Re: Modifying packets in userspace using libnetfilter_queue

Hi,

On Thursday, 30 July 2009 at 09:18 -0500, Srinivasan, Suman (Suman) CTR wrote:
> Hi all,
> 
> Sorry for this elementary question, but I am new to the world of packet modification. I browsed the recent netfilter-devel archives and couldn't find much on this topic.
> 
> I am trying to modify TCP packets in userspace. I know it is inefficient to do it in userspace, but I just need a prototype to test for now.

For testing, the easiest way is: http://software.inl.fr/trac/wiki/nfqueue-bindings

You can do a proof of concept in Python, Perl, ... For an example of packet
modification:
http://git.inl.fr/cgi-bin/gitweb.cgi?p=nfqueue-bindings.git;a=blob;f=examples/rewrite.py;h=4086734e4483edd009f8333a1cc4d023a365a797;hb=HEAD


> I couldn't find much documentation on doing this, except for the documentation on the following URL, the nfqnl_test.c file and some modifications on some mailing lists:
> http://www.nufw.org/doc/libnetfilter_queue/
> 
> I have gotten this far:
> 1. Have set up iptables rules to send the TCP packets I want to intercept down a NFQUEUE queue. 
> 2. Am able to use nfqnl_test.c to receive and print out packet info. 
> 3. Used netinet/tcp.h and sample code to check TCP headers 
> 4. Able to print out TCP payload using TCP and IP header information 
> 5. Able to modify the TCP payload (or at least the copy) 
>  
> However, the modified packets are not really being transmitted! I assume this is because I am getting a copy of the packets or the packet data. Other than getting/setting the TCP and payload data, the rest of the code to intercept the packet is still the basic nfqnl_test.c code.
> 
> How do I actually modify the packet in userspace so that it is sent out over the network?
> 
> Also, if I modify the TCP packets and add more data to the payload, what would I change? I assume that I would only have to change the following:
> 
> - TCP payload length
> - Checksum
> - IP length (?, would I have to touch this field)
> 
> Is there anything else that I am not thinking of?

Yes, you need to manually recompute all checksums and lengths, and send the
decision with nfq_set_verdict, providing a pointer to the modified data and
the data length to the function.

> 
> By the way, the documentation available out there is a little hard for a newcomer to the world of iptables/netfilter. I'm getting a little lost with all the talk about libipq, libiptc, etc. Is there any documentation on the history of iptables/netfilter and which libraries have been retired or are still active?
> 

In short: ip_queue is deprecated and replaced by libnetfilter_queue.


BR,
-- 
Éric Leblond <eric@xxxxxx>
EdenWall, http://www.edenwall.com/
NuFW, http://www.nufw.org

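The recompute-and-resubmit step described in the reply above, as an added example that is not code from the thread or from libnetfilter_queue: after a payload rewrite on a constructed IPv4/TCP packet it fixes the IP total length, the IP header checksum and the TCP checksum (pseudo-header included), and returns the length that nfq_set_verdict expects together with the buffer. The nfq callback itself only appears in a comment so the example compiles without the libnetfilter_queue headers; the sample packet and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* One's-complement sum of a byte range, accumulated into 32 bits. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
/* TCP checksum over the pseudo-header (src, dst, zero, proto, TCP length) + segment. */
static uint16_t tcp_csum(const uint8_t *pkt, size_t ihl, size_t tcplen) {
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8); pseudo[8] = 0; pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)tcplen);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), pkt + ihl, tcplen));
}
/* Replace the TCP payload of the IPv4/TCP packet in pkt (capacity cap) and fix every field
 * depending on it: IP total length, IP header checksum, TCP checksum.  Returns the new
 * length to pass to nfq_set_verdict(qh, id, NF_ACCEPT, len, pkt), or -1 on bad input. */
long rewrite_tcp_payload(uint8_t *pkt, size_t cap, size_t pkt_len,
                         const uint8_t *payload, size_t plen) {
    if (pkt_len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt_len < ihl + 20) return -1;
    size_t doff = (pkt[ihl + 12] >> 4) * 4, len = ihl + doff + plen;
    if (doff < 20 || pkt_len < ihl + doff || len > cap || len > 0xffff) return -1;
    memcpy(pkt + ihl + doff, payload, plen);
    put16(pkt + 2, (uint16_t)len);                                    /* IP total length */
    pkt[10] = pkt[11] = 0; put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));  /* IP csum */
    pkt[ihl + 16] = pkt[ihl + 17] = 0; put16(pkt + ihl + 16, tcp_csum(pkt, ihl, doff + plen));
    return (long)len;
}
/* 1 if both the IP header checksum and the TCP checksum verify (sum folds to zero). */
int checksums_valid(const uint8_t *pkt, size_t len) {
    size_t ihl = len < 20 ? 0 : (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    return csum_fold(csum_add(0, pkt, ihl)) == 0 && tcp_csum(pkt, ihl, len - ihl) == 0;
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header + "hi", checksums unset. */
size_t build_sample_packet(uint8_t *buf, size_t cap) {
    static const uint8_t hdr[40] = {
        0x45,0,0,42, 0,1,0,0, 64,6,0,0, 192,168,0,1, 192,168,0,2,              /* IPv4 */
        0x04,0xd2, 0,80, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0 };    /* TCP */
    if (cap < 42) return 0;
    memcpy(buf, hdr, 40); memcpy(buf + 40, "hi", 2);
    return 42;
}
```

When the payload grows, the buffer handed to nfq_set_verdict must have room for it, which is why the function takes the capacity separately from the current packet length.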

