRIDGE) mode not working in 2.6 kernel

[Patrick McHardy]

Ratnaraj Mirgal wrote:
> Hi,
> 
> i'm trying a simple lkm tht register a hook in PF_BRIDGE protocol,
> also registers a queue_handler for the same.
> the hook function simply returns NF_QUEUE for all IP pakcets.
> 
> i'm trying this out in 2.6.18-8.el5 (centos 5.0)
> 
> it seems like pkts are queuing up, but the _problem_ is queue_handler
> is not getting invoked.
> plz refer to the code below.
> 
> (NOTE: the same program worked fine in my rh9 (ie 2.4 kernel), of
> course with minor nf API modification)

The bridge netfilter code doesn't register an afinfo with the
netfilter core, so queueing drops the packets. Its actually
not needed since bridge netfilter doesn't need to reroute anyways.
So you basically need to change the __nf_queue function to only
invoke the af-specific functions if an afinfo is available.

Patches welcome btw :)

Re: queuing pkts using nf_queue_handler in bridge (PF_BRIDGE) mode not working in 2.6 kernel

[Ratnaraj Mirgal]

thanx for reply :-)

i just found tht.... (i put printks in nf_queue of
net/netfilter/nf_queue.c)... n i referred to afinfo of ipv4...

thanx again

On Wed, Feb 18, 2009 at 3:56 PM, Patrick McHardy <kaber@trash.net> wrote:
> Ratnaraj Mirgal wrote:
>>
>> Hi,
>>
>> i'm trying a simple lkm tht register a hook in PF_BRIDGE protocol,
>> also registers a queue_handler for the same.
>> the hook function simply returns NF_QUEUE for all IP pakcets.
>>
>> i'm trying this out in 2.6.18-8.el5 (centos 5.0)
>>
>> it seems like pkts are queuing up, but the _problem_ is queue_handler
>> is not getting invoked.
>> plz refer to the code below.
>>
>> (NOTE: the same program worked fine in my rh9 (ie 2.4 kernel), of
>> course with minor nf API modification)
>
> The bridge netfilter code doesn't register an afinfo with the
> netfilter core, so queueing drops the packets. Its actually
> not needed since bridge netfilter doesn't need to reroute anyways.
> So you basically need to change the __nf_queue function to only
> invoke the af-specific functions if an afinfo is available.
>
> Patches welcome btw :)
>
>
>