Note: I am seeing this issue only on a specific host. It works fine on
another host running in router mode. Any ideas to debug this?
Adding this log rule logs all packets: iptables -t mangle -I
PREROUTING 1 -j LOG --log-prefix="mylog" --log-level 4 --ipv4 -p udp
--sport 5353
The kernel module doesn't see ALL multicast dns packets. I assume
iptables uses netfilter hooks too, which makes this issue strange.
Here is the module code:
static uint32_t myhook(uint32_t hooknum, struct sk_buff *skb, const
struct net_device *in, const struct net_device *out, int (*okfn)
(struct sk_buff *))
{
struct iphdr *ip_header;
uint8_t proto;
struct udphdr *udp_header;
unsigned int sip, dip, sport = 0, dport = 0;
if(!skb)
return NF_ACCEPT;
if(ntohs(skb->protocol) != ETH_P_IP)
return NF_ACCEPT;
ip_header = (struct iphdr *)skb_network_header(skb);
proto = ip_header->protocol;
if (proto != IPPROTO_UDP)
return NF_ACCEPT;
udp_header = (struct udphdr *)skb_transport_header(skb);
sip = (unsigned int)ntohl(ip_header->saddr);
dip = (unsigned int)ntohl(ip_header->daddr);
sport = (unsigned int)ntohs(udp_header->source);
dport = (unsigned int)ntohs(udp_header->dest);
if (dport == 5353)
pr_err("sip: %pI4h, sport: %u; dip: %pI4h, dport: %u\n", &sip,
sport, &dip, dport);
return NF_ACCEPT;
}
/*
pre_routing_hook_ops.hooknum = NF_INET_PRE_ROUTING;
pre_routing_hook_ops.pf = PF_INET;
pre_routing_hook_ops.priority = NF_IP_PRI_FIRST;
pre_routing_hook_ops.hook = (nf_hookfn *) myhook;
*/
On Thu, Nov 14, 2019 at 1:23 PM Psyspy rambo <psyspy2020@xxxxxxxxx> wrote:
>
> Hello,
>
> I implemented a kernel module that hooks into netfilter PREROUTING
> hook and tries to log multicast dns packet tuple. If I add a iptables
> log rule for mdns (port 5353), it logs all mdns packets. Verified that
> it matches tcpdump output. However, the netfilter hook sees only a few
> packets. Any ideas why? Thanks in advance.
