* Packet manipulation in user space, drop/reinject modified packets
@ 2010-04-09 16:53 Hamid Nassiby
From: Hamid Nassiby @ 2010-04-09 16:53 UTC (permalink / raw)
To: netfilter-devel
Hello,

I'm working on a project which wants to port a Windows-based network
protocol to Linux. The protocol works as a VPN/Firewall, on packets
copied from the Data-Link Layer to user space. In MS Windows,
WinpkFilter(C) does the copying from kernel space (Data-Link layer) to
user space and then drops the original packet. In user space, our
protocol does some operation on the packet (e.g. checks the packet
authority and/or encrypts/decrypts it, ...) and then injects the
packet upward to the application layer or downward, or simply drops it. The injected
modified packet may not be the same size as the original one.

So our requirements are:

1-Capture each packet which is coming into or going out of the
computer at the Data-link Layer.
2-Create a copy of the packet and drop the original one.
3-The copy of the packet must be available in user space to be manipulated by
our protocol.
4-After manipulation in user space, inject the encrypted/decrypted version
of the privileged (copy of) packets to the network or upward to the
application layer.

And of course we want to make the minimum changes to our
current protocol.

I tried raw sockets and libnetfilter_queue, but I didn't find a
suitable solution (especially one that lets me inject packets upward
to the application layer).

I need to know if it is possible to do this with libraries/interfaces currently
available in user space, or should I write a kernel module to do the
above tasks for us?

It is possible that I am mistaken overall, so any guidance is appreciated.

Thanks in advance,
Hamid.
* Re: Packet manipulation in user space, drop/reinject modified packets
@ 2010-04-09 23:02 ` Changli Gao
From: Changli Gao @ 2010-04-09 23:02 UTC (permalink / raw)
To: Hamid Nassiby; +Cc: netfilter-devel
On Sat, Apr 10, 2010 at 12:53 AM, Hamid Nassiby <h.nassiby@gmail.com> wrote:
> Hello,
>
> I'm working on a project which wants to port a Windows-based network
> protocol to Linux. The protocol works as a VPN/Firewall, on packets
> copied from Data-Link Layer to user space. In MS Windows
> WinpkFilter(C) does copying from kernel space (Data-Link layer) to
> user space and then drops the original packet. In user space, our
> protocol does some operation on the packet (e.g. checks the packet
> authority and/or encrypts/decrypts it, ...) and then injects the
> packet upward to the application layer or downward, or simply drops it. The injected
> modified packet may not be the same size as the original one.
>
> So our requirements are:
>
> 1-Capture each packet which is coming inside or going outside the
> computer in Data-link Layer.
> 2-Create a copy of the packet and drop the original one.
> 3-Copy of packet must be available in user space to be manipulated by
> our protocol.
> 4-After manipulation in user space, inject encrypted/decrypted version
> of the privileged (copy of) packets to the network or upward to the
> application layer.
>
Refer to: Documentation/networking/tuntap.txt
--
Regards,
Changli Gao(xiaosuo@gmail.com)
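
The TUN/TAP approach referred to above, sketched as an added example that is not part of the original thread or of the kernel documentation: a user-space loop that reads each Ethernet frame from a TAP device, passes it through a transform that may change its size or drop it, and writes the result back. `transform()`, its constructed `DEMO` trailer, and `pump_once()` are hypothetical stand-ins for the protocol's own check/encrypt/decrypt step.

```c
/* Added example: minimal TAP read/transform/write loop body (Linux). */
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>

#define ETH_HDR   14     /* Ethernet header length */
#define MAX_FRAME 2048   /* buffer size assumed large enough for one frame */

/* Create or attach to a TAP interface; returns fd or -1 (needs CAP_NET_ADMIN). */
int tap_open(const char *name)
{
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;  /* raw Ethernet frames, no info prefix */
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical protocol step: returns 0 to drop, else the new frame length. */
size_t transform(const unsigned char *in, size_t n, unsigned char *out, size_t cap)
{
    static const unsigned char tag[4] = { 'D', 'E', 'M', 'O' };  /* constructed */
    if (n < ETH_HDR || n + sizeof(tag) > cap)
        return 0;                          /* runt frame or no room: drop */
    memcpy(out, in, n);
    memcpy(out + n, tag, sizeof(tag));     /* output is larger than the input */
    return n + sizeof(tag);
}

/* One iteration: -1 on I/O error, 0 if dropped, else bytes written back. */
long pump_once(int fd)
{
    unsigned char in[MAX_FRAME], out[MAX_FRAME];
    ssize_t n = read(fd, in, sizeof(in));  /* one frame per read() */
    if (n < 0)
        return -1;
    size_t m = transform(in, (size_t)n, out, sizeof(out));
    if (m == 0)
        return 0;                          /* original is never forwarded */
    return write(fd, out, m) == (ssize_t)m ? (long)m : -1;
}
```

Frames the kernel sends out through the TAP interface are what `read()` returns, and a frame passed to `write()` enters the network stack as if it had been received on that interface, which covers the upward injection asked about. The interface still has to be brought up and traffic routed or bridged to it.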