Hi!

I have created a virtual network device called im0 by writing a kernel module. The device is not associated to any hardware so in order for it to receive any data, the data must be forwarded from some other device such as eth0 or similar.

I was thinking about using netfilter/iptables to forward ALL traffic recieved at eth0 to im0, but I'm having some problems setting up iptables ;-)

I've read a bunch of guides for iptables, but I guess my scenario is kinda special. Can somebody give some simple iptable rules for forwarding ALL traffic from eth0 to im0?

Thanks!

Interesting idea. Not sure netfilter iptables can understand im0. I know iptables does not understand alias IP like eth0:0. So one has to use the IP instead of eth0:0 with iptable commands. If you can assign it an IP then that might work. Other thought is maybe you can create it as eth1 or somehow link im0 to eth1.

Brian1

Hello heltendk,

I think the proper idea to make 'im0' work is to create a virtual adapter 'eth0:0' and then link it to 'im0'. After that you can use the NAT feature of iptables to forward the traffic destined for 'eth0' to 'eth0:0'. For that you can use the following command.

You would need the modules 'iptable_nat' and 'ip_conntrack' for NATing.

# iptables -t nat -A PREROUTING -d 'IP of eth0' -p tcp -j DNAT --to 'IP of eth0:0'

If you are specific on the data coming in onto a port, then you can use the '-d' switch and specify the port number.

I hope this clarifies your problem. Please reply if anything interesting happens.

Thanks....

Thanks for your replies!

I had to take another approach, since virtual devices have problems receiveing packets :-P Devices associated to some hardware receives an interrupt when data is available.

Instead I created a hook to netfilter from my virtual device, so that each time a packet enters the kernel, I can steal it and modify it, so it appears to originate from the virtual device (im0).

I need to steal packets from multiple devices (wlan0, bsl0, ...) and it actually works quite well now :-)

is it possbible to let me know how to modify those packets?
i have tried many times but no luck. even ping didn't work...


something happened but i dont know why, e.g.
sb_new -> protocol = eth_type_trans(sb_new, vii_dev), the return is 43200 !!! etc...
thanks in advanced....

i have been trying to write a virtual interface like yours but no luck. what i did is
(1) get the packet from netfilter. simply use the hook_func
(2) make a copy of the coming sk_buff to a new sk_buff sb_new(sb is the skbuff from the netfilter). using dev_alloc_skb, memcpy( skb_put(sb_new,sb->len), sb->data,sb->len),assign dev( the virtual interface name), and eth_type_trans(sb_new, virtual_interface_name). but it does't work!!!


i am so frustrated.

could you please help me to figure out where is the problem. it would be a great help if you can give me part of your code.

thank you so much.

seems problem solved, not 100% sure yet. the key point is the rebuild of the header. and even eth_type_trans returns a weird value, it still works... under investigation...

it turned out the statement above is not correct.........
i have made sure all addresses are correct, and i have printed out all of them, it should works. BUT, it doesn't. the computer became very slow and it seems it is doning something inside and eats up most of the CPU time. don't know the reason. who knows any hint. please drop me one or two lines. thank you so much.

I have question about your hooking. I have a similar requriement whereby i have a virtual device sitting on top of two physical driers (eth0\1). Now the system is running in bridged mode whereby i want the bridge to attach to my virtual adapters (a, b) which are in turn attached to the physcial drivers for transmission. I dont want the brdige to even know about the real eth0/1. Ive been looking deep into the kernel code and it seems i have a similar issue as yourself. How can i force packets coming inbound from eth0/1 to be forwarded to my virtual adapters, so that the brdige functoins properly in tx/rx directions? I was thinking of using:

.hook = function,
87 .owner = THIS_MODULE,
88 .pf = PF_BRIDGE,
89 .hooknum = NF_BR_BROUTING ,
90 .priority = NF_BR_PRI_FIRST,

which is a nice hook that can intercept packets before they reach the bridge ports. However looking at dev.c netif_receive_skb() it seems the bridge will always get a packet before any netfilter hook, however inside the bridge frame handling code it will actually process all items in NF_BR_BROUTING chain first, so i can intercept it there and do whatever i need.

I was also thinking of using the divert_frame function which can essentially process a skb before it even reaches the bridge but it seems to not offer any substantial advantages.

All in all, these solutions allow me to hook it and see the skb, and what i need even before my bridge sees it but my problem is a little bit different. I just want have all tx/rx traffic go through my virtual interfaces because of the special conditions a bridge poses. ; namely the bridge requires its slave interfaces to do both tx/rx and attaching strictly tx virtual if(s) to the bridge handles tx fine, however the rx is another story. All packets arriving on the physical boards seem to enter a black hole because they have nowhere to go (there is no ip routing whatsoever due to a bridge setup, none of the physical and virtual ifs have ip addresses, there is only the bridge).

Too much rambling, but can you offer some insight into a good solution for having virtual adapters "masking" the physical adapters from a bridge so that i can shape traffic in all directions on the bridged host from both NIC cards via my virtual adapters while hidhing the presence of the eth0/1 completely from the bridge.


Thanks

Jay