Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?

From: João Paulo Caldas Campello (protecao_at_gmail.com)
Date: 04/16/05

  • Next message: Ayaz Ahmed Khan: "Announcing PAKCON II (2005)!"
    Date: Fri, 15 Apr 2005 20:12:24 -0300
    To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
    
    

    On 4/14/05, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:

    > Currently, iptables doesn't seem to support that, probably to keep you from
    > shooting yourself in the foot. Consider for example how fast the kernel will
    > fold up if you change that first nybble of the packet from an x'4' to an x'6'
    > without changing the rest of the packet to match. Suddenly, that sk_buff is
    > a lot too short.. ;)

    Yeah, maybe, who knows :P

    Well, I did some searching over the last few days and found a couple of
    ways to achieve what I described in my email.

    One is using "DIVERT sockets" and the other is the use of the "-j QUEUE"
    target of iptables/netfilter. Both approaches are similar: you match
    packets using iptables to flush them to userspace, where you can mangle
    the entire packet as you like and send it back to iptables, which will
    put it back onto the stack.

    The "-j QUEUE" approach is manipulated through the "libipq" API:

    - netfilter can feed userspace using IPQUEUE:
      * http://www.crhc.uiuc.edu/~grier/projects/libipq.html

    - Perl:
      * http://www.intercode.com.au/jmorris/perlipq/

    - Python:
      * http://woozle.org/~neale/src/ipqueue/

    As you can see, there are already libraries written in Perl and Python
    to query IPQUEUE, so the effort of writing userspace code to deal with
    IP packets will be much easier.

    That's it =)

    Cheers,

    João Paulo.
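Whichever path carries the packet to userspace (DIVERT or libipq), the mangling program then owns the consistency the kernel normally guarantees, which is the point of the warning quoted above: the version nybble, IHL and total length must still match the buffer, and the header checksum must be recomputed before the packet is handed back. As an added example (not code from this thread or from libipq), the consistency check and checksum recompute such a program should run before returning a modified packet, written in Python on a constructed datagram so it runs stand-alone; the queue/verdict calls themselves are left out.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header words; returns 0 for a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def validate_ipv4(packet: bytes) -> None:
    """Raise ValueError if version, IHL, total length or checksum disagree with
    the buffer; a packet failing this must not be reinjected."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("version nybble %d is not IPv4" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL %d inconsistent with buffer" % ihl)
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len != len(packet):
        raise ValueError("total length %d != buffer %d" % (total_len, len(packet)))
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")

def is_consistent(packet: bytes) -> bool:
    """True when validate_ipv4 accepts the packet, False otherwise."""
    try:
        validate_ipv4(packet)
        return True
    except ValueError:
        return False

def set_ttl(packet: bytes, ttl: int) -> bytes:
    """Return a copy with a new TTL and a recomputed header checksum (a header
    change that is safe to reinject because the rest of the packet still matches)."""
    validate_ipv4(packet)
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"  # checksum field is zeroed while computing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_sample() -> bytes:
    """Constructed sample: 20-byte header (TTL 64, proto 17, 192.0.2.1 -> 192.0.2.2)
    followed by an 8-byte zero payload; addresses are documentation-range placeholders."""
    payload = b"\x00" * 8
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

Flipping the sample's first nybble from 4 to 6 without touching the rest is exactly what the checker rejects, while a TTL change with a recomputed checksum passes.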


