Wondering why this queue handler doesn't work

Alexander Demenshin aldem-nf@aldem.net
Tue, 25 Jul 2000 01:03:02 +0200


On Mon, Jul 24, 2000 at 06:13:01PM +0200, Alexander Demenshin wrote:

>   So here you have to supply IP packet, not packet received from kernel
>   (which contains a little bit more information and does not start with
>   IP packet). You have to:
>   
> >   if (ipq_set_verdict(qh, qpkt->packet_id, NF_ACCEPT, qpkt->data_len, iph) < 0) {

  One more thing... You have to recalculate (or just modify in some way; though
  I am not sure it will be recalculated by the kernel on interfaces other than local)
  the checksum field of the modified packet (if it is not changed, the packet will not be
  modified when sent back to the kernel). I did it like this:
  
  /* Some basic magic: mask out middle part of address
   * (so 127.x.x.n will become 127.0.0.n and so on;
   * but please keep in mind that here is no check for
   * 127.* so be careful :). Mangling is not performed
   * if we are not in PREROUTING hook.
   * And last: if checksum is NOT modified packet will
   * be sent back _unaltered_! (Damn! I hate to calculate
   * checksums!)
   */
  if (qpkt->hook == 0) {
          /* Yes, yes, I know that there is no need to ntohl() here
           * but I like to be as accurate as possible :)
           */
          iph->saddr &= ~ntohl(0x00ffff00);
          iph->daddr &= ~ntohl(0x00ffff00);
          /* Hmm... Just [semi?] random value :) */
          iph->check = 0x1122;
  }

  Then, when I tried to ping 127.1.1.1, I got a reply from 127.0.0.1; all was fine
  with this rule:
  
  iptables -t mangle -I PREROUTING -d 127.1.1.1 -j QUEUE
  
  Concerning typecasting: you can just cast (void *)iph and that's all.
  
  -- Sometimes I've to look into sources... ---
  
/Al
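The post above mangles the addresses and then writes an arbitrary value into iph->check so that the packet is not handed back unchanged. An added example (not from the post or from libipq) that does the same address mangling but recomputes the RFC 1071 header checksum properly, and adds the 127/8 check the post's comment says is missing. It works on a raw 20-byte IPv4 header by byte offset, so it needs no <linux/ip.h> and is endian-independent; the sample header is constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20

/* RFC 1071 one's-complement sum over the header, taken as big-endian
 * 16-bit words. Computed with the checksum field zeroed, the result is
 * the value to store (big-endian) in bytes 10..11; computed over a
 * header whose checksum field is already filled in, the result is 0. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (i < len)                       /* odd trailing byte (not for IPv4 headers) */
        sum += (uint32_t)(hdr[i] << 8);
    while (sum >> 16)                  /* fold carries back into the low 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes from the IHL field; 0 if the byte does not look like IPv4. */
size_t ipv4_hlen(const uint8_t *hdr)
{
    size_t hlen;
    if ((hdr[0] >> 4) != 4)
        return 0;
    hlen = (size_t)(hdr[0] & 0x0f) * 4;
    return hlen < IPV4_MIN_HLEN ? 0 : hlen;
}

/* Recompute and store the header checksum in place. */
void ipv4_fix_checksum(uint8_t *hdr)
{
    size_t hlen = ipv4_hlen(hdr);
    uint16_t c;
    if (!hlen)
        return;
    hdr[10] = hdr[11] = 0;
    c = ipv4_header_checksum(hdr, hlen);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xff);
}

/* 1 if the stored header checksum verifies, else 0. */
int ipv4_checksum_ok(const uint8_t *hdr)
{
    size_t hlen = ipv4_hlen(hdr);
    return hlen != 0 && ipv4_header_checksum(hdr, hlen) == 0;
}

/* The mangling from the post (127.x.y.n -> 127.0.0.n on both saddr and daddr),
 * restricted to 127/8 and followed by a real checksum update.
 * Returns 1 if the header was modified, 0 otherwise. */
int mangle_loopback_addrs(uint8_t *hdr)
{
    int changed = 0;
    if (!ipv4_hlen(hdr))
        return 0;
    if (hdr[12] == 127 && (hdr[13] | hdr[14])) {   /* saddr at offset 12 */
        hdr[13] = hdr[14] = 0;
        changed = 1;
    }
    if (hdr[16] == 127 && (hdr[17] | hdr[18])) {   /* daddr at offset 16 */
        hdr[17] = hdr[18] = 0;
        changed = 1;
    }
    if (changed)
        ipv4_fix_checksum(hdr);
    return changed;
}

/* Constructed sample: ICMP, 127.0.0.1 -> 127.1.1.1, checksum field left zero. */
const uint8_t SAMPLE_HDR[IPV4_MIN_HLEN] = {
    0x45, 0x00, 0x00, 0x54, 0x12, 0x34, 0x40, 0x00, 0x40, 0x01,
    0x00, 0x00, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x01, 0x01, 0x01
};

/* Copy the sample, mangle it, and return the recomputed checksum (host order). */
uint16_t demo_mangle(uint8_t out[IPV4_MIN_HLEN])
{
    memcpy(out, SAMPLE_HDR, IPV4_MIN_HLEN);
    mangle_loopback_addrs(out);
    return (uint16_t)((out[10] << 8) | out[11]);
}

int main(void)
{
    uint8_t h[IPV4_MIN_HLEN];
    uint16_t c = demo_mangle(h);
    printf("daddr after mangling: %u.%u.%u.%u, checksum 0x%04x, verifies: %d\n",
           h[16], h[17], h[18], h[19], c, ipv4_checksum_ok(h));
    return 0;
}
```

Because the sum is formed from big-endian 16-bit words and stored back big-endian, the same code gives the right wire value on little- and big-endian hosts, which is the point the post's ntohl() remark is circling around. The same routine can be used after any header change made in a QUEUE handler, not just this address rewrite.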