unable to reinject the IP packets using ipq_set_verdict (libipq API)
srinivasg at esntechnologies.co.in
Mon Dec 20 13:03:03 CET 2004
I developed a small application which uses the libipq APIs to capture
the IP packets using netfilter hook. (Here I am not using the iptables.)
I used the netfilter hook module to queue the packets in the kernel
space using NF_QUEUE verdict. At the user side I am using the ip_queue
module and then libipq APIs to read the queued packets from the kernel.
When I try to print the packet's data in the libipq application it was
printed perfectly. But when I try to reinject the modified packet back
to kernel space using the ipq_set_verdict, it was not working. See the
attached code below.

    ipq_packet_msg_t *m = ipq_get_packet(buf);
    unsigned char *packet = (unsigned char *)m +
    unsigned int header_length = 0;
    struct iphdr *iph;
    struct tcphdr *tcph;
    unsigned char *payload;
    /* calculate the IP header length */
    iph = (struct iphdr *)packet;
    header_length += iph->ihl * 4;
    /* calculate the TCP header */
    tcph = (struct tcphdr *)(packet +
    header_length += tcph->doff * 4;
    /* compute the payload */
    payload = packet + header_length;
    /* length of the packet data is */
    printf("Packet length = %d!\n",m->data_len);
    /* address of the packet in the memory */
    printf("Packet address in the memory :
    /* address of the payload in the memory */
    printf("payload address in the memory :
    printf("%c",*(payload + i));
    *(payload + i) = 'a';
    /* after modification re-inject the packet into
     * the kernel space i.e. issue the verdict */
    status = ipq_set_verdict(pHandle, m->packet_id,
    NF_ACCEPT, 0, NULL);
    if (status < 0)

I modified the following line in different ways with different arguments
for the 4th and 5th parameters. I read the man page of ipq_set_verdict
and modified those variables.

    status = ipq_set_verdict(pHandle, m->packet_id, NF_ACCEPT, 0, NULL);

Instead of sending the 0 and NULL, I sent:
1. Application defined buffer length and application defined buffer pointer.
2. m->data_len and packet pointer
3. 20 (number of characters I modified in the application) and payload pointer
4. m->data_len and m
I tried with other combinations, not only the above mentioned combinations.
Even so, I was unable to retransmit the modified packet.
How am I testing it? I connected two individual systems using a CROSS
CABLE. On one system I am running the client program and on the other system
I am running the server program and libipq application. On the server
machine I am receiving the original data instead of the modified one.
Any help greatly appreciated.
Thanks and regards,
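
Added example, not part of the original post: the 4th and 5th arguments of ipq_set_verdict (data_len and buf) carry the replacement packet, and a changed TCP payload also needs its TCP checksum recomputed, because the receiving stack discards segments whose checksum does not match. The sketch below works on a raw IPv4 buffer such as m->payload with length m->data_len; the helper names and the sample packet are constructed for illustration, and the resulting buffer would be handed back with ipq_set_verdict(h, m->packet_id, NF_ACCEPT, m->data_len, m->payload).

```c
#include <stdint.h>
#include <string.h>

/* RFC 1071 ones'-complement sum of big-endian 16-bit words; an odd last byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}
/* TCP segment inside an IPv4 packet of len bytes (m->data_len); NULL if malformed or not TCP. */
static uint8_t *tcp_segment(uint8_t *pkt, size_t len, size_t *seg_len) {
    size_t ihl = len < 20 ? 0 : (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6 || len < ihl + 20) return NULL;
    *seg_len = len - ihl;
    return pkt + ihl;
}
/* Checksum over pseudo-header (addresses, protocol 6, TCP length) + segment; 0 means valid. */
static uint16_t tcp_sum(const uint8_t *pkt, const uint8_t *seg, size_t n) {
    uint32_t acc = sum16(seg, n, sum16(pkt + 12, 8, 6 + (uint32_t)n));
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
int tcp_checksum_ok(uint8_t *pkt, size_t len) {
    size_t n; uint8_t *seg = tcp_segment(pkt, len, &n);
    return seg && tcp_sum(pkt, seg, n) == 0;
}
/* Call after editing the payload and before issuing the verdict with the modified buffer. */
int tcp_checksum_fix(uint8_t *pkt, size_t len) {
    size_t n; uint16_t c; uint8_t *seg = tcp_segment(pkt, len, &n);
    if (!seg) return -1;
    seg[16] = seg[17] = 0;                      /* field counts as zero while summing */
    c = tcp_sum(pkt, seg, n);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    return 0;
}
/* The post's edit: overwrite up to n payload bytes with c, never past the end of the packet. */
size_t overwrite_payload(uint8_t *pkt, size_t len, size_t n, uint8_t c) {
    size_t seg_len = 0, doff; uint8_t *seg = tcp_segment(pkt, len, &seg_len);
    doff = seg ? (size_t)(seg[12] >> 4) * 4 : 0;
    if (doff < 20 || doff > seg_len) return 0;
    if (n > seg_len - doff) n = seg_len - doff;
    memset(seg + doff, c, n);
    return n;
}
size_t make_sample(uint8_t *buf) {  /* constructed: 20-byte IPv4 + 20-byte TCP + 20-byte payload */
    static const uint8_t hdr[40] = { 0x45,0,0,60, 0,1,0x40,0, 64,6,0,0, 192,0,2,1, 192,0,2,2,
        0x30,0x39,0,80, 0,0,0,1, 0,0,0,1, 0x50,0x18,0xff,0xff, 0,0,0,0 };
    memcpy(buf, hdr, 40);
    memcpy(buf + 40, "hello from client!!!", 20);
    return tcp_checksum_fix(buf, 60) == 0 ? 60 : 0;
}
```

The IPv4 header checksum covers only the IP header, so it stays valid as long as the packet length and header fields are unchanged.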