netfilter-devel.vger.kernel.org archive mirror
* Packet Injection within netfilter module
@ 2010-04-13  8:13 Ali Hamidi
  2010-04-13 13:04 ` Ben Gardiner
       [not found] ` <n2r8363055a1004130947r17b18e9dgf33b38f8648b3f82@mail.gmail.com>
  0 siblings, 2 replies; 4+ messages in thread
From: Ali Hamidi @ 2010-04-13  8:13 UTC (permalink / raw)
  To: netfilter-devel

Is there any way to inject a newly created packet based on the
captured packet inside a netfilter hook callback function?
My goal is to capture a packet, change (compress) its TCP payload and
send it. I read ipcomp.c and I used its source. When I change the skb size
(like len) and tail pointer, the kernel hangs. Maybe the way to do it is to
create a new packet based on the captured packet and ask the kernel to send
it. I just don't know how to ask the kernel to send a newly created
packet.


* Re: Packet Injection within netfilter module
  2010-04-13  8:13 Packet Injection within netfilter module Ali Hamidi
@ 2010-04-13 13:04 ` Ben Gardiner
       [not found] ` <n2r8363055a1004130947r17b18e9dgf33b38f8648b3f82@mail.gmail.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Ben Gardiner @ 2010-04-13 13:04 UTC (permalink / raw)
  To: Ali Hamidi; +Cc: netfilter-devel

On Tue, Apr 13, 2010 at 4:13 AM, Ali Hamidi <ali.hamidi759@gmail.com> wrote:
> Is there any way to inject a newly created packet based on the
> captured packet inside a netfilter hook callback function?
> My goal is to capture a packet, change (compress) its TCP payload and
> send it. I read ipcomp.c and I used its source. When I change the skb size
> (like len) and tail pointer, the kernel hangs. Maybe the way to do it is to
> create a new packet based on the captured packet and ask the kernel to send
> it. I just don't know how to ask the kernel to send a newly created
> packet.

I'm not sure this will work -- it's just an idea that comes to mind.
Perhaps you could use TUN to inject a newly created packet from a
userspace application?

packet ---> netfilter rule with userspace target ---> userspace
payload compressor ---> /dev/tunX

-- 
Ben Gardiner
Nanometrics Inc.
+1 (613) 592-6776 x239
http://www.nanometrics.ca


* Re: Packet Injection within netfilter module
@ 2010-04-13 19:36 Morgon J. Kanter
  0 siblings, 0 replies; 4+ messages in thread
From: Morgon J. Kanter @ 2010-04-13 19:36 UTC (permalink / raw)
  To: netfilter-devel

> Is there any way to inject a newly created packet based on the
> captured packet inside a netfilter hook callback function?
> My goal is to capture a packet, change (compress) its TCP payload and
> send it. I read ipcomp.c and I used its source. When I change the skb size
> (like len) and tail pointer, the kernel hangs. Maybe the way to do it is to
> create a new packet based on the captured packet and ask the kernel to send
> it. I just don't know how to ask the kernel to send a newly created
> packet.

I've been looking to do something similar, and running into my own questions.

First, does your newly created packet completely replace the old, uncompressed 
packet? Because then you should be able to just issue an ACCEPT verdict to the 
packet, but pass along new payload data for said packet as part of issuing the 
verdict.

As I said, I've been looking to do something similar (and in fact just joined 
this list with the hope of getting some answers) -- would you then have to go 
and change, say, the TCP windows? At the very least it seems you'll need to 
mangle the returning ACK numbers to the uncompressed value, so the original 
packet's sender gets the correct acknowledgment. Is there a way to handle this 
automatically in the Linux kernel? It seems like this would be a valuable 
thing to implement as part of queue/conntrack if it's not implemented already 
-- is it?

I ask because I will need to implement exactly this functionality if it's not 
already around. I'm also trying to figure out the best place to put it.

Thanks,
-- Morgon
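
Morgon's point about mangling the returning ACK numbers, as an added userspace sketch (not code from the thread or from the kernel): when a single in-path box shortens payloads, each forwarded segment gets a sequence number in the receiver's space, and each returning ACK is mapped back to a segment boundary in the sender's space. The names `flow_map`, `map_segment` and `map_ack` are hypothetical, and only in-order segments are handled.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_SEGS 32   /* table size picked for this sketch */

/* End of one forwarded segment in the sender's and the receiver's sequence space. */
struct seg_map { uint32_t orig_end, new_end; };

struct flow_map {
    uint32_t orig_base;             /* first data byte, same in both spaces */
    uint32_t orig_next, new_next;   /* next expected byte in each space */
    struct seg_map segs[MAX_SEGS];
    size_t n;
};

/* Wrap-safe "a is at or before b" for 32-bit sequence numbers. */
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

void flow_init(struct flow_map *f, uint32_t first_seq)
{
    f->orig_base = f->orig_next = f->new_next = first_seq;
    f->n = 0;
}

/* Outbound data: payload shrank from orig_len to new_len. Stores the sequence
 * number to write into the forwarded header; -1 if out of order or table full. */
int map_segment(struct flow_map *f, uint32_t seq, uint32_t orig_len,
                uint32_t new_len, uint32_t *out_seq)
{
    if (seq != f->orig_next || f->n == MAX_SEGS)
        return -1;
    *out_seq = f->new_next;
    f->orig_next += orig_len;
    f->new_next += new_len;
    f->segs[f->n++] = (struct seg_map){ f->orig_next, f->new_next };
    return 0;
}

/* Returning ACK: translate to the sender's space, rounding down to the last
 * fully acknowledged segment so the sender is never told too much arrived. */
uint32_t map_ack(const struct flow_map *f, uint32_t ack)
{
    uint32_t orig = f->orig_base;
    for (size_t i = 0; i < f->n && seq_leq(f->segs[i].new_end, ack); i++)
        orig = f->segs[i].orig_end;
    return orig;
}
```

A production version would also drop table entries once they are acknowledged and handle retransmissions and SACK blocks, which this sketch leaves out.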


* Re: Packet Injection within netfilter module
       [not found] ` <n2r8363055a1004130947r17b18e9dgf33b38f8648b3f82@mail.gmail.com>
@ 2010-04-14 14:57   ` Ali Hamidi
  0 siblings, 0 replies; 4+ messages in thread
From: Ali Hamidi @ 2010-04-14 14:57 UTC (permalink / raw)
  To: Justin Yaple; +Cc: netfilter-devel

Dear Justin,
I just want to thank you for your good reply. Your code saved my life
in a school project. It is well-written and I learned many things from
it, because I am a newbie in netfilter kernel module programming.
Anyway, thanks again for your reply. You gave me new hope to continue.

On 4/13/10, Justin Yaple <yaplej@gmail.com> wrote:
> Ali,
>
> Are you sending this copied packet somewhere else?  If your goal is
> just to modify the skb why make a copy before you modify it?  I have
> written a kernel module that can compress/decompress TCP payloads
> for traffic between any number of hosts if the traffic is routed
> through two systems running my module.  If you want to download the
> source you can get it from
> http://packetsqueezer.portal.codespaces.com.
>
> To send a new skb though you can do this.  It assumes all the required
> fields are already populated correctly.
> NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, skb->dst->dev,
> dst_output); // Send the packet.
>
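
What "all the required fields are already populated correctly" involves once the payload length changes, shown as an added userspace example over a raw buffer (not Justin's module code and not a kernel API): the IPv4 total length, the IPv4 header checksum and the TCP checksum all have to be rewritten. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: IPv4 192.0.2.1 -> 198.51.100.2 plus a TCP header,
 * no payload, checksums unset, in a 64-byte buffer. */
uint8_t sample[64] = {
    0x45,0,0,40, 0,1,0x40,0, 64,6,0,0, 192,0,2,1, 198,51,100,2,
    0x30,0x39,0,80, 0,0,0x03,0xe8, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0 };

/* RFC 1071 one's-complement sum of big-endian 16-bit words, odd byte padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header checksum over ihl bytes; returns 0 when the stored value is valid. */
uint16_t ip_csum(const uint8_t *ip, size_t ihl) { return csum_fold(csum_add(0, ip, ihl)); }

/* TCP checksum with pseudo-header (addresses, protocol 6, TCP length). */
uint16_t tcp_csum(const uint8_t *ip, size_t ihl, size_t tcp_len)
{
    uint32_t sum = csum_add(6 + (uint32_t)tcp_len, ip + 12, 8);
    return csum_fold(csum_add(sum, ip + ihl, tcp_len));
}

/* Swap in a new TCP payload of n bytes. Returns the new packet length,
 * or 0 for non-TCP, fragmented or malformed input, or if it does not fit. */
size_t replace_payload(uint8_t *ip, size_t len, size_t cap, const uint8_t *pl, size_t n)
{
    if (len < 40 || ip[0] >> 4 != 4 || ip[9] != 6 || (ip[6] & 0x3f) || ip[7]) return 0;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 20) return 0;
    size_t doff = (ip[ihl + 12] >> 4) * 4u, total = ihl + doff + n;
    if (doff < 20 || len < ihl + doff || total > cap || total > 0xffff) return 0;
    memcpy(ip + ihl + doff, pl, n);
    ip[2] = total >> 8; ip[3] = total & 0xff;            /* IP total length */
    ip[10] = ip[11] = ip[ihl + 16] = ip[ihl + 17] = 0;   /* clear both checksums */
    uint16_t c = ip_csum(ip, ihl);
    ip[10] = c >> 8; ip[11] = c & 0xff;
    c = tcp_csum(ip, ihl, doff + n);
    ip[ihl + 16] = c >> 8; ip[ihl + 17] = c & 0xff;
    return total;
}
```

In a kernel hook the same three fields are updated on the skb after it has been resized with helpers such as `skb_put()` or `skb_trim()`, which keep `len` and `tail` consistent.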

