Looks like your problem is that your iptables LOG rule tests for sport
5353 while your hook code tests for dport 5353, which would explain why
you're seeing different results.
> Adding this log rule logs all packets: iptables -t mangle -I
> PREROUTING 1 -j LOG --log-prefix="mylog" --log-level 4 --ipv4
> -p udp --sport 5353
> if (dport == 5353)
> pr_err("sip: %pI4h, sport: %u; dip: %pI4h, dport: %u\n",
> &sip, sport, &dip, dport);
--
gordonfish
On 11/20/2019 10:01 AM, Psyspy rambo wrote:
Note: I am seeing this issue only on a specific host. It works fine on
another host running in router mode. Any ideas to debug this?
Adding this log rule logs all packets:
    iptables -t mangle -I PREROUTING 1 -j LOG --log-prefix="mylog" --log-level 4 --ipv4 -p udp --sport 5353
The kernel module doesn't see ALL multicast dns packets. I assume
iptables uses netfilter hooks too, which makes this issue strange.
Here is the module code:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

/* nf_hookfn signature used since Linux 4.4:
 * (void *priv, struct sk_buff *skb, const struct nf_hook_state *state).
 * The earlier (hooknum, skb, in, out, okfn) form behind an (nf_hookfn *)
 * cast only works because skb is the second argument in both. */
static unsigned int myhook(void *priv, struct sk_buff *skb,
                           const struct nf_hook_state *state)
{
    struct iphdr *ip_header;
    struct udphdr *udp_header;
    unsigned int sip, dip, sport = 0, dport = 0;

    if (!skb)
        return NF_ACCEPT;
    /* skb->protocol is in network byte order */
    if (ntohs(skb->protocol) != ETH_P_IP)
        return NF_ACCEPT;

    ip_header = ip_hdr(skb);
    if (ip_header->protocol != IPPROTO_UDP)
        return NF_ACCEPT;
    /* a non-first fragment carries no UDP header, so its "ports" would be payload bytes */
    if (ip_header->frag_off & htons(IP_OFFSET))
        return NF_ACCEPT;

    /* ip_rcv sets the transport header before the PRE_ROUTING hooks run */
    udp_header = udp_hdr(skb);
    sip = ntohl(ip_header->saddr);
    dip = ntohl(ip_header->daddr);
    sport = ntohs(udp_header->source);
    dport = ntohs(udp_header->dest);

    /* only the destination port is tested here */
    if (dport == 5353)
        pr_err("sip: %pI4h, sport: %u; dip: %pI4h, dport: %u\n",
               &sip, sport, &dip, dport);
    return NF_ACCEPT;
}

/* registered from module init with nf_register_net_hook(&init_net, &pre_routing_hook_ops) */
static struct nf_hook_ops pre_routing_hook_ops = {
    .hook     = myhook,
    .pf       = PF_INET,
    .hooknum  = NF_INET_PRE_ROUTING,
    .priority = NF_IP_PRI_FIRST,
};
On Thu, Nov 14, 2019 at 1:23 PM Psyspy rambo <psyspy2020@xxxxxxxxx> wrote:
Hello,
I implemented a kernel module that hooks into netfilter PREROUTING
hook and tries to log multicast dns packet tuple. If I add an iptables
log rule for mdns (port 5353), it logs all mdns packets. Verified that
it matches tcpdump output. However, the netfilter hook sees only a few
packets. Any ideas why? Thanks in advance.
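The port mismatch gordonfish points out can be checked without loading a module. The userspace program below is an added example, not code from this thread: it parses a raw IPv4/UDP packet the way a PRE_ROUTING hook would see it (honouring IHL and skipping non-first fragments, which carry no UDP header), then applies both tests side by side, the iptables rule's "--sport 5353" and the hook's "dport == 5353". The packets, addresses (192.168.1.2, 224.0.0.251), the ephemeral port 49152 and the function names are all constructed for the example. Per RFC 6762, multicast mDNS traffic is 5353 to 5353 and matches both tests, but a legacy unicast query (ephemeral source port) matches only the hook, and the response to it (ephemeral destination port) matches only the iptables rule, so the two logs are expected to differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MDNS_PORT 5353
#define PROTO_UDP 17

/* Bit flags returned by classify(): which of the two port tests matched. */
enum { MATCH_NONE = 0, MATCH_SPORT = 1, MATCH_DPORT = 2 };

struct udp_tuple {
    uint32_t sip, dip;      /* host byte order */
    uint16_t sport, dport;  /* host byte order */
};

/* Parse an IPv4 packet starting at the IP header (what a PRE_ROUTING hook
 * sees). Uses the IHL field, since IP options shift the UDP header, and
 * rejects non-first fragments. Returns 0 only for first-fragment UDP. */
static int parse_ipv4_udp(const uint8_t *pkt, size_t len, struct udp_tuple *t)
{
    uint32_t addr;
    uint16_t w;
    size_t ihl;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)
        return -1;
    if (pkt[9] != PROTO_UDP)
        return -2;
    memcpy(&w, pkt + 6, 2);             /* flags + fragment offset */
    if (ntohs(w) & 0x1fff)
        return -3;                      /* non-first fragment: no UDP header */

    memcpy(&addr, pkt + 12, 4); t->sip = ntohl(addr);
    memcpy(&addr, pkt + 16, 4); t->dip = ntohl(addr);
    memcpy(&w, pkt + ihl, 2);     t->sport = ntohs(w);
    memcpy(&w, pkt + ihl + 2, 2); t->dport = ntohs(w);
    return 0;
}

/* MATCH_SPORT mirrors "iptables ... -p udp --sport 5353";
 * MATCH_DPORT mirrors the hook's "if (dport == 5353)". */
int classify(const uint8_t *pkt, size_t len)
{
    struct udp_tuple t;
    int m = MATCH_NONE;

    if (parse_ipv4_udp(pkt, len, &t) != 0)
        return MATCH_NONE;
    if (t.sport == MDNS_PORT)
        m |= MATCH_SPORT;
    if (t.dport == MDNS_PORT)
        m |= MATCH_DPORT;
    return m;
}

/* Build a constructed IPv4/UDP packet: no options, zero checksums (the
 * parser does not verify them), 12 bytes of dummy payload. Returns length. */
size_t build_udp(uint8_t *buf, uint32_t sip, uint32_t dip,
                 uint16_t sport, uint16_t dport, uint16_t frag_off_words)
{
    size_t total = 20 + 8 + 12;
    uint32_t a;
    uint16_t w;

    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    w = htons((uint16_t)total);         memcpy(buf + 2, &w, 2);
    w = htons(frag_off_words & 0x1fff); memcpy(buf + 6, &w, 2);
    buf[8] = 255;                                    /* TTL; mDNS uses 255 */
    buf[9] = PROTO_UDP;
    a = htonl(sip);    memcpy(buf + 12, &a, 4);
    a = htonl(dip);    memcpy(buf + 16, &a, 4);
    w = htons(sport);  memcpy(buf + 20, &w, 2);
    w = htons(dport);  memcpy(buf + 22, &w, 2);
    w = htons(8 + 12); memcpy(buf + 24, &w, 2);
    return total;
}

/* Constructed addresses: host 192.168.1.2, mDNS group 224.0.0.251, peer 192.168.1.3 */
#define HOST_A     0xC0A80102u
#define MDNS_GROUP 0xE00000FBu
#define HOST_B     0xC0A80103u

int classify_multicast_query(void)       /* 5353 -> 5353: both tests match */
{ uint8_t b[64]; return classify(b, build_udp(b, HOST_A, MDNS_GROUP, 5353, 5353, 0)); }
int classify_legacy_unicast_query(void)  /* 49152 -> 5353: hook test only */
{ uint8_t b[64]; return classify(b, build_udp(b, HOST_A, MDNS_GROUP, 49152, 5353, 0)); }
int classify_unicast_response(void)      /* 5353 -> 49152: iptables rule only */
{ uint8_t b[64]; return classify(b, build_udp(b, HOST_A, HOST_B, 5353, 49152, 0)); }
int classify_nonfirst_fragment(void)     /* fragment offset 1: neither */
{ uint8_t b[64]; return classify(b, build_udp(b, HOST_A, MDNS_GROUP, 5353, 5353, 1)); }

int main(void)
{
    printf("multicast query=%d legacy unicast query=%d unicast response=%d fragment=%d\n",
           classify_multicast_query(), classify_legacy_unicast_query(),
           classify_unicast_response(), classify_nonfirst_fragment());
    return 0;
}
```

A hook that wants to log the same set as the iptables rule should test the same field; a hook that wants all mDNS traffic, including legacy unicast queries and their replies, should test sport or dport. The fragment check matters for a hook too: at PRE_ROUTING the kernel has not reassembled anything yet, so reading udp_hdr() on a non-first fragment logs payload bytes as ports.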