Is it possible to access ip fragments with libnetfilter_queue?

Is it possible to access ip fragments with libnetfilter_queue?

[Michael Fomichev]

Hello,

I am using libnetfilter_queue in C to capture packets. I am setting an
iptable rule to queue the incoming packets that would later be
processed by the userspace implementation like this: iptables -A INPUT
-j NFQUEUE --queue-num 0. I used nfqnl_test.c example as a framework
to implement the capture. Everything works as expected. However, I
noticed that it is impossible to inspect the queue on the level of ip
fragments. That is, if a packet is coming in fragments it is first
reassembled before being put into the queue. But I would like to work
with fragments. So is there a way to enforce that kind of behavior?
What I want to have is a queue where I could observe raw incoming
packets (both fragmented and unfragmented) so I would be able to act
on them accordingly.

I read that the reassembly indeed happens before. On the other hand,
with iptables there is -f flag available so there should be a
"fragmentation granularity" which I am looking for. I also tried
adjusting iptable rules (e.g. iptables -t raw -D PREROUTING -i eth0 -j
NFQUEUE --queue-num 0), but the result is still the same. I can only
observe already reassembled packet which I definitely know that
arrives in fragments.

Any help is really appreciated

Best regards,

Michael

Re: Is it possible to access ip fragments with libnetfilter_queue?

[Adel Belhouane]

Le 28/04/2015 09:39, Michael Fomichev a écrit :
> Hello,
>
> I am using libnetfilter_queue in C to capture packets. I am setting an
> iptable rule to queue the incoming packets that would later be
> processed by the userspace implementation like this: iptables -A INPUT
> -j NFQUEUE --queue-num 0. I used nfqnl_test.c example as a framework
> to implement the capture. Everything works as expected. However, I
> noticed that it is impossible to inspect the queue on the level of ip
> fragments. That is, if a packet is coming in fragments it is first
> reassembled before being put into the queue. But I would like to work
> with fragments. So is there a way to enforce that kind of behavior?
> What I want to have is a queue where I could observe raw incoming
> packets (both fragmented and unfragmented) so I would be able to act
> on them accordingly.

[...]

 > "fragmentation granularity" which I am looking for. I also tried
 > adjusting iptable rules (e.g. iptables -t raw -D PREROUTING -i eth0 -j
 > NFQUEUE --queue-num 0), but the result is still the same. I can only

Defragmentation has the lowest priority in include/uapi/linux/netfilter_ipv4.h:
NF_IP_PRI_CONNTRACK_DEFRAG = -400
This is even before the RAW priority (-300), so iptables can't work before 
defragmentation, unless of course nf_defrag_ipv4 isn't loaded, that is you 
don't use connection tracking at all, which I'd doubt.

Try with nft/nftables, because you can choose the hook priority with nft. The 
nft rules shouldn't interfere with iptables rules, both can be loaded and be 
working together. I chose priority -450 because -450 < -400 , so it will run 
before nf_defrag_ipv4 and I called it predefrag.

# nft -i
nft> add table filter
nft> add chain filter predefrag { type filter hook prerouting priority -450; }
nft> add filter predefrag meta iif eth0 counter queue num 0 bypass

When I run nfqnl_test, if I switch from ping -s 1472 to ping -s 1473 (ethernet 
size from 1500 to 1501) from an other box, I go from 1 packet with 
payload_len=1500 to two packets (payload_len 1500 and 21).
With priority -300 I get only one packet with payload_len 1501. Appears to be 
working!

Normally (in all the examples...) the priority should be -300. I don't know if 
there's any side effect when using -450.

Relevant documentation:
http://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
http://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace

>
> Any help is really appreciated
>
> Best regards,
>
> Michael

Best regards,
Adel