Q about netfilter and packet modifications
bsnyder at idirect.net
Thu Jan 11 16:06:52 CET 2007
I'm working on a test program using libipq and iptables (to route packet
I have a test program working that does all of the above, now I want to
start adding some of my smarts into the program, and one thing I want to
do is add some TCP options into certain types of TCP packets.
So I believe I understand what I have to do, or at least I'm rather
close, but I would just like some confirmation that I'm on the correct
1) Create a totally new 'message buffer' of the appropriate size, to
house the original packet in its entirety, plus the extra bytes I need
to add for my new TCP option.
2) Copy over all the original headers into this new memory space... Then
add in my own TCP headers.
3) 'Merge' the tcp data packet itself into the new structure, AFTER my
added tcp header.
4) Re-compute all required checksums
5) Re-aim msg->payload to my new structure.
6) ?? Do I need to free the old msg->payload or does the kernel know to
do this for me ??
7) Send back an ipq_set_verdict, with all the params set to show I
mangled the packet a bit.
I'm concerned about the processing this will take, as it looks like
there will need to be 2 different calls to memcopy, totalling the full
length of every packet.
Can I mangle JUST the headers if I set the mode to IPQ_COPY_META, and
would it integrate my header changes in with the packet data
automagically? That would save me a lot of the memcopy for large
I plan on setting the MTU in accordance with the space needed to add my
options, so it shouldn't cause any fragmentation.
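
Steps 1 to 4 of the procedure above, as an added example that is not part of the original post: it rebuilds an unfragmented IPv4/TCP packet into a caller-supplied buffer with one extra option appended and both checksums recomputed. The function name tcp_insert_option and its helpers are hypothetical, and the option is assumed to be already padded to a multiple of 4 bytes; the returned length and the output buffer are what libipq's ipq_set_verdict() takes as its data_len and buf arguments.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 one's-complement sum over len bytes, continuing from sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Copies the packet at in[] to out[] with opt[] appended to the TCP options.
 * Returns the new packet length, or 0 if the input is not an unfragmented
 * IPv4/TCP packet or the result would not fit. Added example; names are
 * hypothetical. Assumes existing options do not end in End-of-Option-List. */
size_t tcp_insert_option(const uint8_t *in, size_t in_len, uint8_t *out,
                         size_t out_cap, const uint8_t *opt, size_t opt_len) {
    if (in_len < 40 || (in[0] >> 4) != 4 || in[9] != 6) return 0;
    if ((in[6] & 0x3f) || in[7]) return 0;            /* MF set or offset != 0 */
    size_t ihl = (in[0] & 0x0f) * 4u;
    if (ihl < 20 || in_len < ihl + 20) return 0;
    size_t thl = (in[ihl + 12] >> 4) * 4u;
    size_t tot = (size_t)in[2] << 8 | in[3];
    if (thl < 20 || tot != in_len || ihl + thl > in_len) return 0;
    if (opt_len == 0 || opt_len % 4 || thl + opt_len > 60) return 0;
    size_t out_len = in_len + opt_len, hdrs = ihl + thl;
    if (out_len > 0xffff || out_len > out_cap) return 0;

    memcpy(out, in, hdrs);                                  /* IP + TCP headers */
    memcpy(out + hdrs, opt, opt_len);                       /* new option */
    memcpy(out + hdrs + opt_len, in + hdrs, in_len - hdrs); /* TCP payload */

    put16(out + 2, (uint16_t)out_len);                      /* IP total length */
    out[ihl + 12] = (uint8_t)(((thl + opt_len) / 4) << 4 | (in[ihl + 12] & 0x0f));
    put16(out + 10, 0);                                     /* IP header checksum */
    put16(out + 10, csum_fold(csum_add(0, out, ihl)));

    size_t tcp_len = out_len - ihl;                         /* pseudo-header + segment */
    uint32_t sum = csum_add(0, out + 12, 8) + 6 + (uint32_t)tcp_len;
    put16(out + ihl + 16, 0);
    put16(out + ihl + 16, csum_fold(csum_add(sum, out + ihl, tcp_len)));
    return out_len;
}
```

The 60-byte ceiling on the TCP header comes from the 4-bit data offset field, so a packet whose option space is already full is rejected rather than truncated.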