From: James King <t.james.king@gmail.com>
To: Justin Yaple <yaplej@gmail.com>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Recalculate checksums in netfilter queue
Date: Thu, 22 Apr 2010 12:37:22 -0700
Message-ID: <z2x38bcb3ec1004221237yde677868mfb3f87f11d9bb6f8@mail.gmail.com>
In-Reply-To: <z2o8363055a1004212015w2216df48s3074cdb2328c66db@mail.gmail.com>

On Wed, Apr 21, 2010 at 8:15 PM, Justin Yaple <yaplej@gmail.com> wrote:
> If I get it figured out I will let you know. I'm kind of surprised
> that there isn't a function for this in libnetfilter_queue already. It
> seems like it would be a pretty common requirement to recalculate the
> tcp, and ip checksums. I have spent two days trying to get something
> to work without much luck.
>
> My understanding is that the one's complement of each 16-bit word is
> summed, and then the result of that is bitwise complemented.
>
> So for each word we would do something like this.
> for each word{
> sum += ~word;
> }
>
> then you would take the bitwise complement of that total.
> sum = ~sum;

For TCP, it's a bit more complicated, as you need to construct an IP
pseudo header first, calculate the checksum for the pseudo header +
segment containing a zeroed checksum field, and then finally insert
the checksum into the TCP header [1]. You also have to pad the
segment into an even number of octets before doing the calculation,
but not include this padding in the transmitted segment [2]. You may
also need to recalculate the IP checksum, depending on what fields
you're modifying. The process is also slightly different for TCP over
IPv6.

I found a thread on this list from last year that contains some helper
functions extracted from tcpdump that may help you, titled "Re: Fwd:
Modifying TCP packets with libnetfilter_queue" [3].

If this works for you, perhaps a patch to include them in
libnetfilter_queue is in order.

[1] http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm
[2] http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_checksum_for_IPv4
[3] http://markmail.org/message/auqvblfqenhy4hlz

HTH,
James
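
The TCP-over-IPv4 steps described in the message above (pseudo header, zeroed checksum field, zero padding of an odd-length segment for the sum only), as an added example that is not part of the original message, the tcpdump helpers it mentions, or libnetfilter_queue. The names sum16, fold, tcp4_checksum and tcp4_verify are hypothetical, and the sample segment is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Add len octets as big-endian 16-bit words. An odd trailing octet is padded
 * with a zero octet for the sum only; the padding is never transmitted. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Fold the carries back into 16 bits, then take the one's complement. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checksum for seg (TCP header + payload, len >= 20). addrs is the 8 octets
 * of source + destination address as at offset 12 of the IPv4 header.
 * Octets 16..17, the checksum field, count as zero whatever they hold. */
uint16_t tcp4_checksum(const uint8_t *addrs, const uint8_t *seg, size_t len)
{
    uint32_t sum = sum16(addrs, 8, 6 + (uint32_t)len); /* pseudo header: proto 6 + length */
    sum = sum16(seg, 16, sum);                         /* TCP header up to the checksum */
    return fold(sum16(seg + 18, len - 18, sum));       /* remainder, field skipped */
}

/* Receiver-side check: with the stored checksum included, the result is 0. */
int tcp4_verify(const uint8_t *addrs, const uint8_t *seg, size_t len)
{
    return fold(sum16(seg, len, sum16(addrs, 8, 6 + (uint32_t)len))) == 0;
}

/* Constructed sample: 192.168.0.1:12345 -> 192.168.0.2:80, PSH|ACK, payload
 * "abc" (odd length), stale checksum 0xdead left over from before an edit. */
static const uint8_t ADDRS[8] = { 192, 168, 0, 1, 192, 168, 0, 2 };
static uint8_t SEG[23] = { 0x30, 0x39, 0, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x50, 0x18, 0x20, 0, 0xde, 0xad, 0, 0, 'a', 'b', 'c' };

int main(void)
{
    uint16_t c = tcp4_checksum(ADDRS, SEG, sizeof SEG);
    SEG[16] = (uint8_t)(c >> 8);   /* insert in network byte order */
    SEG[17] = (uint8_t)c;
    printf("checksum 0x%04x, verifies: %d\n", c, tcp4_verify(ADDRS, SEG, sizeof SEG));
}
```

In a queue handler the same call would take the address of the IPv4 source field and the start of the TCP header from the modified payload, with len equal to the IP total length minus the IP header length.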