unable to reinject the IP packets using ipq_set_verdict (libipq API)

Srinivas G. srinivasg at esntechnologies.co.in
Mon Dec 20 13:03:03 CET 2004


Dear All,

 

I developed a small application which uses the libipq APIs to capture
the IP packets using netfilter hook. (Here I am not using the iptables.
I used the netfilter hook module to queue the packets in the kernel
space using NF_QUEUE verdict. At the user side I am using the ip_queue
module and then libipq APIs to read the queued packets from the kernel
space)

 

When I try to print the packet's data in the libipq application it was
printed perfectly. But when I try to reinject the modified packet back
to kernel space using the ipq_set_verdict, it was not working. See the
attached code below.

 

 

  case IPQM_PACKET:
  {
      ipq_packet_msg_t *m = ipq_get_packet(buf);
      unsigned char *packet = (unsigned char *)m + sizeof(*m);
      unsigned int header_length = 0;
      struct iphdr *iph;
      struct tcphdr *tcph;
      unsigned char *payload;

      /* calculate the IP header length */
      iph = (struct iphdr *)packet;
      header_length += iph->ihl * 4;

      /* calculate the TCP header */
      tcph = (struct tcphdr *)(packet + header_length);
      header_length += tcph->doff * 4;

      /* compute the payload */
      payload = packet + header_length;

      printf("Packet receivd!\n");

      /* length of the packet data is */
      printf("Packet length = %lu!\n", (unsigned long)m->data_len);

      /* address of the packet in the memory */
      printf("Packet address in the memory : %p!\n", (void *)packet);

      /* address of the payload in the memory */
      printf("payload address in the memory : %p!\n", (void *)payload);

      for (i = 0; i < 20; i++)
      {
          printf("%c", *(payload + i));
          *(payload + i) = 'a';
      }

      printf("\n");

      /* after modification re-inject the packet into
       * the kernel space i.e. issue the verdict */
      status = ipq_set_verdict(pHandle, m->packet_id, NF_ACCEPT, 0, NULL);

      if (status < 0)
          die(pHandle);

      break;
  }

 

 

I modified the following line in different ways with different arguments
for the 4th and 5th parameters. I read the man page of ipq_set_verdict
and modified those variables. 

 

status = ipq_set_verdict(pHandle, m->packet_id, NF_ACCEPT, 0, NULL);

 

Instead of sending the 0 and NULL, I send

1. Application defined buffer length and application defined buffer pointer.

2. m->data_len and packet pointer

3. 20 (number of characters I modified in the application) and payload pointer

4. m->data_len and m

 

I tried with other combinations, not only above mentioned combinations. 

 

Even so, I was unable to retransmit the modified packet.

 

How am I testing it? I connected two individual systems using a CROSS
CABLE. On one system I am running the client program and on the other
system I am running the server program and the libipq application. On
the server machine I am receiving the original data instead of the
modified one.

 

Any help greatly appreciated.

 

Thanks and regards,

Srinivas G
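
An added example, not part of the original post: a packet handed back through the 4th and 5th arguments of ipq_set_verdict has to carry a TCP checksum that matches its changed payload, and the write has to stay inside the queued data. The helper names tcp_checksum and rewrite_tcp_payload are hypothetical, and the code assumes a plain IPv4/TCP packet whose checksum is not recomputed for it after reinjection.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words, added to `sum`. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    return sum;
}

/* TCP checksum over the IPv4 pseudo-header plus the whole TCP segment. */
uint16_t tcp_checksum(const uint8_t *ip, size_t ihl, size_t seg_len)
{
    uint32_t sum = sum16(ip + 12, 8, 0);      /* source + destination address */
    sum += 6 + (uint32_t)seg_len;             /* protocol (TCP) + TCP length */
    sum = sum16(ip + ihl, seg_len, sum);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Overwrite up to n payload bytes with `fill` and repair the TCP checksum.
 * pkt/len correspond to m->payload / m->data_len in the IPQM_PACKET case.
 * Returns the number of bytes changed, or -1 if the buffer is not a
 * well-formed IPv4/TCP packet (nothing is modified in that case). */
int rewrite_tcp_payload(uint8_t *pkt, size_t len, uint8_t fill, size_t n)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)(pkt[2] << 8 | pkt[3]);
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6) return -1;
    uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    size_t avail = tot - ihl - doff;          /* bytes of TCP payload present */
    if (n > avail) n = avail;                 /* never write past the packet */
    memset(tcp + doff, fill, n);
    tcp[16] = tcp[17] = 0;                    /* zero the field, then recompute */
    uint16_t c = tcp_checksum(pkt, ihl, tot - ihl);
    tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)(c & 0xff);
    return (int)n;
}

/* In the handler (libipq calls as in the post; queue mode IPQ_COPY_PACKET):
 *   rewrite_tcp_payload(m->payload, m->data_len, 'a', 20);
 *   ipq_set_verdict(pHandle, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
 */
```

A receiver validates the segment the same way: tcp_checksum over a packet whose checksum field is filled in returns 0 when the segment is intact.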

 

 


