Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?

From: João Paulo Caldas Campello (protecao_at_gmail.com)
Date: 04/16/05

  • Next message: Mel Drews: "re: Mail Server problem / query"
    Date: Fri, 15 Apr 2005 20:32:45 -0300
    To: Kary Rogers <kdr7@msstate.edu>
    
    

    On 4/13/05, Kary Rogers <kdr7@msstate.edu> wrote:

    Kary,

    > I think you can do this with divert sockets. I've used divert sockets
    > on FreeBSD and MacOS X to change TCP flags. There's a how-to for
    > linux:
    > http://www.faqs.org/docs/Linux-mini/Divert-Sockets-mini-HOWTO.html

    Very nice. I've read the documentation and it seems easy. Thanks a lot.

    Some guys provided me a lot of links, including documentation of the
    "libipq" API and libraries written in Perl and Python, so it will be
    much easier to write userspace code to deal with the IP packets
    and flush them back to netfilter, which will bring the packet back to
    its normal flow.

    Thanks to all the guys who helped me, either by pointing out some links
    and documentation or just by discussing the topic.

    Some other useful links:

    * IP QUEUE:
    - netfilter can feed userspace using IPQUEUE:
       * http://www.crhc.uiuc.edu/~grier/projects/libipq.html
    - Perl:
       * http://www.intercode.com.au/jmorris/perlipq/
    - Python:
       * http://woozle.org/~neale/src/ipqueue/

    The "DIVERT sockets" and "-j QUEUE" target approaches are similar: you
    can use iptables rules to match some packets and flush them to
    userspace, where you can mangle the entire IP packet as you like and
    send it back to netfilter, thus continuing its normal flow into the
    stack.

    I think now it'll be much easier to address this problem, either using
    DIVERT sockets or the IPQUEUE libraries for Perl and Python.

    Thanks again and cheers,

    João Paulo.
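As an added example (not from the thread or from any of the libraries it links), the userspace half of the QUEUE/divert approach described above in Python: whichever IP header field the handler rewrites, it has to recompute the IPv4 header checksum before handing the packet back, or the stack drops it as corrupt. The sample header is constructed, and the names ip_checksum, fix_checksum and set_ttl are chosen here.

```python
import struct

# Constructed sample: a 20-byte IPv4 header (no options) of a TCP packet,
# TTL 64, checksum field zeroed; payload omitted.
SAMPLE_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45,    # version 4, IHL 5 (20 bytes)
    0x00,    # TOS
    40,      # total length: this header plus a 20-byte TCP header
    0x1234,  # identification
    0x4000,  # flags (DF) + fragment offset
    64,      # TTL
    6,       # protocol: TCP
    0,       # header checksum, filled in by fix_checksum()
    bytes([192, 0, 2, 1]),     # source 192.0.2.1
    bytes([198, 51, 100, 7]),  # destination 198.51.100.7
)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header.
    Over a header with the checksum field zeroed it returns the value
    to store; over a header carrying a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def header_len(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4  # IHL is in 32-bit words

def fix_checksum(packet: bytes) -> bytes:
    """Recompute the header checksum after any header field changed."""
    hl = header_len(packet)
    hdr = bytearray(packet[:hl])
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hl:]

def checksum_ok(packet: bytes) -> bool:
    return ip_checksum(packet[:header_len(packet)]) == 0

def set_ttl(packet: bytes, ttl: int) -> bytes:
    """Rewrite the TTL byte (offset 8) and fix the checksum, as a queue
    handler must before re-injecting. TOS (offset 1) works the same way;
    rewriting addresses or ports also needs the TCP/UDP checksum redone."""
    pkt = bytearray(packet)
    pkt[8] = ttl & 0xFF
    return fix_checksum(bytes(pkt))
```

The same fix-up applies to packets taken from nfnetlink_queue, which replaced the ip_queue module in later kernels.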

