Hi all! I'm write a simple netfilter module which recognize a fragmented packet.
First of all, i've used hping to send frag packet to my host (local
host), in particular i create only one packet (40 byte for default,
20bytes of header and 20 bytes of payload) specifying an MTU of 4
byte, so in this way i've to receive 5 packet (20bytes/4bytes of MTU).
So, this is the piece of code
[CODE]
#define FRAG_OFF(x) ntohs(x->frag_off) & IP_OFFSET
#define MORE_FRAG(x) ntohs(x->frag_off) & IP_MF
...
printk(KERN_INFO "sk_buff len: %d\n",skb->size);
...
struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb);
...
if (FRAG_OFF || MORE_FRAG) {
printk(KERN_INFO "!!!fragmented!!!\n");
printk(KERN_INFO "frag off: %d\n",FRAG_OFF);
printk(KERN_INFO "\n\n");
}
[/CODE]
then iptables (where TAR is my new target)
[IPTABLES]
iptables -t mangle -A PREROUTING -p tcp -s localhost -j TAR
[/IPTABLES]
(note: i use mangle table to have available PREROUTING hook, where the
packets are not yet defragmented)
so hpinging in this way (-c = packets' number, -m = mtu in byte)
[HPING]
hping -m 4 -c 1 localhost
[/HPING]
Now let's a look to output
[OUTPUT]
sk_buff len: 24
!!!fragmented!!!
frag off: 0
sk_buff len: 24
!!!fragmented!!!
frag off: 0
sk_buff len: 24
!!!fragmented!!!
frag off: 1
sk_buff len: 24
!!!fragmented!!!
frag off: 1
sk_buff len: 24
!!!fragmented!!!
frag off: 2
[/OUTPUT]
As you can see, there are two couples of frag with the same frag off:
the first and the second with 0 frag_off, then the third and the
fourth with 1 frag_off.
how is it possible?
Thank you guys!
--
Nicola Padovano
e-mail: nicola.padovano@xxxxxxxxx
web: http://npadovano.altervista.org
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
