Thanks for the reply. For multicast dns flows, both source and destination ports are 5353. Even if I remove the if statement and dump all udp flows, the kernel module doesn't see all of them.

On Thu, Nov 21, 2019 at 11:09 AM Gordon Fisher <gordfisherman@xxxxxxxxx> wrote:
>
> Looks like your problem is that your iptables LOG rule tests for sport
> 5353 while your hook code tests for dport 5353, which would explain why
> you're seeing different results.
>
> > Adding this log rule logs all packets:
> > iptables -t mangle -I PREROUTING 1 -j LOG --log-prefix="mylog" --log-level 4 --ipv4 -p udp --sport 5353
>
> > if (dport == 5353)
> >         pr_err("sip: %pI4h, sport: %u; dip: %pI4h, dport: %u\n",
> >                &sip, sport, &dip, dport);
>
> --
> gordonfish
>
>
> On 11/20/2019 10:01 AM, Psyspy rambo wrote:
> > Note: I am seeing this issue only on a specific host. It works fine on
> > another host running in router mode. Any ideas to debug this?
> >
> > Adding this log rule logs all packets:
> > iptables -t mangle -I PREROUTING 1 -j LOG --log-prefix="mylog" --log-level 4 --ipv4 -p udp --sport 5353
> >
> > The kernel module doesn't see ALL multicast dns packets. I assume
> > iptables uses netfilter hooks too, which makes this issue strange.
> > Here is the module code:
> >
> > static uint32_t myhook(uint32_t hooknum, struct sk_buff *skb,
> >                        const struct net_device *in,
> >                        const struct net_device *out,
> >                        int (*okfn)(struct sk_buff *))
> > {
> >         struct iphdr *ip_header;
> >         uint8_t proto;
> >         struct udphdr *udp_header;
> >         unsigned int sip, dip, sport = 0, dport = 0;
> >
> >         if (!skb)
> >                 return NF_ACCEPT;
> >
> >         if (ntohs(skb->protocol) != ETH_P_IP)
> >                 return NF_ACCEPT;
> >
> >         ip_header = (struct iphdr *)skb_network_header(skb);
> >         proto = ip_header->protocol;
> >
> >         if (proto != IPPROTO_UDP)
> >                 return NF_ACCEPT;
> >
> >         udp_header = (struct udphdr *)skb_transport_header(skb);
> >         sip = (unsigned int)ntohl(ip_header->saddr);
> >         dip = (unsigned int)ntohl(ip_header->daddr);
> >         sport = (unsigned int)ntohs(udp_header->source);
> >         dport = (unsigned int)ntohs(udp_header->dest);
> >         if (dport == 5353)
> >                 pr_err("sip: %pI4h, sport: %u; dip: %pI4h, dport: %u\n",
> >                        &sip, sport, &dip, dport);
> >         return NF_ACCEPT;
> > }
> >
> > /*
> > pre_routing_hook_ops.hooknum = NF_INET_PRE_ROUTING;
> > pre_routing_hook_ops.pf = PF_INET;
> > pre_routing_hook_ops.priority = NF_IP_PRI_FIRST;
> > pre_routing_hook_ops.hook = (nf_hookfn *) myhook;
> > */
> >
> > On Thu, Nov 14, 2019 at 1:23 PM Psyspy rambo <psyspy2020@xxxxxxxxx> wrote:
> >> Hello,
> >>
> >> I implemented a kernel module that hooks into the netfilter PREROUTING
> >> hook and tries to log the multicast dns packet tuple. If I add an iptables
> >> log rule for mdns (port 5353), it logs all mdns packets. Verified that
> >> it matches tcpdump output. However, the netfilter hook sees only a few
> >> packets. Any ideas why? Thanks in advance.
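The point Gordon raises (the iptables rule matches `--sport 5353`, the hook matches `dport == 5353`) is easy to check outside the kernel. The program below is an added example, not code from this thread or from the poster's module: it models in user space what a PRE_ROUTING hook does when it walks from the IP header to the UDP ports, honouring the IHL field so that IP options do not shift the port read, and runs the three candidate tests (dport only, sport only, either port) over constructed packets. The packets, addresses and ports are all constructed for the example; `IPPROTO_UDP_NUM` is the example's own constant for protocol number 17.

```c
/* Added example: user-space model of the mDNS port test a netfilter
 * PRE_ROUTING hook performs.  Not the thread's kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MDNS_PORT 5353
#define IPPROTO_UDP_NUM 17   /* IANA protocol number for UDP */

struct tuple {
    uint32_t sip, dip;       /* host byte order, like ntohl(iph->saddr) */
    uint16_t sport, dport;   /* host byte order, like ntohs(udph->source) */
};

/* Parse an IPv4 packet that starts at the IP header (what
 * skb_network_header() points at).  Returns 1 and fills *t for UDP,
 * 0 for anything else (not IPv4, not UDP, or truncated). */
int parse_ipv4_udp(const uint8_t *pkt, size_t len, struct tuple *t)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length incl. options */
    if (ihl < 20 || len < ihl + 8)
        return 0;
    if (pkt[9] != IPPROTO_UDP_NUM)
        return 0;
    uint32_t saddr, daddr;
    uint16_t sp, dp;
    memcpy(&saddr, pkt + 12, 4);
    memcpy(&daddr, pkt + 16, 4);
    memcpy(&sp, pkt + ihl, 2);       /* UDP header follows the IP options */
    memcpy(&dp, pkt + ihl + 2, 2);
    t->sip = ntohl(saddr);
    t->dip = ntohl(daddr);
    t->sport = ntohs(sp);
    t->dport = ntohs(dp);
    return 1;
}

/* The hook's test: destination port only. */
int match_dport_only(const struct tuple *t) { return t->dport == MDNS_PORT; }
/* The iptables rule's test: source port only. */
int match_sport_only(const struct tuple *t) { return t->sport == MDNS_PORT; }
/* A test that sees every packet either of the above sees. */
int match_either(const struct tuple *t)
{
    return t->sport == MDNS_PORT || t->dport == MDNS_PORT;
}

/* Build a minimal IPv4/UDP packet (no payload, zero checksums).
 * ihl_words > 5 inserts zeroed IP options.  Returns the packet length. */
size_t build_packet(uint8_t *buf, uint8_t ihl_words, const char *src,
                    const char *dst, uint16_t sport, uint16_t dport)
{
    size_t ihl = (size_t)ihl_words * 4, total = ihl + 8;
    struct in_addr a;
    uint16_t sp = htons(sport), dp = htons(dport), ulen = htons(8);
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);      /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                               /* TTL */
    buf[9] = IPPROTO_UDP_NUM;
    inet_pton(AF_INET, src, &a); memcpy(buf + 12, &a, 4);
    inet_pton(AF_INET, dst, &a); memcpy(buf + 16, &a, 4);
    memcpy(buf + ihl, &sp, 2);
    memcpy(buf + ihl + 2, &dp, 2);
    memcpy(buf + ihl + 4, &ulen, 2);
    return total;
}

/* Run one test over three constructed packets and count the matches:
 * (1) multicast query 5353 -> 5353, (2) legacy unicast reply 5353 -> 49152,
 * (3) legacy unicast query 49152 -> 5353 carrying IP options (IHL = 6). */
int count_matches(int (*test)(const struct tuple *))
{
    uint8_t buf[64];
    struct tuple t;
    int hits = 0;
    size_t n;
    n = build_packet(buf, 5, "192.168.1.10", "224.0.0.251", MDNS_PORT, MDNS_PORT);
    if (parse_ipv4_udp(buf, n, &t)) hits += test(&t);
    n = build_packet(buf, 5, "192.168.1.20", "192.168.1.10", MDNS_PORT, 49152);
    if (parse_ipv4_udp(buf, n, &t)) hits += test(&t);
    n = build_packet(buf, 6, "192.168.1.10", "192.168.1.20", 49152, MDNS_PORT);
    if (parse_ipv4_udp(buf, n, &t)) hits += test(&t);
    return hits;
}

int count_dport_only(void) { return count_matches(match_dport_only); }
int count_sport_only(void) { return count_matches(match_sport_only); }
int count_either(void)     { return count_matches(match_either); }

int main(void)
{
    printf("dport-only: %d  sport-only: %d  either: %d\n",
           count_dport_only(), count_sport_only(), count_either());
    return 0;
}
```

Over these three packets the dport-only and sport-only tests each match two, but not the same two, and only the either-port test matches all three; a hook and a LOG rule that disagree on which port to test will therefore report different packet sets even when both are invoked for every packet. The IHL handling is there because a port lookup that assumes a 20-byte IP header silently reads the wrong bytes on packets with options, which is another way for two observers to disagree.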