Hi,

I am trying to do something similar; if anyone wants, I can send the code snippets. I start a telnet session between two hosts, then capture a packet in between and try to send back an RST segment. I do the checksum calculation and all myself (both IP and TCP).

1. NF_IP_LOCAL_OUT queues the packet to user space.
2. User space reads it using ipq_read, modifies the packet, then sets a verdict of NF_ACCEPT.
3. This packet is now caught at NF_IP_POST_ROUTING. I call netif_rx for that skb from here and return NF_STOLEN from the hook callback function of NF_IP_POST_ROUTING.
4. What happens after that is not clear to me. Surely the RST I sent doesn't reach the TCP connection it was intended for, and hence the packet is dropped somewhere by the kernel. When and where is a problem for me; any idea how I can figure that out?

Also Sven, about the problem I talked about yesterday, POST_ROUTING not getting the packet after LOCAL_OUT queued it to user space: I overcame that problem, but only after I started setting the mark to a particular value in the NF_IP_LOCAL_OUT hook function itself, before queuing the packet to user space. Earlier I was setting ipq_packet_msg->mark = THAT VALUE inside the user-level program.

Hence, these are my doubts:

ipq_packet_msg->mark, i.e. all the fields in ipq_packet_msg: can we modify them in user space and inject the "modified" packet back into the kernel? I don't think this is possible with the ipq_packet_msg->mark field; that is just for reading.

Also, if I want to modify the packet before setting a verdict of NF_ACCEPT, how do I do it? The IP header starts from (unsigned char *)(packet+1), am I right? Once I modify the contents here, say interchange the src and dest IP, and then set the verdict to NF_ACCEPT, the packet that is actually injected has the changed values.

regards
Amit

"Kotatsu" <naughtydog@xxxxxxxxxxx>@lists.netfilter.org on 06/02/2004 12:09:44 AM
Sent by: netfilter-admin@xxxxxxxxxxxxxxxxxxx
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
cc:
Subject: Resend TCP segment modified to the sender

Hi guys,

I have a problem. I have a client (192.168.9.2) that sends TCP segments to a server (192.168.11.2). Between these PCs there is a Linux router that captures all the segments and does the forwarding. I want it to take a client packet (the 10th TCP data packet sent, for example), modify it as I want, and then resend it to the client with ipq_set_verdict. Is this operation possible? Or can netfilter only send the modified packet to the server? If it's possible, which field must I modify to do this (I've tried to modify some flag but it doesn't work)?

Thanks for your help
Best regards
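
Both messages involve editing the raw IPv4/TCP bytes handed to user space and re-injecting them, which only works if the IP and TCP checksums match the edited bytes. The following is an added example, not code from either poster: it recomputes both checksums after an in-place edit and reports whether they changed, which shows that swapping source and destination alone leaves them untouched while any other edit does not. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed sample: IPv4 192.168.9.2 -> 192.168.11.2, TCP 1025 -> 23,
 * 4 payload bytes, both checksum fields left zero. */
uint8_t sample_pkt[44] = {
    0x45,0x00,0x00,0x2c,0x00,0x01,0x40,0x00,0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x09,0x02,0xc0,0xa8,0x0b,0x02, 0x04,0x01,0x00,0x17,0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00,0x50,0x18,0x10,0x00,0x00,0x00,0x00,0x00, 'l','s','\r','\n' };
/* RFC 1071 one's-complement sum over len bytes, continuing from sum. */
static uint32_t ocsum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;          /* odd byte, zero padded */
    return sum;
}
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Bounds-check the buffer; returns the IP header length, 0 if not IPv4/TCP. */
static size_t parse(const uint8_t *ip, size_t len, size_t *tot) {
    if (len < 40 || ip[0] >> 4 != 4 || ip[9] != 6) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    *tot = (size_t)ip[2] << 8 | ip[3];            /* IP total length */
    return (ihl >= 20 && *tot <= len && *tot >= ihl + 20) ? ihl : 0;
}
/* Rewrite the IP and TCP checksums after an in-place edit.
 * Returns 1 if either changed, 0 if both were already right, -1 if malformed. */
int fix_checksums(uint8_t *ip, size_t len) {
    size_t tot, ihl = parse(ip, len, &tot);
    uint8_t old[4];
    if (!ihl) return -1;
    memcpy(old, ip + 10, 2); memcpy(old + 2, ip + ihl + 16, 2);
    memset(ip + 10, 0, 2);   memset(ip + ihl + 16, 0, 2);
    uint16_t c = fold(ocsum(ip, ihl, 0));         /* IP header only */
    ip[10] = c >> 8; ip[11] = c & 0xff;
    /* TCP: pseudo-header (src, dst, proto 6, TCP length) plus the whole segment */
    c = fold(ocsum(ip + ihl, tot - ihl, ocsum(ip + 12, 8, 6 + (uint32_t)(tot - ihl))));
    ip[ihl + 16] = c >> 8; ip[ihl + 17] = c & 0xff;
    return memcmp(old, ip + 10, 2) || memcmp(old + 2, ip + ihl + 16, 2);
}
/* Exchange source/destination addresses and ports in place. */
int swap_endpoints(uint8_t *ip, size_t len) {
    size_t tot, ihl = parse(ip, len, &tot);
    uint8_t t[4];
    if (!ihl) return -1;
    memcpy(t, ip + 12, 4); memcpy(ip + 12, ip + 16, 4); memcpy(ip + 16, t, 4);
    memcpy(t, ip + ihl, 2); memcpy(ip + ihl, ip + ihl + 2, 2); memcpy(ip + ihl + 2, t, 2);
    return 0;
}
```

Because the one's-complement sum does not depend on word order, a pure address and port swap returns 0 from `fix_checksums`; changing a flag, sequence number or payload byte returns 1.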