Hello, I am trying to use netfilter to program my own firewall. To make a forwarding test to the local machine, I made a test program that change a certain destination IP address in the PRE ROUTING HOOK to my local machine, I changed back the source IP address in the POST ROUTING hook to the old destination address. I computed TCP and IP checksums in this hook but I still have a bad TCP checksum on the receiver. I can see in the POST ROUTING hook that my checksum was changed! Below is my code
#include <linux/module.h> #include <linux/kernel.h> #include <linux/proc_fs.h> #include <linux/list.h> #include <asm/uaccess.h> #include <linux/udp.h> #include <linux/tcp.h> #include <linux/skbuff.h> #include <linux/ip.h> #include <linux/netfilter.h> #include <linux/netfilter_ipv4.h> #include <net/ip.h> static struct nf_hook_ops nfho; static struct nf_hook_ops nfho_out; unsigned int hook_func_in(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { u32 local = 1090627776; //my machine IP 192.168.1.65 struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb); struct tcphdr *tcp_header = (struct tcphdr *)skb_transport_header(skb); unsigned int src_port = (unsigned int)ntohs(tcp_header->source); ip_header->daddr = local; //printk(KERN_INFO "PRE: saddr: %pI4 %u, daddr: %pI4, %u", &ip_header->saddr, ip_header->saddr, &ip_header->daddr, ip_header->daddr); //printk("IN saddr: %pI4 daddr: %pI4 len: %u check: %x\n", &ip_header->saddr, &ip_header->daddr, src_port, tcp_header->check); return NF_ACCEPT; } unsigned int hook_func_out(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb); u32 dest = 388809389; //the old destination ip ip_header->saddr = dest; struct tcphdr *tcp_header = (struct tcphdr *)skb_transport_header(skb); tcp_header->check = 0; int len = skb->len-20; unsigned int src_port = (unsigned int)ntohs(tcp_header->source); tcp_header->check = csum_tcpudp_magic(ip_header->saddr, ip_header->daddr, len, IPPROTO_TCP, csum_partial((char *)tcp_header, len, 0)); ip_header->check = 0; ip_send_check (ip_header); //to check changes printk( "saddr: %pI4 daddr: %pI4 check: %x\n", &ip_header->saddr, &ip_header->daddr, tcp_header->check); int i; for (i=0; i<skb->len; i++) printk("%x", skb->data[i]); printk("\n"); return NF_ACCEPT; } /* Initialization routine */ int init_module() { printk(KERN_INFO "initialize kernel module\n"); /* Fill in the hook structure for incoming packet hook*/ nfho.hook = hook_func_in; nfho.hooknum = NF_INET_PRE_ROUTING; nfho.pf = PF_INET; nfho.priority = NF_IP_PRI_FIRST; nf_register_hook(&nfho); // Register the hook /* Fill in the hook structure for outgoing packet hook*/ nfho_out.hook = hook_func_out; nfho_out.hooknum = NF_INET_POST_ROUTING; nfho_out.pf = PF_INET; nfho_out.priority = NF_IP_PRI_FIRST; nf_register_hook(&nfho_out); // Register the hook return 0; } /* Cleanup routine */ void cleanup_module() { nf_unregister_hook(&nfho); nf_unregister_hook(&nfho_out); printk(KERN_INFO "kernel module unloaded.\n"); } Would you please help me, I spent 10 days working on this issue and not solved yet. Best,
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies