Reading pkt at pre_routing, modifying and sending out again

[Bos, H.J.]

Hi,

This is a newbie question. I am trying to use netfilter to process pkts that
come in at the pre_routing hook. I want to modify the pkts and send them out
again, very much like Jeff Long's mirror.c program.

However, I am having problems getting mirror to work properly. This is what
I have done:

1. turned on ip_fowarding: echo 1 > /proc/sys/net/ipv4/ip_forward 

2. insmod netfilter_dev

3. insmod iptables

4. set the policy for FOWARD to ACCEPT: iptables -P FOWARD ACCEPT

Next, i have written a module 'myfilter' that grabs pkts from the netfilter.
It does a 'nf_register_hook' to register interest in the PRE_ROUTING hook.
The module returns a verdict NF_QUEUE for all ICMP pkts (and this is all it
does). I also load this module:

4. insmod myfilter.o

5. Finally I start the application: mirror.


What happens is the following:

*	When I ping the machine, the mirror application receives the ICMP
pkt (and prints "PING")
*	At the 3rd ping it should reflect the ICMP echo request, however:
*	after it has swapped the IP source and IP dest addresses and returns
the verdict ACCEPT, *nothing* seems to happen, i.e. I see now pkts
whatsoever on the network.

When I do a snoop on the workstation from which the ping was sent, I get the
following results (all ICMP messages for 3 ping requests, where 'faraday' is
the mirror machine and 'berry' is the machine from which the ping is sent):

	bash$ snoop -V -o log
	Using device /dev/le (promiscuous mode)
	79 ^C
	bash$ snoop -i log | grep ICMP
	 18   0.01108        berry -> faraday.research.kpn.com ICMP Echo
request
	 19   0.01357 faraday.research.kpn.com -> berry        ICMP Echo
reply
	 41   0.03984        berry -> faraday.research.kpn.com ICMP Echo
request
	 42   0.01134 faraday.research.kpn.com -> berry        ICMP Echo
reply
	 65   0.06830        berry -> faraday.research.kpn.com ICMP Echo
request
	 70   0.26646        berry -> faraday.research.kpn.com ICMP Echo
request
	 71   0.00988 faraday.research.kpn.com -> berry        ICMP Echo
reply

The above shows the two first pings working normally, while the third ICMP
request (line 70) remains without reply, but is also not followed by a
reflected ICMP echo request from faraday.

Any clues as to why the written pkt never shows up on the network?

All help *greatly* appreciated.

Cheers,

Herb

PS: Here's the output produced by my mirror application for the 3 pings
(part of the pkts is also dumped):

faraday$ ./mirror
---------------------------------------------------------
PING!
45  0  0 54 7b 65 40  0 fa  1 ba b4 8b 3f f1 c2 8b 3f 42 4d 
 8  0 81 f2 20 8a  0  0 38 ba 5b fe  0  3 d5 c4  8  9  a  b 

---------------------------------------------------------
PING!
45  0  0 54 7b 66 40  0 fa  1 ba b3 8b 3f f1 c2 8b 3f 42 4d 
 8  0 ff 58 20 8b  0  0 38 ba 5c  0  0  4 58 5a  8  9  a  b 

---------------------------------------------------------
PING!
45  0  0 54 7b 67 40  0 fa  1 ba b2 8b 3f f1 c2 8b 3f 42 4d 
 8  0 f0  0 20 8c  0  0 38 ba 5c  1  0  4 67 b0  8  9  a  b 

  mirrored
I have written the following pkt
45  0  0 54 7b 67 40  0 fa  1 ba b2 8b 3f 42 4d 8b 3f f1 c2 
 8  0 f0  0 20 8c  0  0 38 ba 5c  1  0  4 67 b0  8  9  a  b 

---------------------------------------------------------
PING!
45  0  0 54 7b 68 40  0 fa  1 ba b1 8b 3f f1 c2 8b 3f 42 4d 
 8  0 f8 55 20 8c  0  1 38 ba 5c  2  0  4 5f 59  8  9  a  b 



(the last ping seems to be a retry).