On 28/04/2015 09:39, Michael Fomichev wrote:
> Hello,
> I am using libnetfilter_queue in C to capture packets. I am setting an
> iptables rule to queue the incoming packets that would later be
> processed by the userspace implementation like this: iptables -A INPUT
> -j NFQUEUE --queue-num 0. I used nfqnl_test.c example as a framework
> to implement the capture. Everything works as expected. However, I
> noticed that it is impossible to inspect the queue on the level of IP
> fragments. That is, if a packet is coming in fragments it is first
> reassembled before being put into the queue. But I would like to work
> with fragments. So is there a way to enforce that kind of behavior?
> What I want to have is a queue where I could observe raw incoming
> packets (both fragmented and unfragmented) so I would be able to act
> on them accordingly.
[...]
> "fragmentation granularity" which I am looking for. I also tried
> adjusting iptable rules (e.g. iptables -t raw -D PREROUTING -i eth0 -j
> NFQUEUE --queue-num 0), but the result is still the same. I can only
Defragmentation has the lowest priority in include/uapi/linux/netfilter_ipv4.h:
NF_IP_PRI_CONNTRACK_DEFRAG = -400
This is even before the RAW priority (-300), so iptables can't work before
defragmentation, unless of course nf_defrag_ipv4 isn't loaded, that is you
don't use connection tracking at all, which I'd doubt.
Try with nft/nftables, because you can choose the hook priority with nft. The
nft rules shouldn't interfere with iptables rules, both can be loaded and be
working together. I chose priority -450 because -450 < -400, so it will run
before nf_defrag_ipv4, and I called it predefrag.
# nft -i
nft> add table filter
nft> add chain filter predefrag { type filter hook prerouting priority -450; }
nft> add rule filter predefrag meta iif eth0 counter queue num 0 bypass
When I run nfqnl_test, if I switch from ping -s 1472 to ping -s 1473 (ethernet
size from 1500 to 1501) from another box, I go from 1 packet with
payload_len=1500 to two packets (payload_len 1500 and 21).
With priority -300 I get only one packet with payload_len 1501. Appears to be
working!
Normally (in all the examples...) the priority should be -300. I don't know if
there's any side effect when using -450.
Relevant documentation:
http://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
http://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
> Any help is really appreciated
> Best regards,
> Michael
Best regards,
Adel
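Added example (my own code, not from this thread, nfqnl_test.c or libnetfilter_queue): once the -450 chain hands the queue unreassembled packets, the nfq callback has to tell a fragment from a whole datagram itself by reading the IPv4 header. The parser below does that on the buffer nfq_get_payload() would return; the function and struct names (ipv4_frag_parse, ipv4_frag_info, demo_*) are mine, and the three packets are constructed headers that mirror the sizes in the thread (1500 + 21 with ping -s 1473 before defrag, 1501 after), not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fragmentation summary of one queued IPv4 packet. */
struct ipv4_frag_info {
    int      valid;          /* 1 if the buffer held a parsable IPv4 header */
    uint16_t total_len;      /* IPv4 total length; nfqnl_test prints this as payload_len */
    uint8_t  protocol;       /* e.g. 1 = ICMP */
    int      dont_fragment;  /* DF flag */
    int      more_fragments; /* MF flag */
    uint16_t frag_offset;    /* offset of this fragment's data in the datagram, bytes */
    int      is_fragment;    /* MF set or non-zero offset: not a whole datagram */
};

/* Parse the IPv4 header at the start of the packet.  In an nfq callback,
 * data/len are what nfq_get_payload(nfa, &data) returns; here they are
 * constructed buffers.  Multi-byte fields are big-endian on the wire. */
struct ipv4_frag_info ipv4_frag_parse(const unsigned char *data, size_t len)
{
    struct ipv4_frag_info info;
    memset(&info, 0, sizeof info);
    if (data == NULL || len < 20 || (data[0] >> 4) != 4)
        return info;                         /* not IPv4 or too short */
    size_t ihl = (size_t)(data[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return info;                         /* bogus header length */
    uint16_t flags_off = (uint16_t)((data[6] << 8) | data[7]);
    info.valid          = 1;
    info.total_len      = (uint16_t)((data[2] << 8) | data[3]);
    info.protocol       = data[9];
    info.dont_fragment  = (flags_off & 0x4000) != 0;
    info.more_fragments = (flags_off & 0x2000) != 0;
    info.frag_offset    = (uint16_t)((flags_off & 0x1fff) * 8);
    info.is_fragment    = info.more_fragments || info.frag_offset != 0;
    return info;
}

/* Build a minimal 20-byte IPv4 header: constructed sample data, header only,
 * no checksum, no payload bytes behind it. */
static void make_ipv4_header(unsigned char *buf, uint16_t total_len,
                             int mf, uint16_t off_bytes, uint8_t proto)
{
    uint16_t flags_off = (uint16_t)((mf ? 0x2000 : 0) | ((off_bytes / 8) & 0x1fff));
    memset(buf, 0, 20);
    buf[0] = 0x45;                           /* version 4, IHL 5 */
    buf[2] = (unsigned char)(total_len >> 8);
    buf[3] = (unsigned char)(total_len & 0xff);
    buf[6] = (unsigned char)(flags_off >> 8);
    buf[7] = (unsigned char)(flags_off & 0xff);
    buf[8] = 64;                             /* TTL */
    buf[9] = proto;
}

/* The two fragments the -450 chain delivers for "ping -s 1473":
 * first one 1500 bytes with MF set, second one 21 bytes at offset 1480. */
struct ipv4_frag_info demo_first_fragment(void)
{
    unsigned char pkt[20];
    make_ipv4_header(pkt, 1500, 1, 0, 1);
    return ipv4_frag_parse(pkt, sizeof pkt);
}

struct ipv4_frag_info demo_last_fragment(void)
{
    unsigned char pkt[20];
    make_ipv4_header(pkt, 21, 0, 1480, 1);
    return ipv4_frag_parse(pkt, sizeof pkt);
}

/* The same datagram as seen at priority -300, after nf_defrag_ipv4: one
 * 1501-byte packet with no MF flag and offset 0. */
struct ipv4_frag_info demo_reassembled(void)
{
    unsigned char pkt[20];
    make_ipv4_header(pkt, 1501, 0, 0, 1);
    return ipv4_frag_parse(pkt, sizeof pkt);
}

int main(void)
{
    struct ipv4_frag_info f[3];
    f[0] = demo_first_fragment();
    f[1] = demo_last_fragment();
    f[2] = demo_reassembled();
    for (int i = 0; i < 3; i++)
        printf("payload_len=%u proto=%u MF=%d offset=%u fragment=%d\n",
               f[i].total_len, f[i].protocol, f[i].more_fragments,
               f[i].frag_offset, f[i].is_fragment);
    return 0;
}
```

In the real callback you would call ipv4_frag_parse on the nfq_get_payload() buffer and base the verdict on is_fragment; note that only the first fragment carries the transport header, so any per-port logic has to handle later fragments separately.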