Stealing IP packet in kernel space and reinjecting later

Brad Chapman kakadu_croc@yahoo.com
Mon, 13 Aug 2001 12:29:23 -0700 (PDT) 

Mr. Masson,

--- Herve Masson <herve@mindstep.com> wrote:
> 
> > Uggh. You have to do EVERYTHING in kernel space? Eeewww. Have a look
> > at Rusty's Unreliable Guide to Kernel Hacking and you'll see why that's
> bad.
> 
> Yes, I know, but what I need to do in kernel space is relatively tiny
> and safe. It may be good to move it in userland, but I've others constraints
> I cannot play with :-(

	Read Rusty's guide anyway; it will help you understand how to keep
your code tiny and safe ;-)

> 
> > > I was also thinking of another approach that would allow any netfilter
> > > hook code to "obtain" the nf_info structure and store it until it needs
> > > to reinject the packet later. In that case, it would use nf_reinject just
> > > like the regular queuing code.
> >
> > IDGT. What do you mean by "obtain?" Are you talking about cross-
> > function variable sharing where a netfilter hook spins or schedule()s until
> a
> > queue handler gets an nf_info for the same packet the hook was passed?
> 
> My explaination was pretty unclear, sorry, I'll try to complete it. The goal
> is to stay away form the current queuing mecanism (and leave it available
> for usual purpose) while using the way it handle packet reinjection.
> 
> I was thinking of a function (I'm actually experimenting it) that allocate
> and
> populate a nf_info structure. I would call this function from inside the hook
> code itself:
>

	Ahhh. So you want to get packets in a netfilter hook, create
arbitrary nf_info structures and then re-inject them after the hook drops
the packet on the floor?

	Ummm.....why would you want to do that? Are you trying to do
your packet mangling in kernelspace because you can't use the QUEUE target?
i.e. you receive packet from netfilter hook, you return NF_STOLEN, you
mangle it, and then you use your nf_getinfo() function to build an nf_info
so you can call nf_reinject()?

	This sounds like way too much trouble. Too bad about the userspace
requirement, because I would simply suggest that you use the libipqmpd
library/daemon provided by Harald Welte. Basically the daemon process ipqmpd
uses libipq to connect to the ip_queue module, and then libipqmpd allows
multiple registrars to ipqmpd, which receives packets from ip_queue and
distributes them.

> 
> Hervé Masson
> 

Brad


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net

Reply to the address I used in the message to you,
please!

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/