[NFQUEUE] Help with program that changes DHCP payload

[NFQUEUE] Help with program that changes DHCP payload

[Vincent Arniego]

Hi Everyone,

I'm kinda new here and I would like some help regarding
 netfilter_queue. If this is asked already, forgive me I didn't see it in the archives.

I'm making a program that changes the value of an attribute in the DHCP
 payload.
I'm using nfqueue to intercept the packet, change the content of the
 payload and resend it again to DHCP
which resides in the same server as the firewall. Why am I doing this?
 I'm making a pseudo option 82 using a translated bridge (which the mac
 is unchangeable) but I'm using the hostname attribute instead.

So far, I was able to change the content of the hostname attribute of
 the payload, and I checked the packet again
just to be sure its sending the correct content. I use nfq_set_verdict
 to resend the packet with the modified payload.

But it didn't work.

The next thing is did *just to be sure is just changing the TTL value
 of the IP header, then resending again, but it seems its not working. I
 used ethereal to capture the packets that are coming in after
 modification. And yes I checksummed it.

These are my questions:

1. My firewall rule to intercept the packets is in the PREROUTING
 chain, mangle table.Is this the correct way?
2. The packets that are captured by ethereal, are these the packets
 before modification or after? (just to be sure I'm looking it the right
 way)
3. What can I do to verify if the packets are indeed modified?

If anyone need a snippet of the code, for everyone, I'll just send it
 in a reply email.

Thanks in advanced guys.



      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Re: [NFQUEUE] Help with program that changes DHCP payload

[Ashok Rao]

Have you looked at the Figures in Oskar Andersson's tutorial on
iptables (available through a link on www.netfilter.org)  - they show
the sequence of tables and chains which are encountered by a packet on
it's way in, out, or when forwarded. IMHO that tutorial is mandatory
reading for anyone trying to work seriously with iptables.

From your email below, I couldn't make out if your program was
accepting packets or sending out packets  - if indeed you are
capturing incoming packets - modifying them and them sending it to the
DHCP process on the same machine - ethereal will never see the
modified packets - unless you are sending them back on the wire again.

Ashok

On Jan 29, 2008 10:58 PM, Vincent Arniego <vincent_arniego@yahoo.com> wrote:
>
>
>
> Hi Everyone,
>
> I'm kinda new here and I would like some help regarding
>  netfilter_queue. If this is asked already, forgive me I didn't see it in the archives.
>
> I'm making a program that changes the value of an attribute in the DHCP
>  payload.
> I'm using nfqueue to intercept the packet, change the content of the
>  payload and resend it again to DHCP
> which resides in the same server as the firewall. Why am I doing this?
>  I'm making a pseudo option 82 using a translated bridge (which the mac
>  is unchangeable) but I'm using the hostname attribute instead.
>
> So far, I was able to change the content of the hostname attribute of
>  the payload, and I checked the packet again
> just to be sure its sending the correct content. I use nfq_set_verdict
>  to resend the packet with the modified payload.
>
> But it didn't work.
>
> The next thing is did *just to be sure is just changing the TTL value
>  of the IP header, then resending again, but it seems its not working. I
>  used ethereal to capture the packets that are coming in after
>  modification. And yes I checksummed it.
>
> These are my questions:
>
> 1. My firewall rule to intercept the packets is in the PREROUTING
>  chain, mangle table.Is this the correct way?
> 2. The packets that are captured by ethereal, are these the packets
>  before modification or after? (just to be sure I'm looking it the right
>  way)
> 3. What can I do to verify if the packets are indeed modified?
>
> If anyone need a snippet of the code, for everyone, I'll just send it
>  in a reply email.
>
> Thanks in advanced guys.
>
>
>
>
>      ____________________________________________________________________________________
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Ashok Rao

Great Arbor Communications
8818 Tallyho Trail
Potomac, MD
Tel: 301-547-3483
Cell: 703-989-6494
email: greatarbor@gmail.com
www.greatarbor.com

Re: [NFQUEUE] Help with program that changes DHCP payload

[Martijn Lievaart]

Vincent Arniego wrote:
>
> Hi Everyone,
>
> I'm kinda new here and I would like some help regarding
>  netfilter_queue. If this is asked already, forgive me I didn't see it in the archives.
>
> I'm making a program that changes the value of an attribute in the DHCP
>  payload.
> I'm using nfqueue to intercept the packet, change the content of the
>  payload and resend it again to DHCP
> which resides in the same server as the firewall. Why am I doing this?
>  I'm making a pseudo option 82 using a translated bridge (which the mac
>  is unchangeable) but I'm using the hostname attribute instead.
>   

Stop right there. The ISC DHCP server does very funky stuff to see 
packets addressed to 0.0.0.0. This means those packets do not go through 
netfilter. I bet this is at the root of your problem.

I cannot think of a quick way to change this. Maybe hacking at dhcrelay 
sources is an better option.

HTH,
M4

Re: [NFQUEUE] Help with program that changes DHCP payload

[Vincent Arniego]

Yup checked it out, I got the netfilter flow.

I put a nfqueue program in the prerouting  and in the input, filter table
I was able to see the modified packet.

The DHCP server resides on the same server as the firewall so I manipulate the incoming packets.
I experimented with just changing the TOS after looking at the ipq_client.c program.
And I was able to see the change in the input filter.

I'm going to check the program further.
I'm not sure a relay server is feasible at the current setup. That's why I'm sorting to this pseudo option 82 solution.

----- Original Message ----
From: Ashok Rao <greatarbor@gmail.com>
To: Vincent Arniego <vincent_arniego@yahoo.com>; netfilter@vger.kernel.org
Sent: Wednesday, January 30, 2008 9:28:16 PM
Subject: Re: [NFQUEUE] Help with program that changes DHCP payload


Have 
you 
looked 
at 
the 
Figures 
in 
Oskar 
Andersson's 
tutorial 
on
iptables 
(available 
through 
a 
link 
on 
www.netfilter.org)  
- 
they 
show
the 
sequence 
of 
tables 
and 
chains 
which 
are 
encountered 
by 
a 
packet 
on
it's 
way 
in, 
out, 
or 
when 
forwarded. 
IMHO 
that 
tutorial 
is 
mandatory
reading 
for 
anyone 
trying 
to 
work 
seriously 
with 
iptables.

From 
your 
email 
below, 
I 
couldn't 
make 
out 
if 
your 
program 
was
accepting 
packets 
or 
sending 
out 
packets  
- 
if 
indeed 
you 
are
capturing 
incoming 
packets 
- 
modifying 
them 
and 
them 
sending 
it 
to 
the
DHCP 
process 
on 
the 
same 
machine 
- 
ethereal 
will 
never 
see 
the
modified 
packets 
- 
unless 
you 
are 
sending 
them 
back 
on 
the 
wire 
again.

Ashok

On 
Jan 
29, 
2008 
10:58 
PM, 
Vincent 
Arniego 
<vincent_arniego@yahoo.com> 
wrote:
>
>
>
> 
Hi 
Everyone,
>
> 
I'm 
kinda 
new 
here 
and 
I 
would 
like 
some 
help 
regarding
>  
netfilter_queue. 
If 
this 
is 
asked 
already, 
forgive 
me 
I 
didn't 
see 
it 
in 
the 
archives.
>
> 
I'm 
making 
a 
program 
that 
changes 
the 
value 
of 
an 
attribute 
in 
the 
DHCP
>  
payload.
> 
I'm 
using 
nfqueue 
to 
intercept 
the 
packet, 
change 
the 
content 
of 
the
>  
payload 
and 
resend 
it 
again 
to 
DHCP
> 
which 
resides 
in 
the 
same 
server 
as 
the 
firewall. 
Why 
am 
I 
doing 
this?
>  
I'm 
making 
a 
pseudo 
option 
82 
using 
a 
translated 
bridge 
(which 
the 
mac
>  
is 
unchangeable) 
but 
I'm 
using 
the 
hostname 
attribute 
instead.
>
> 
So 
far, 
I 
was 
able 
to 
change 
the 
content 
of 
the 
hostname 
attribute 
of
>  
the 
payload, 
and 
I 
checked 
the 
packet 
again
> 
just 
to 
be 
sure 
its 
sending 
the 
correct 
content. 
I 
use 
nfq_set_verdict
>  
to 
resend 
the 
packet 
with 
the 
modified 
payload.
>
> 
But 
it 
didn't 
work.
>
> 
The 
next 
thing 
is 
did 
*just 
to 
be 
sure 
is 
just 
changing 
the 
TTL 
value
>  
of 
the 
IP 
header, 
then 
resending 
again, 
but 
it 
seems 
its 
not 
working. 
I
>  
used 
ethereal 
to 
capture 
the 
packets 
that 
are 
coming 
in 
after
>  
modification. 
And 
yes 
I 
checksummed 
it.
>
> 
These 
are 
my 
questions:
>
> 
1. 
My 
firewall 
rule 
to 
intercept 
the 
packets 
is 
in 
the 
PREROUTING
>  
chain, 
mangle 
table.Is 
this 
the 
correct 
way?
> 
2. 
The 
packets 
that 
are 
captured 
by 
ethereal, 
are 
these 
the 
packets
>  
before 
modification 
or 
after? 
(just 
to 
be 
sure 
I'm 
looking 
it 
the 
right
>  
way)
> 
3. 
What 
can 
I 
do 
to 
verify 
if 
the 
packets 
are 
indeed 
modified?
>
> 
If 
anyone 
need 
a 
snippet 
of 
the 
code, 
for 
everyone, 
I'll 
just 
send 
it
>  
in 
a 
reply 
email.
>
> 
Thanks 
in 
advanced 
guys.
>
>
>
>
>  
  
  
____________________________________________________________________________________
> 
Looking 
for 
last 
minute 
shopping 
deals?
> 
Find 
them 
fast 
with 
Yahoo! 
Search.  
http://tools.search.yahoo.com/newsearch/category.php?category=shopping
> 
-
> 
To 
unsubscribe 
from 
this 
list: 
send 
the 
line 
"unsubscribe 
netfilter" 
in
> 
the 
body 
of 
a 
message 
to 
majordomo@vger.kernel.org
> 
More 
majordomo 
info 
at  
http://vger.kernel.org/majordomo-info.html
>



-- 
Ashok 
Rao

Great 
Arbor 
Communications
8818 
Tallyho 
Trail
Potomac, 
MD
Tel: 
301-547-3483
Cell: 
703-989-6494
email: 
greatarbor@gmail.com
www.greatarbor.com





      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Re: [NFQUEUE] Help with program that changes DHCP payload

[Vincent Arniego]

Stop 
right 
there. 
The 
ISC 
DHCP 
server 
does 
very 
funky 
stuff 
to 
see 
packets 
addressed 
to 
0.0.0.0. 
This 
means 
those 
packets 
do 
not 
go 
through 
netfilter. 
I 
bet 
this 
is 
at 
the 
root 
of 
your 
problem.

-- it actually does, I experimented with just changing the TOS of the UDP packet and somehow
I was successful. Though I have to take note that somehow, DHCP is still able to send a DHCP reply
even if the nfqueue program is running, maybe you're right about that as well.

I 
cannot 
think 
of 
a 
quick 
way 
to 
change 
this. 
Maybe 
hacking 
at 
dhcrelay 
sources 
is 
an 
better 
option.

-- too bad a dhcrelay in between is not feasible at the moment, I am thinking about this actually.
I'll check if I'm able to do this somehow, but I doubt it if its implementable.

Thanks for the help.

HTH,
M4

-
To 
unsubscribe 
from 
this 
list: 
send 
the 
line 
"unsubscribe 
netfilter" 
in
the 
body 
of 
a 
message 
to 
majordomo@vger.kernel.org
More 
majordomo 
info 
at  
http://vger.kernel.org/majordomo-info.html





      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs