From: Oumer Teyeb <oumer@kom.auc.dk>
To: netfilter@lists.netfilter.org
Subject: Re: about ipq_set_verdict()
Date: Tue, 20 Apr 2004 16:44:52 +0200 [thread overview]
Message-ID: <40853764.2090504@kom.auc.dk> (raw)
In-Reply-To: 036e01c4227f$1611e900$68892090@grouse
In the man pages it says that if you get a negative value then it is a
failure , otherwise it is a sucess.
The reason that you may get the packets dropped may be because you
modified them in such a way that they are not valid anymore (you change
thing to an invalid ip address or something like that)
On how to get the packet info
Once you get the packet = ipq_get_packet(buffer)
you can access the packet data (including header and payload) from
memory location packet +1,
for example
you can use something like
usigned char *packet_all = (unsigned char *) (packet+1);
then for example to access the ip_header length, which is located from
bits 4-7 in the ip header you can use something like
ip_header_len = (*packet_all & 0xF) * 4; // the 4 is since the header
length is specified as a multiple of 32bits,ie 4 bytes
or you can get the total length, which is the third and fourth bytes of
the header as
total_len = htons(*(unsigned short *) (packet_all + 2)))
and so on,
and based on the value of this ip header length and the data offset in
the tcp header,
(to find the data offset in the tcp header you can use something like
tcp_header_len = ((*(packet_all + ip_header_len + 12 ) & 0xF0) >> 4 )*
4; // the 12 is because we have 2 bytes for source port + 2 bytes for
destination port, 4 bytes for sequence number and 4 bytes for ack number
in the tcp header before we reach the data offset
so the data payload is from unsinged char *start = (packet_all +
ip_header_len+ tcp_header_len) till unsinged char *end = start + total_len
and I think you can just set the values of the packet, whether header or
payload, once you got a pointer to it
Jee J.Z. wrote:
>Hi all,
>
>I am using the libipq library to do userspace programming on netfilter. I am
>having some problems understanding the return values of the function
>ipq_set_verdict():
>
>When I set verdict (either NF_ACCEPT or NF_DROP) without modifying the
>packet, the return value of ipq_set_verdict is 28 and everything works well;
>however, when I set verdict trying to modify the packet, ipq_set_verdict
>returns 88, and the packet seems always to be dropped even when I set
>NF_ACCEPT.
>
>Does anybody know what these return values mean? Moreover, could anybody
>tell me how I can successfully modify a packet using libipq? Thank you very
>much in advance!!
>
>Regards,
>Jee
>
>
>
next prev parent reply other threads:[~2004-04-20 14:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-15 0:17 about ipq_set_verdict() Jee J.Z.
2004-04-20 14:44 ` Oumer Teyeb [this message]
2004-04-20 15:39 ` Jee J.Z.
2004-04-21 6:56 ` Oumer Teyeb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40853764.2090504@kom.auc.dk \
--to=oumer@kom.auc.dk \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox