Hi guys,

As a new kernel module developer, I need to develop a module which would transparently redirect traffic that matches some rules. Say I want all the traffic to IP address 1.1.1.1 to actually go to 2.2.2.2. This sounds like some kind of DNAT, and I can get it working using iptables, like

    iptables -t nat -A OUTPUT -p tcp -d 1.1.1.1 -j DNAT --to 2.2.2.2

but I cannot make it work in a kernel module. The following code snippet is my try:

unsigned int send_hook_func(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    /* ...some details omitted */
    if (iph->protocol == IPPROTO_TCP && match_the_dst_ip(iph)) {
        update_dst_ip_header(iph); // set dst from 1.1.1.1 to 2.2.2.2
        update_ip_checksum(iph);
    }
    return NF_ACCEPT;
}

unsigned int recv_hook_func(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    /* ...some details omitted */
    if (iph->protocol == IPPROTO_TCP && match_the_src_ip(iph)) {
        update_src_ip_header(iph); // set src from 2.2.2.2 to 1.1.1.1
        update_ip_checksum(iph);
    }
    return NF_ACCEPT;
}

static inline int init_recv_hook(void)
{
    nfho_recv.hook = recv_hook_func;
    nfho_recv.hooknum = NF_INET_LOCAL_IN;
    nfho_recv.pf = PF_INET;
    nfho_recv.priority = NF_IP_PRI_FIRST;
    return nf_register_net_hook(&init_net, &nfho_recv);
}

static int init_send_hook(void)
{
    nfho_send.hook = send_hook_func;
    nfho_send.hooknum = NF_INET_LOCAL_OUT;
    nfho_send.pf = PF_INET;
    nfho_send.priority = NF_IP_PRI_FIRST;
    return nf_register_net_hook(&init_net, &nfho_send);
}

The problem is that the host can send out the SYN packet, but the target (2.2.2.2) never receives the packets. Is this the correct approach? Do I use the correct hooknum and the correct priority?

Thanks very much.
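Added example, not from the post or from the kernel tree: a user-space C model of the rewrite that send_hook_func performs, showing that changing the IPv4 destination invalidates the TCP checksum as well as the IP header checksum, because the TCP pseudo-header covers both addresses, whereas the posted hooks only call update_ip_checksum. The packet bytes are constructed, and csum_replace4() here reimplements the RFC 1624 incremental update that the kernel's csum_replace4()/inet_proto_csum_replace4() helpers provide.

```c
#include <stdint.h>
#include <string.h>
static uint8_t pkt[40];  /* constructed IPv4+TCP SYN, 10.0.0.5 -> 1.1.1.1, built by build_packet() */
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* One's-complement running sum over big-endian 16-bit words; finish() folds and inverts it. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t s) {
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1) s += (uint32_t)p[len - 1] << 8;
    return s;
}
static uint16_t finish(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Both return 0 when the checksum field currently in the packet is valid. */
static uint16_t ip_csum(const uint8_t *ip) { return finish(sum16(ip, 20, 0)); }
static uint16_t tcp_csum(const uint8_t *ip) {
    uint32_t s = sum16(ip + 12, 8, 6 + 20);  /* pseudo-header: src, dst, protocol 6, TCP length 20 */
    return finish(sum16(ip + 20, 20, s));
}
/* RFC 1624 incremental update for one 4-byte field, HC' = ~(~HC + ~m + m'); csum_replace4() does this in the kernel. */
static uint16_t csum_replace4(uint16_t old, uint32_t from, uint32_t to) {
    uint32_t s = (uint16_t)~old;
    s += (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xffff);
    s += (to >> 16) + (to & 0xffff);
    return finish(s);
}
static void build_packet(void) {
    static const uint8_t hdr[40] = {
        0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 5, 1, 1, 1, 1,         /* IPv4 header, checksum 0 */
        0xc0, 0, 0, 80, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 }; /* TCP SYN, checksum 0 */
    memcpy(pkt, hdr, sizeof pkt);
    wr16(pkt + 10, ip_csum(pkt));
    wr16(pkt + 36, tcp_csum(pkt));
}
/* Rewrite dst 1.1.1.1 -> 2.2.2.2 as in the post, patching the TCP checksum only when fix_tcp is set.
 * Returns 1 only if both checksums are still valid afterwards. */
int dnat_demo(int fix_tcp) {
    uint32_t old_dst, new_dst = 0x02020202u;
    build_packet();
    old_dst = rd32(pkt + 16);
    wr32(pkt + 16, new_dst);
    wr16(pkt + 10, csum_replace4(rd16(pkt + 10), old_dst, new_dst));
    if (fix_tcp) wr16(pkt + 36, csum_replace4(rd16(pkt + 36), old_dst, new_dst));
    return ip_csum(pkt) == 0 && tcp_csum(pkt) == 0;
}
```

dnat_demo(1) returns 1 and dnat_demo(0) returns 0, so a receiver would discard the segment produced by the IP-checksum-only rewrite. At NF_INET_LOCAL_OUT the routing decision has already been made, so a hook that rewrites the destination also has to re-route the skb (the kernel NAT code does this with ip_route_me_harder()), which no checksum fix covers.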