Packet manipulation in user space

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Packet manipulation in user space
       [not found] <h2hb3f13ff81004081148n221e9728mb5a14944cf4ffd06@mail.gmail.com>
@ 2010-04-08 18:54 ` Hamid Nassiby
  2010-04-08 20:52   ` Julien Vehent
  0 siblings, 1 reply; 4+ messages in thread
From: Hamid Nassiby @ 2010-04-08 18:54 UTC (permalink / raw)
  To: netfilter

Hello,

I'm working on a project which wants to port a Windows-based network
protocol to Linux. The protocol works as a VPN/Firewall, on packets
copied from Data-Link Layer to user space. In MS Windows
WinpkFilter(C) does copying from kernel space (Data-Link layer)  to
user space and then it drops the original packet. In user space, our
protocol does some operation on packet ( e.g. checks  the packet
authority and/or encrypts/decrypts it, ...) and then injects the
packet upward to application layer or downward or simply drops it.

So our requirements are:

Capture each packet which is coming inside or going outside the
computer in Data-link Layer.
Create a copy of the packet and drop the original one.
Copy of packet must be available in user space to be manipulated by
our protocol.
After manipulation in user space, inject encrypted/decrypted version
of the privileged (copy of) packets to the network or upward to the
application layer.

And of course we want to have the minimum changes to be made on our
current protocol.

I tried raw sockets and netfilter netlink, but I didn't find a
suitable solution  which let me to drop packets or inject them upward
to the application layer. I need to know if it is possible to do this
with libraries/interfaces currently available in user space or should
I write a kernel module that does the above tasks for us?

Any guidance is pleased,
Thanks in advance,

Hamid.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Packet manipulation in user space
  2010-04-08 18:54 ` Packet manipulation in user space Hamid Nassiby
@ 2010-04-08 20:52   ` Julien Vehent
  2010-04-09  6:00     ` Hamid Nassiby
  0 siblings, 1 reply; 4+ messages in thread
From: Julien Vehent @ 2010-04-08 20:52 UTC (permalink / raw)
  To: Hamid Nassiby; +Cc: netfilter

On Thu, 8 Apr 2010 23:24:09 +0430, Hamid Nassiby <h.nassiby@gmail.com>
wrote:
> Capture each packet which is coming inside or going outside the
> computer in Data-link Layer.
> Create a copy of the packet and drop the original one.
> Copy of packet must be available in user space to be manipulated by
> our protocol.
> After manipulation in user space, inject encrypted/decrypted version
> of the privileged (copy of) packets to the network or upward to the
> application layer.
> 

libnetfilter_queue ?

http://www.netfilter.org/projects/libnetfilter_queue/index.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Packet manipulation in user space
  2010-04-08 20:52   ` Julien Vehent
@ 2010-04-09  6:00     ` Hamid Nassiby
  2010-04-09  9:02       ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Hamid Nassiby @ 2010-04-09  6:00 UTC (permalink / raw)
  To: Julien Vehent; +Cc: netfilter

On Fri, Apr 9, 2010 at 1:22 AM, Julien Vehent <julien@linuxwall.info> wrote:
> On Thu, 8 Apr 2010 23:24:09 +0430, Hamid Nassiby <h.nassiby@gmail.com>
> wrote:
>> Capture each packet which is coming inside or going outside the
>> computer in Data-link Layer.
>> Create a copy of the packet and drop the original one.
>> Copy of packet must be available in user space to be manipulated by
>> our protocol.
>> After manipulation in user space, inject encrypted/decrypted version
>> of the privileged (copy of) packets to the network or upward to the
>> application layer.
>>
>
> libnetfilter_queue ?
>
> http://www.netfilter.org/projects/libnetfilter_queue/index.html
>

Hi,

I could do the first three of above requirements, using
libnetfilter_queue. But I could not find a way to do the last of them
:

>> After manipulation  in user space, inject encrypted/decrypted version
>> of the privileged (copy of) packets to the network or upward to the
>> application layer.

Is there any solution for the above issue?


Thanks in advance,

Hamid.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Packet manipulation in user space
  2010-04-09  6:00     ` Hamid Nassiby
@ 2010-04-09  9:02       ` Jan Engelhardt
  0 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2010-04-09  9:02 UTC (permalink / raw)
  To: Hamid Nassiby; +Cc: Julien Vehent, netfilter


On Friday 2010-04-09 08:00, Hamid Nassiby wrote:
>On Fri, Apr 9, 2010 at 1:22 AM, Julien Vehent <julien@linuxwall.info> wrote:
>
>I could do the first three of above requirements, using
>libnetfilter_queue. But I could not find a way to do the last of them
>:
>
>>> After manipulation  in user space, inject encrypted/decrypted version
>>> of the privileged (copy of) packets to the network or upward to the
>>> application layer.
>
>Is there any solution for the above issue?

Reinjected packets should travel the normal network path (code-wise),
so you can use xfrm, if I am not mistaken.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-04-09  9:02 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <h2hb3f13ff81004081148n221e9728mb5a14944cf4ffd06@mail.gmail.com>
2010-04-08 18:54 ` Packet manipulation in user space Hamid Nassiby
2010-04-08 20:52   ` Julien Vehent
2010-04-09  6:00     ` Hamid Nassiby
2010-04-09  9:02       ` Jan Engelhardt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox