IP layer send packet

June 19, 2008 - 6:34am
Submitted by Anonymous on June 19, 2008 - 6:34am.
Linux

Hi kernel experts,

I'm trying to modify the IP packet src & dest address after receiving it from the wire, reconstruct the packet at the kernel layer without going to the apps layer, and ultimately send out the packet. So, the recommended API to be used is ip_finish_output() (as it is the only exported symbol to send UDP packets). However, since the IP header contents are changed, the system must automatically recalculate the checksum and needs the MAC address as well, and most of the time the MAC address of unknown hosts.

Currently, when I try, I need to invoke MAC address resolution via ARP by manually calling neigh_lookup for an existing ARP entry before sending the packet by calling dev_queue_xmit().

My question is: how can I change (dest/src IP and port number) before ip_finish_output() by accessing a specific struct, should I want to send the packet to unknown hosts (unknown means remote hosts that do not have an ARP entry in the local host's ARP table) by calling ip_finish_output()?

Thank you very much for your advice.

Ever heard of Divert-Socket?

June 20, 2008 - 4:18am

Maybe divert-sockets can help you.

4. Introduction

Ever wish you could intercept packets traveling up or down the IP stack of your host? And I'm not talking about listening in, like raw sockets or libpcap (tcpdump). I mean literally stop the packet from further propagating through the IP stack and then (possibly after some changes), reinjecting it back? Well, the time to dream is over, because divert sockets for Linux are here!

Divert sockets do exactly that - they filter out certain packets based on firewall specifications and bring them to you in user space. You then have the freedom of simply reinjecting them back as if nothing happened, mangling them first and then reinjecting them, or not reinjecting them at all.

As the name suggests, this mechanism utilizes a special type of RAW socket called divert (IPPROTO_DIVERT) that allows you to receive and send on them just like regular sockets. The difference is that a divert socket is bound to a port, into which the firewall can be instructed to send certain packets. Anything that a firewall can filter out can be sent into a divert socket.

What do you think?

Thanks for your suggestion.

June 23, 2008 - 10:10pm
Anonymous (not verified)

Thanks for your suggestion. But it might not work for me because the control of the socket is not on my side, which means I don't control the opening and closing of the socket, and hence I don't reserve the right to open IPPROTO_DIVERT. I just intercept at the IP stack and do my work.

Any other suggestions?

'control of the socket'

June 23, 2008 - 11:06pm

Your answer seems to imply that the user space programs whose traffic you want to intercept have to set IPPROTO_DIVERT and you have no control over these programs.

But it is the other way round: you write a user space program, like the example in the (slightly old, but you can google yourself, I think) howto http://www.faqs.org/docs/Linux-mini/Divert-Sockets-mini-HOWTO.html
that opens a divert socket to get the packets you want to mangle, and reinjects the mangled packets. So you open the divert socket in the interceptor program. You don't have to write a single line of kernel code. But if you are allowed to even run your own kernel code on the machine, you should also have the root rights needed for opening divert sockets.
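Added example, not part of any post in this thread and not code from the HOWTO: the mangle step an interceptor would run between receiving and reinjecting a packet, rewriting the addresses and ports of an IPv4/UDP packet and recomputing the IP header and UDP checksums that the original question says must change with the header. The names `mangle_udp`, `csum_add`, `csum_fold`, `put16` and the sample packet are constructed for illustration; socket setup is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum of big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;   /* pad odd byte */
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Rewrite src/dst address and ports of an unfragmented IPv4/UDP packet in
 * place and recompute both checksums. Returns 0, or -1 if it refuses. */
int mangle_udp(uint8_t *pkt, size_t len, const uint8_t src[4],
               const uint8_t dst[4], uint16_t sport, uint16_t dport) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u, tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 8 || pkt[9] != 17) return -1;
    if ((pkt[6] & 0x3f) | pkt[7]) return -1;   /* MF set or offset != 0 */
    uint8_t *udp = pkt + ihl;
    size_t ulen = ((size_t)udp[4] << 8) | udp[5];
    if (ulen < 8 || ulen > tot - ihl) return -1;
    memcpy(pkt + 12, src, 4);
    memcpy(pkt + 16, dst, 4);
    put16(udp, sport);
    put16(udp + 2, dport);
    put16(pkt + 10, 0);                        /* zero field, then sum header */
    put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    put16(udp + 6, 0);
    /* UDP sum also covers the pseudo-header: src, dst, protocol, UDP length */
    uint32_t sum = csum_add(0, pkt + 12, 8) + 17 + (uint32_t)ulen;
    uint16_t c = csum_fold(csum_add(sum, udp, ulen));
    put16(udp + 6, c ? c : 0xffff);            /* 0 on the wire means "none" */
    return 0;
}
/* Constructed sample: 192.0.2.1:1234 -> 192.0.2.2:5678, payload "ping". */
uint8_t sample_pkt[32] = {
    0x45, 0, 0, 32, 0, 1, 0, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x04, 0xd2, 0x16, 0x2e, 0, 12, 0, 0, 'p', 'i', 'n', 'g' };

int main(void) {
    const uint8_t src[4] = {198, 51, 100, 7}, dst[4] = {203, 0, 113, 9};
    int rc = mangle_udp(sample_pkt, sizeof sample_pkt, src, dst, 4000, 53);
    printf("rc=%d ip_csum=%02x%02x\n", rc, sample_pkt[10], sample_pkt[11]);
    return rc;
}
```

Fragments are refused because the UDP checksum spans the whole datagram and cannot be recomputed from one fragment.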

strcmp Is Right

June 25, 2008 - 6:08am

Yes, strcmp is right.

Using IPPROTO_DIVERT will be much easier for you.

Cogito ergo...

June 20, 2008 - 8:30am
Anonymous (not verified)

I think that you could do your packet handling as a Netfilter target.

Sorry. can you elaborate

June 23, 2008 - 10:12pm
Anonymous (not verified)

Sorry, can you elaborate more on your point? I can't quite get it. Do you mean that I should process my packets in netfilter?

Thank you.

RTFriendlyM

June 24, 2008 - 2:08am
Annoyingmouse (not verified)

Netfilter documentation.

These docs are over 5 years

June 24, 2008 - 4:01pm
Anonymous (not verified)

These docs are over 5 years old and most likely do not lead to working code. Try searching for that "Writing your own Netfilter modules".

netfilter.org "how-to" read

July 3, 2008 - 10:56am

netfilter.org

"how-to" read it u will find how to intercept packets??

read about hooks in above :::

And you, my foreposter, read

July 4, 2008 - 6:36am
Anonymous (not verified)

And you, my foreposter, read about writing proper phrases.

Ugh

July 8, 2008 - 4:27pm
Anonymous (not verified)

If you're going to be a dick, at least be productive. If you don't have anything to add, please, just keep your hands off of the keyboard.
