Update: RE: Packet Mangling not taking?
Marc Kurtz
mkurtz@dsdlabs.com
Tue, 2 Oct 2001 12:01:30 -0400
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C14B5B.800CE380
Content-Type: text/plain;
charset="iso-8859-1"
First a little recap. I have been trying to (in-a-way) do IP encapsulation
(this is merely experimentation). I have been adding 20 bytes (the length of
the IP Header) to the beginning of each packet going out and removing 20
bytes coming in. When adding the 20 bytes, I copy the IP header from the
original packet to the new space. So now I have:
< 20 bytes IP > <(same) 20 bytes IP> <payload>
Then I changing the tot_len field in the first IP header (the second IP
Header is part of the payload at this point), and I am doing an IP Header
checksum and an SKB checksum. The checksum code I am using is:
skb->csum = 0;
csum = csum_partial(skb->h.raw + doff, size - doff, 0);
skb->csum = csum; /* data checksum */
ip_send_check(iph); /* ip checksum */
(is this a standard way of doing checksums??)
and things are working somewhat now...
I can use TCP connections perfectly! But for some reason, ICMP does not
work. Any thoughts? Is there a post-netfilter ICMP check procedure? I get a
packet going out and coming back in (all with correct lengths:
84->Netfilter->104->Network Wire->104->Netfilter->84), but it doesn't
register as a reply. Any thoughts??
-Marc Kurtz
-----Original Message-----
From: Marc Kurtz [mailto:mkurtz@dsdlabs.com]
Sent: Tuesday, October 02, 2001 9:54 AM
To: 'netfilter-devel@lists.samba.org'
Subject: RE: Packet Mangling not taking?
Well the TCP stuff is below the IP Header (think encapsulation), so that
isn't necessary until it hits the final destination (which will remove the
extra 20 bytes), but would an invalid TCP header (or an IP header for that
matter) cause the linux stack to drop the packet or re-adjust the packet so
it was the original length?
What function (in kernel-land) will re-calculate the IP Header??
Thanks for the info so far! I do believe it has to do with the IP tot_len
field!
-Marc
-----Original Message-----
From: Avinash natarajan [mailto:avinash.nat@wipro.com]
Sent: Tuesday, October 02, 2001 2:57 AM
To: Marc Kurtz
Subject: Re: Packet Mangling not taking?
hi..
changing the ip header's total length field defenitely calls for
recalculation of the ip header checksum.
also when u add 20 bytes,it wud need a change in the transport header's
length field(for eg udp has a length field)..
and in case of tcp it wud affect the seq number.the tcp/udp checksum shud
also be recalculated..
rgds
avinash
----- Original Message -----
From: Marc <mailto:mkurtz@dsdlabs.com> Kurtz
To: 'netfilter-devel@lists.samba.org'
<mailto:'netfilter-devel@lists.samba.org'>
Sent: Tuesday, October 02, 2001 2:37 AM
Subject: Packet Mangling not taking?
Hi all,
First thanks to S. Lockwood-Childs for answering my question on MAC
addresses. Your help is much appreciated.
On to my real problem now. I have been trying to test out packet
modification with netfilter hooks (using modules). What I have been doing is
adding 20 bytes at the end of a packet on one system, and then removing the
20 bytes at the other end of a connection on another system. It seems that
when the packet leaves the netfilter hook procedure that the skb->len has
been changed by the appropriate skb_* procedure (so it is coming in and
either adding or subtracting 20 bytes from the length). But when it reaches
the other end, it doesn't see the change in packet length. I think the
subtracting part (associated with the PRE-ROUTING hook, i.e. incoming
traffic) works okay, but the outgoing part (tried both POST_ROUTING and
LOCAL_OUT) doesn't seem to take. Do I need to modify any IP header info? I
tried to "iph->tot_len =htons(skb->len)" but that caused the packet to get
dropped somewhere along the line (do I need to re-checksum? Is there a
function to do this for me?)
I hope someone can give me a handle. (the end result is that we want to be
able to sort-of add meta-data to a packet between two points)
Thank You,
Marc Kurtz
IT Manager
DSD Laboratories, Inc.
978-443-9700
------_=_NextPart_001_01C14B5B.800CE380
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4807.2300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>First
a little recap. I have been trying to (in-a-way) do IP encapsulation (this is
merely experimentation). I have been adding 20 bytes (the length of the IP
Header) to the beginning of each packet going out and removing 20 bytes coming
in. When adding the 20 bytes, I copy the IP header from the original packet to
the new space. So now I have:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001><
20 bytes IP > <(same) 20 bytes IP> <payload></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>Then I
changing the tot_len field in the first IP header (the second IP Header is part
of the payload at this point), and I am doing an IP Header checksum and an SKB
checksum. The checksum code I am using is:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial><SPAN class=507174915-02102001>skb->csum = 0;<BR> csum
= csum_partial(skb->h.raw + doff, size - doff, 0);<BR> skb->csum = csum;
/* data checksum */<BR><BR> ip_send_check(iph); /* ip checksum
*/<BR></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>(is
this a standard way of doing checksums??)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>and
things are working somewhat now...</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>I can
use TCP connections perfectly! But for some reason, ICMP does not work. Any
thoughts? Is there a post-netfilter ICMP check procedure? I get a packet going
out and coming back in (all with correct lengths:
84->Netfilter->104->Network Wire->104->Netfilter->84), but it
doesn't register as a reply. Any thoughts??</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=507174915-02102001></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=507174915-02102001>-Marc
Kurtz</SPAN></FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"><FONT face=Tahoma>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Arial
color=#0000ff size=2></FONT><BR><FONT size=2><SPAN
class=507174915-02102001><FONT face=Arial
color=#0000ff> </FONT></SPAN></FONT></DIV>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT size=2><SPAN
class=507174915-02102001> </SPAN>-----Original
Message-----<BR><B>From:</B> Marc Kurtz
[mailto:mkurtz@dsdlabs.com]<BR><B>Sent:</B> Tuesday, October 02, 2001 9:54
AM<BR><B>To:</B> 'netfilter-devel@lists.samba.org'<BR><B>Subject:</B> RE:
Packet Mangling not taking?<BR><BR></DIV></FONT></FONT>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff size=2>Well
the TCP stuff is below the IP Header (think encapsulation), so that isn't
necessary until it hits the final destination (which will remove the
extra 20 bytes), but would an invalid TCP header (or an IP header
for that matter) cause the linux stack to drop the packet or re-adjust the
packet so it was the original length?</FONT></SPAN></DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff size=2>What
function (in kernel-land) will re-calculate the IP
Header??</FONT></SPAN></DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff
size=2>Thanks for the info so far! I do believe it has to do with the IP
tot_len field!</FONT></SPAN></DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=750525313-02102001><FONT face=Arial color=#0000ff
size=2>-Marc</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Avinash natarajan
[mailto:avinash.nat@wipro.com]<BR><B>Sent:</B> Tuesday, October 02, 2001
2:57 AM<BR><B>To:</B> Marc Kurtz<BR><B>Subject:</B> Re: Packet Mangling not
taking?<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>hi..</FONT></DIV>
<DIV><FONT face=Arial size=2> changing the ip header's
total length field defenitely calls for recalculation of the ip header
checksum.</FONT></DIV>
<DIV><FONT face=Arial size=2>also when u add 20 bytes,it wud need a change
in the transport header's length field(for eg udp has a length
field)..</FONT></DIV>
<DIV><FONT face=Arial size=2>and in case of tcp it wud affect the seq
number.the tcp/udp checksum shud also be recalculated..</FONT></DIV>
<DIV><FONT face=Arial size=2>rgds</FONT></DIV>
<DIV><FONT face=Arial size=2>avinash</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=mkurtz@dsdlabs.com href="mailto:mkurtz@dsdlabs.com">Marc
Kurtz</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=netfilter-devel@lists.samba.org
href="mailto:'netfilter-devel@lists.samba.org'">'netfilter-devel@lists.samba.org'</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, October 02, 2001 2:37
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Packet Mangling not
taking?</DIV>
<DIV><BR></DIV>Hi all,<BR><BR>First thanks to S. Lockwood-Childs for
answering my question on MAC<BR>addresses. Your help is much
appreciated.<BR><BR>On to my real problem now. I have been trying to test
out packet<BR>modification with netfilter hooks (using modules). What I
have been doing is<BR>adding 20 bytes at the end of a packet on one
system, and then removing the<BR>20 bytes at the other end of a connection
on another system. It seems that<BR>when the packet leaves the netfilter
hook procedure that the skb->len has<BR>been changed by the appropriate
skb_* procedure (so it is coming in and<BR>either adding or subtracting 20
bytes from the length). But when it reaches<BR>the other end, it doesn't
see the change in packet length. I think the<BR>subtracting part
(associated with the PRE-ROUTING hook, i.e. incoming<BR>traffic) works
okay, but the outgoing part (tried both POST_ROUTING and<BR>LOCAL_OUT)
doesn't seem to take. Do I need to modify any IP header info? I<BR>tried
to "iph->tot_len =htons(skb->len)" but that caused the packet to
get<BR>dropped somewhere along the line (do I need to re-checksum? Is
there a<BR>function to do this for me?)<BR><BR>I hope someone can give me
a handle. (the end result is that we want to be<BR>able to sort-of add
meta-data to a packet between two points)<BR><BR><BR>Thank You,<BR>Marc
Kurtz<BR>IT Manager<BR>DSD Laboratories,
Inc.<BR>978-443-9700<BR><BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C14B5B.800CE380--