Update: RE: Packet Mangling not taking?

Marc Kurtz mkurtz@dsdlabs.com
Tue, 2 Oct 2001 12:01:30 -0400


This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C14B5B.800CE380
Content-Type: text/plain;
	charset="iso-8859-1"

First a little recap. I have been trying to (in-a-way) do IP encapsulation
(this is merely experimentation). I have been adding 20 bytes (the length of
the IP Header) to the beginning of each packet going out and removing 20
bytes coming in. When adding the 20 bytes, I copy the IP header from the
original packet to the new space. So now I have:
 
 
< 20 bytes IP > <(same) 20 bytes IP> <payload>
 
Then I changing the tot_len field in the first IP header (the second IP
Header is part of the payload at this point), and I am doing an IP Header
checksum and an SKB checksum. The checksum code I am using is:
 
skb->csum = 0;
csum = csum_partial(skb->h.raw + doff, size - doff, 0);
skb->csum = csum; /* data checksum */

 ip_send_check(iph); /* ip checksum */

 
(is this a standard way of doing checksums??)
and things are working somewhat now...
 
I can use TCP connections perfectly! But for some reason, ICMP does not
work. Any thoughts? Is there a post-netfilter ICMP check procedure? I get a
packet going out and coming back in (all with correct lengths:
84->Netfilter->104->Network Wire->104->Netfilter->84), but it doesn't
register as a reply. Any thoughts??
 
-Marc Kurtz



 
 -----Original Message-----
From: Marc Kurtz [mailto:mkurtz@dsdlabs.com]
Sent: Tuesday, October 02, 2001 9:54 AM
To: 'netfilter-devel@lists.samba.org'
Subject: RE: Packet Mangling not taking?


Well the TCP stuff is below the IP Header (think encapsulation), so that
isn't necessary until it hits the final destination (which will remove the
extra 20 bytes), but would an invalid TCP  header (or an IP header for that
matter) cause the linux stack to drop the packet or re-adjust the packet so
it was the original length?
 
What function (in kernel-land) will re-calculate the IP Header??
 
Thanks for the info so far! I do believe it has to do with the IP tot_len
field!
 
-Marc

-----Original Message-----
From: Avinash natarajan [mailto:avinash.nat@wipro.com]
Sent: Tuesday, October 02, 2001 2:57 AM
To: Marc Kurtz
Subject: Re: Packet Mangling not taking?


hi..
    changing the ip header's total length field defenitely calls for
recalculation of the ip header checksum.
also when u add 20 bytes,it wud need a change in the transport header's
length field(for eg udp has a length field)..
and in case of tcp it wud affect the seq number.the tcp/udp checksum shud
also be recalculated..
rgds
avinash

----- Original Message ----- 
From: Marc  <mailto:mkurtz@dsdlabs.com> Kurtz 
To: 'netfilter-devel@lists.samba.org'
<mailto:'netfilter-devel@lists.samba.org'>  
Sent: Tuesday, October 02, 2001 2:37 AM
Subject: Packet Mangling not taking?

Hi all,

First thanks to S. Lockwood-Childs for answering my question on MAC
addresses. Your help is much appreciated.

On to my real problem now. I have been trying to test out packet
modification with netfilter hooks (using modules). What I have been doing is
adding 20 bytes at the end of a packet on one system, and then removing the
20 bytes at the other end of a connection on another system. It seems that
when the packet leaves the netfilter hook procedure that the skb->len has
been changed by the appropriate skb_* procedure (so it is coming in and
either adding or subtracting 20 bytes from the length). But when it reaches
the other end, it doesn't see the change in packet length. I think the
subtracting part (associated with the PRE-ROUTING hook, i.e. incoming
traffic) works okay, but the outgoing part (tried both POST_ROUTING and
LOCAL_OUT) doesn't seem to take. Do I need to modify any IP header info? I
tried to "iph->tot_len =htons(skb->len)" but that caused the packet to get
dropped somewhere along the line (do I need to re-checksum? Is there a
function to do this for me?)

I hope someone can give me a handle. (the end result is that we want to be
able to sort-of add meta-data to a packet between two points)


Thank You,
Marc Kurtz
IT Manager
DSD Laboratories, Inc.
978-443-9700




------_=_NextPart_001_01C14B5B.800CE380
Content-Type: text/html;
	charset="iso-8859-1"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">


<META content="MSHTML 5.50.4807.2300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>First 
a little recap. I have been trying to (in-a-way) do IP encapsulation (this is 
merely experimentation). I have been adding 20 bytes (the length of the IP 
Header) to the beginning of each packet going out and removing 20 bytes coming 
in. When adding the 20 bytes, I copy the IP header from the original packet to 
the new space. So now I have:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>&lt; 
20 bytes IP &gt; &lt;(same) 20 bytes IP&gt; &lt;payload&gt;</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>Then I 
changing the tot_len field in the first IP header (the second IP Header is part 
of the payload at this point), and I am doing an IP Header checksum and an SKB 
checksum. The checksum code I am using is:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial><SPAN class=507174915-02102001>skb-&gt;csum = 0;<BR>	csum 
= csum_partial(skb-&gt;h.raw + doff, size - doff, 0);<BR>	skb-&gt;csum = csum; 
/* data checksum */<BR><BR>&nbsp;ip_send_check(iph); /* ip checksum 
*/<BR></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>(is 
this a standard way of doing checksums??)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>and 
things are working somewhat now...</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>I can 
use TCP connections perfectly! But for some reason, ICMP does not work. Any 
thoughts? Is there a post-netfilter ICMP check procedure? I get a packet going 
out and coming back in (all with correct lengths: 
84-&gt;Netfilter-&gt;104-&gt;Network Wire-&gt;104-&gt;Netfilter-&gt;84), but it 
doesn't register as a reply. Any thoughts??</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN 
class=507174915-02102001></SPAN></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>-Marc 
Kurtz</SPAN></FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"><FONT face=Tahoma>
  <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Arial 
  color=#0000ff size=2></FONT><BR><FONT size=2><SPAN 
  class=507174915-02102001><FONT face=Arial 
  color=#0000ff>&nbsp;</FONT></SPAN></FONT></DIV>
  <DIV class=OutlookMessageHeader dir=ltr align=left><FONT size=2><SPAN 
  class=507174915-02102001>&nbsp;</SPAN>-----Original 
  Message-----<BR><B>From:</B> Marc Kurtz 
  [mailto:mkurtz@dsdlabs.com]<BR><B>Sent:</B> Tuesday, October 02, 2001 9:54 
  AM<BR><B>To:</B> 'netfilter-devel@lists.samba.org'<BR><B>Subject:</B> RE: 
  Packet Mangling not taking?<BR><BR></DIV></FONT></FONT>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff size=2>Well 
  the TCP stuff is below the IP Header (think encapsulation), so that isn't 
  necessary until it hits the final destination&nbsp;(which will remove the 
  extra 20 bytes), but would an invalid TCP&nbsp; header&nbsp;(or an IP header 
  for that matter) cause the linux stack to drop the packet or re-adjust the 
  packet so it was the original length?</FONT></SPAN></DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff 
  size=2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff size=2>What 
  function (in kernel-land) will re-calculate the IP 
Header??</FONT></SPAN></DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff 
  size=2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff 
  size=2>Thanks for the info so far! I do believe it has to do with the IP 
  tot_len field!</FONT></SPAN></DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff 
  size=2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff 
  size=2>-Marc</FONT></SPAN></DIV>
  <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
    <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma 
    size=2>-----Original Message-----<BR><B>From:</B> Avinash natarajan 
    [mailto:avinash.nat@wipro.com]<BR><B>Sent:</B> Tuesday, October 02, 2001 
    2:57 AM<BR><B>To:</B> Marc Kurtz<BR><B>Subject:</B> Re: Packet Mangling not 
    taking?<BR><BR></FONT></DIV>
    <DIV><FONT face=Arial size=2>hi..</FONT></DIV>
    <DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp; changing the ip header's 
    total length field defenitely calls for recalculation of the ip header 
    checksum.</FONT></DIV>
    <DIV><FONT face=Arial size=2>also when u add 20 bytes,it wud need a change 
    in the transport header's length field(for eg udp has a length 
    field)..</FONT></DIV>
    <DIV><FONT face=Arial size=2>and in case of tcp it wud affect the seq 
    number.the tcp/udp checksum shud also be recalculated..</FONT></DIV>
    <DIV><FONT face=Arial size=2>rgds</FONT></DIV>
    <DIV><FONT face=Arial size=2>avinash</FONT></DIV>
    <BLOCKQUOTE 
    style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
      <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
      <DIV 
      style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B> 
      <A title=mkurtz@dsdlabs.com href="mailto:mkurtz@dsdlabs.com">Marc 
      Kurtz</A> </DIV>
      <DIV style="FONT: 10pt arial"><B>To:</B> <A 
      title=netfilter-devel@lists.samba.org 
      href="mailto:'netfilter-devel@lists.samba.org'">'netfilter-devel@lists.samba.org'</A> 
      </DIV>
      <DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, October 02, 2001 2:37 
      AM</DIV>
      <DIV style="FONT: 10pt arial"><B>Subject:</B> Packet Mangling not 
      taking?</DIV>
      <DIV><BR></DIV>Hi all,<BR><BR>First thanks to S. Lockwood-Childs for 
      answering my question on MAC<BR>addresses. Your help is much 
      appreciated.<BR><BR>On to my real problem now. I have been trying to test 
      out packet<BR>modification with netfilter hooks (using modules). What I 
      have been doing is<BR>adding 20 bytes at the end of a packet on one 
      system, and then removing the<BR>20 bytes at the other end of a connection 
      on another system. It seems that<BR>when the packet leaves the netfilter 
      hook procedure that the skb-&gt;len has<BR>been changed by the appropriate 
      skb_* procedure (so it is coming in and<BR>either adding or subtracting 20 
      bytes from the length). But when it reaches<BR>the other end, it doesn't 
      see the change in packet length. I think the<BR>subtracting part 
      (associated with the PRE-ROUTING hook, i.e. incoming<BR>traffic) works 
      okay, but the outgoing part (tried both POST_ROUTING and<BR>LOCAL_OUT) 
      doesn't seem to take. Do I need to modify any IP header info? I<BR>tried 
      to "iph-&gt;tot_len =htons(skb-&gt;len)" but that caused the packet to 
      get<BR>dropped somewhere along the line (do I need to re-checksum? Is 
      there a<BR>function to do this for me?)<BR><BR>I hope someone can give me 
      a handle. (the end result is that we want to be<BR>able to sort-of add 
      meta-data to a packet between two points)<BR><BR><BR>Thank You,<BR>Marc 
      Kurtz<BR>IT Manager<BR>DSD Laboratories, 
    Inc.<BR>978-443-9700<BR><BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>

------_=_NextPart_001_01C14B5B.800CE380--