Hi,

I'd like to write a PoC for a userland IP network crypto using libnetfilter_queue, where I mangle packets both from plaintext to ciphertext (PT-to-CT) and vice versa (CT-to-PT). I have a process that opens two queues (queue 0 is for CT-to-PT, queue 1 is for PT-to-CT). The IP_PROTO for CT packets is 99 (any private encryption scheme). My rules are:

  IPTABLES=iptables
  IPADDRESS=192.168.1.21
  INTERFACE=redhost1aeth0
  INCOMING="-p 99 -i $INTERFACE -d $IPADDRESS"

  ## PT to CT (outgoing crypto)
  $IPTABLES -t mangle -A OUTPUT -p tcp -s $IPADDRESS -j NFQUEUE --queue-num 1
  $IPTABLES -t mangle -A OUTPUT -p udp -s $IPADDRESS -j NFQUEUE --queue-num 1
  $IPTABLES -t mangle -A OUTPUT -p icmp -s $IPADDRESS -j NFQUEUE --queue-num 1

  ## CT to PT (incoming crypto)
  $IPTABLES -t raw -A PREROUTING $INCOMING -j NOTRACK
  $IPTABLES -t mangle -A PREROUTING $INCOMING -j NFQUEUE --queue-num 0

Outgoing traffic (PT-to-CT) works fine (I use ICMP pings to test), but on incoming packets with IP_PROTO 99, my kernel gives up long before the packets reach the nfqueue: it generates a 'protocol 99 unreachable' ICMP message and sends it back (which, ironically, gets encapsulated). I tried putting in the NOTRACK to prevent conntrack from spoiling (as you can see above), but it doesn't help.

Any ideas?

Thanks,
KJ
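As an added illustration of the mangling step the post describes (this is not KJ's code, and it does not diagnose the ICMP 'protocol unreachable' problem), here is the packet-rewriting logic that the two queue handlers would apply. It takes a raw IPv4 packet as libnetfilter_queue hands it to userland, rewrites the protocol field to 99 on the way out and restores it on the way in, and recomputes the IPv4 header checksum, which is easy to forget and causes the rewritten packet to be silently dropped. The payload transform is a labelled XOR placeholder standing in for the real cipher; the sample packet, addresses and key are constructed for the example.

```python
import socket
import struct

CT_PROTO = 99  # private encapsulation protocol number, as in the post's rules


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.

    Call with the checksum field zeroed to compute it, or with the field
    in place to verify (a valid header then sums to 0).
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def _toy_transform(payload: bytes, key: bytes) -> bytes:
    # PLACEHOLDER: XOR is not encryption. A real PoC would apply an AEAD
    # (e.g. AES-GCM with a nonce and tag) here; the header handling around
    # it is the part this example demonstrates.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def _rewrite_header(header: bytearray, proto: int, payload_len: int) -> bytes:
    """Set protocol and total length, then recompute the header checksum."""
    header[9] = proto
    header[2:4] = struct.pack("!H", len(header) + payload_len)
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header)


def pt_to_ct(packet: bytes, key: bytes) -> bytes:
    """Queue 1 handler (outgoing): plaintext IPv4 packet -> protocol-99 packet.

    The original protocol number is carried as the first payload byte so
    the peer can restore it; everything after the IP header is transformed.
    """
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    inner = bytes([header[9]]) + _toy_transform(packet[ihl:], key)
    return _rewrite_header(header, CT_PROTO, len(inner)) + inner


def ct_to_pt(packet: bytes, key: bytes) -> bytes:
    """Queue 0 handler (incoming): inverse of pt_to_ct."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    if header[9] != CT_PROTO:
        raise ValueError("not a protocol-%d packet" % CT_PROTO)
    inner = packet[ihl:]
    if not inner:
        raise ValueError("truncated encapsulated packet")
    original_proto = inner[0]
    payload = _toy_transform(inner[1:], key)
    return _rewrite_header(header, original_proto, len(payload)) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a minimal (no options) IPv4 packet for testing."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst)))
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    # Constructed sample: an ICMP echo request from the post's host address.
    icmp = b"\x08\x00" + b"\x00" * 6 + b"ping-payload"
    pkt = build_ipv4("192.168.1.21", "192.168.1.22", 1, icmp)
    ct = pt_to_ct(pkt, b"example-key")
    print("outgoing proto:", ct[9], "checksum ok:", header_checksum_ok(ct))
    print("round trip ok:", ct_to_pt(ct, b"example-key") == pkt)
```

In a libnetfilter_queue callback the returned bytes would be handed back with nfq_set_verdict(qh, id, NF_ACCEPT, len(new_packet), new_packet), passing the new length because the encapsulated packet is one byte longer. Note that the transport checksums (ICMP, TCP, UDP) are left untouched on purpose: they are restored byte-for-byte by the inverse transform, so only the IPv4 header checksum needs recomputing on each side.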