How to send copied skb in netfilter hook?

simon_qwl · 10-05-2007, 01:53 AM

Hi all,
I have encountered some issues regarding to netfilter hooks. My intention is to monitor the traffic and make a skb_copy() call on the specific packets. Because i need to modify the content. After modification process, i need to send this new skb out as usual. However,i couldn't do so by calling skb_queue_head(). is there any tutorials on this subject?

Thank you very much for your hints.

orgcandman · 10-05-2007, 12:59 PM

Check out http://people.nl.linux.org/ftp/pub/a...kernelapi.html

Seems like dev_queue_xmit is the function you want?

simon_qwl · 10-05-2007, 01:20 PM

Thanks for the link,orgcandman.
As i understand, dev_queue_xmit() will put the skb into queue of network card to wait for transmitting out. does it mean the skb will skip ANY other hook points?(NF_IP_LOCAL_IN,etc),because the hook is registered in NF_IP_PRE_ROUTING.

simon_qwl · 10-06-2007, 05:51 AM

i have tried using following code as testing:

Code:

new_skb = skb_copy(old_skb, GFP_ATOMIC);
if(new_skb){
     skb_unlink(new_skb);
     skb_queue_head(old_skb->list,new_skb);
     return NF_DROP;
}
     return NF_ACCEPT;

However, the system is hung immediately when the module is inserted. something wrong with the code or it's not the way to do it?

simon_qwl · 10-06-2007, 11:18 PM

Great,problem has been solved as following:

Code:

new_skb = skb_copy(old_skb, GFP_ATOMIC);
.
.
modification process on the new_skb
.
.
if(new_skb){
     kfree_skb(*skb);
     *skb = new_skb
     return NF_ACCEPT;
}

Basically, the original *skb points to the new_skb and return NF_ACCEPT. I use another hook in NF_IP_LOACAL_IN to detect the modified packets, so it works.
However I hope there are further discussion on how to generate and insert more than one skb into list for delivery?

amir_saniyan · 04-18-2012, 05:24 AM

Quote:

Originally Posted by simon_qwl

Great,problem has been solved as following:

Code:

new_skb = skb_copy(old_skb, GFP_ATOMIC);
.
.
modification process on the new_skb
.
.
if(new_skb){
     kfree_skb(*skb);
     *skb = new_skb
     return NF_ACCEPT;
}

Basically, the original *skb points to the new_skb and return NF_ACCEPT. I use another hook in NF_IP_LOACAL_IN to detect the modified packets, so it works.
However I hope there are further discussion on how to generate and insert more than one skb into list for delivery?

Yes it works, Thanks

But I should comment kfree_skb(*skb); when I uncomment kfree_skb(*skb); my OS hangs.