Re: Hack sought
Gilad Ben-Yossef wrote:
> On Tue, 2002-12-03 at 00:52, Doron Shikmoni wrote:
>> Ideally, what I'd like is to have an iptables mangle rule, which will
>> just insert 0 into the CS field of any UDP packet that satisfies some
>> criteria (zero is legit UDP). Can this be done without writing iptables
>> extension modules? Or, is there a way to tell the kernel not to drop
>> bad CS UDP packets? (short glance at some kernel code implies that
>> short of a patch, the answer is no - but I didn't really look that
>> hard - yet). (btw it's an old - 2.2.19 - kernel. Don't ask...).
>
> Ok, first since it's a 2.2.x kernel then you don't have iptables at all
> - only ipchains.

Oops. You're right of course. Thanks for the correction.

> Second, the quickest hack I can think of (save of writing a kernel
> module or patching the kernel) is to write a small program that
> captures the packet in user space (opens a raw promiscuous socket and
> listens for it, perhaps by using libpcap to do the really dirty work)
> and then injects the corrected packet back to the kernel via 'netlink'.

Sounds like a good plan, which I will try. I was hoping to avoid the
coding but it appears as though there's no way around it.

Thanks for the help!
Doron

> A little hairy, but it's easier to debug user space code.
>
> Hope this helps,
> Gilad.

Thanks!
Doron

=
To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe
in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
Re: Hack sought
Doron Shikmoni [EMAIL PROTECTED] writes:
>> Second, the quickest hack I can think of (save of writing a kernel
>> module or patching the kernel) is to write a small program that
>> captures the packet in user space (opens a raw promiscuous socket and
>> listens for it, perhaps by using libpcap to do the really dirty work)
>> and then injects the corrected packet back to the kernel via 'netlink'.
>
> Sounds like a good plan, which I will try. I was hoping to avoid the
> coding but it appears as though there's no way around it.

You should keep in mind that:

1) You'll go to userland for each packet, paying in performance. I don't
see how you can send only packets with bad checksum across the border:
if you could, you would have a simple solution for your problem, I guess.

2) Libpcap grabs a copy of the packet, so you need to configure your
firewall (ipchains, I guess) to drop everything you grab, otherwise the
original packet will live on regardless of what you do to the copy in
userland. If you can rely upon the kernel to drop corrupted packets (can
you?) you can send only those you have corrected back, ignoring the rest.

3) Hopefully libpcap can grab the packets before they are dropped by the
kernel. This should be the case, but paranoia is its own reward.

4) Instead of netlink (I am only writing this because I am not familiar
with same) you can send the packet to a raw socket, telling the kernel
not to rewrite the IP header.

--
Oleg Goldshmidt | [EMAIL PROTECTED]
Re: Hack sought
On Tue, 2002-12-03 at 14:57, Doron Shikmoni wrote:
> Sounds like a good plan, which I will try. I was hoping to avoid the
> coding but it appears as though there's no way around it.

Of course there is ;-) if you're willing to invest a little time and
effort that is.

There exists a wonderful project by the name of Click Modular Router
which can do what you want (and much much more). It's an object oriented
network packet handling engine, it can run both in user space and kernel
space (!), supports both BSD and Linux and one of the main authors is
Robert T. Morris, yes *that* RTM ;-)

I didn't suggest it at first because it does take some effort to learn
to use it, but it does solve your problems sans coding.

Check out http://www.pdos.lcs.mit.edu/click/ and specifically the
SetUDPChecksum module:
http://www.pdos.lcs.mit.edu/click/doc/SetUDPChecksum.n.html

Gilad.

--
Gilad Ben-Yossef [EMAIL PROTECTED]
http://benyossef.com
Denial really is a river in Egypt.
Re: Hack sought
Oleg Goldshmidt wrote:
> Doron Shikmoni [EMAIL PROTECTED] writes:
>>> Second, the quickest hack I can think of (save of writing a kernel
>>> module or patching the kernel) is to write a small program that
>>> captures the packet in user space (opens a raw promiscuous socket and
>>> listens for it, perhaps by using libpcap to do the really dirty work)
>>> and then injects the corrected packet back to the kernel via 'netlink'.
>>
>> Sounds like a good plan, which I will try. I was hoping to avoid the
>> coding but it appears as though there's no way around it.
>
> You should keep in mind that:
>
> 1) You'll go to userland for each packet, paying in performance. I don't
> see how you can send only packets with bad checksum across the border:
> if you could, you would have a simple solution for your problem, I guess.

Probably not, but I can make a pretty narrow filter nevertheless (for
pcap). So it should not be *too* painful.

> 2) Libpcap grabs a copy of the packet, so you need to configure your
> firewall (ipchains, I guess) to drop everything you grab, otherwise the
> original packet will live on regardless of what you do to the copy in
> userland. If you can rely upon the kernel to drop corrupted packets (can
> you?) you can send only those you have corrected back, ignoring the rest.

Uhm, very true in the general case, not in this particular one - since
(luckily), the kernel's gonna drop this packet right when it gets into
the UDP layer (bad checksum remember - this was the problem to begin
with). If I handle only broken CS packets - injecting them back in should
not be a problem.

> 3) Hopefully libpcap can grab the packets before they are dropped by the
> kernel. This should be the case, but paranoia is its own reward.

True :-) and it can.

Thanks again for all the help!
Doron
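The check the receiving UDP layer applies, and the repair the user-space fixer discussed above would make on the captured copy, as an added example in C that is not code from any poster in this thread: it computes the IPv4 UDP checksum over the pseudo-header, accepts a zero checksum as "none" (the RFC 768 convention behind the "insert 0" idea), and recomputes the field instead of zeroing it. The packet bytes are constructed for the example and the function names are its own.

```c
#include <stdint.h>
#include <stddef.h>
/* One's-complement accumulate (RFC 1071) over a byte range. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    return len ? sum + ((uint32_t)p[0] << 8) : sum;   /* odd trailing byte */
}
/* UDP checksum of an IPv4 packet (IP header + UDP header + payload): pseudo-header
 * (src, dst, proto 17, UDP length), then the UDP header with its checksum field
 * taken as zero, then the payload. Returns 0 on a malformed packet. */
uint16_t udp_checksum(const uint8_t *pkt, size_t len)
{
    if (len < 28 || pkt[9] != 17) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 8 > len) return 0;
    const uint8_t *udp = pkt + ihl;
    size_t ulen = (size_t)(udp[4] << 8 | udp[5]);
    if (ulen < 8 || ihl + ulen > len) return 0;
    uint32_t sum = ones_sum(pkt + 12, 8, (uint32_t)(17 + ulen)); /* addrs, proto, len */
    sum = ones_sum(udp + 8, ulen - 8, ones_sum(udp, 6, sum));    /* hdr w/o cksum, data */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);        /* fold carries */
    uint16_t c = (uint16_t)~sum;
    return c ? c : 0xffff;            /* RFC 768: a transmitted 0 means "no checksum" */
}
/* The check the kernel's UDP layer applies before delivery: 1 if the stored checksum
 * matches or is zero (sender computed none); 0 means the datagram is dropped. */
int udp_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 28 || (pkt[0] & 0x0f) * 4 + 8 > len) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint16_t stored = (uint16_t)(pkt[ihl + 6] << 8 | pkt[ihl + 7]);
    return stored == 0 || stored == udp_checksum(pkt, len);
}

/* Recompute and store the checksum on the captured copy before reinjecting it; this
 * keeps the receiver's integrity check instead of zeroing it away. */
void udp_checksum_repair(uint8_t *pkt, size_t len)
{
    if (len < 28 || (pkt[0] & 0x0f) * 4 + 8 > len) return;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint16_t c = udp_checksum(pkt, len);
    pkt[ihl + 6] = (uint8_t)(c >> 8), pkt[ihl + 7] = (uint8_t)c;
}

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:5678, payload "hi"; the correct UDP
 * checksum is 0x686e (bytes 26-27). IP header checksum is left 0 (not used here). */
uint8_t sample_pkt[30] = {
    0x45,0x00,0x00,0x1e, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00, 0x0a,0x00,0x00,0x01,
    0x0a,0x00,0x00,0x02, 0x04,0xd2,0x16,0x2e, 0x00,0x0a,0x68,0x6e, 0x68,0x69 };
```

Only a packet whose stored checksum fails udp_checksum_ok needs to be reinjected, which is what lets the fixer ignore the good copies that the kernel already delivers.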
Re: Hack sought
On 3 Dec 2002, Oleg Goldshmidt wrote:
[..snip..]
> 1) You'll go to userland for each packet, paying in performance. I don't
> see how you can send only packets with bad checksum across the border:
> if you could, you would have a simple solution for your problem, I guess.
>
> 2) Libpcap grabs a copy of the packet, so you need to configure your
> firewall (ipchains, I guess) to drop everything you grab, otherwise the
> original packet will live on regardless of what you do to the copy in
> userland. If you can rely upon the kernel to drop corrupted packets (can
> you?) you can send only those you have corrected back, ignoring the rest.

actually, netlink can be used to do both sides of the task. one can write
a netlink program that will see all packets, find those with the broken
CS field, fix only this field, and tell the kernel to move the packet
onwards. all this - without copying the full packet to user space - only
its header. i don't remember the full details, but as far as i saw, it is
do-able, and is not _that_ hard.

this has an advantage of making sure the packets don't go out-of-order -
while if you grab them using pcap, the packets _may_ go out-of-order - it
shouldn't hurt functionality (after all, proper UDP-based applications
need to be able to handle out-of-order packets) - but it may hurt
performance.

using this solution, btw, will easily handle a sustained 10MBps link on a
500MHz p-3, even with full packet copying - and is likely to sustain a
much higher bandwidth (especially that you don't copy all packets to
user-space in this way).

note: it could be that pcap uses BSD filters to filter the packets
already inside the kernel, which might make it give better performance.

--
guy

For world domination - press 1, or dial 0, and please hold, for the
creator.
-- nob o. dy
Hack sought
Hi all,

I'm having this small but nagging problem and I thought I might find some
enlightenment here. The essential part of the problem description (you
don't want to hear the whole story...) is this:

I have a client machine which sends UDP datagrams to a Linux based
server. Under some specific circumstances, some box in the middle (upon
which I have no control) mangles the UDP checksum, so the packet reaches
the server with an incorrect checksum, and hence is conveniently and
silently discarded.

Assume, for the moment, that I have no control over the path, so the
packet *does* arrive broken. And assume further, that it *is* intact
(except for the CS), and also assume that I do want it to be accepted at
the server. I'm seeking a QD hack to help this happen. (yeah, I know,
this is counter-RFC, don't tell anyone...).

Ideally, what I'd like is to have an iptables mangle rule, which will
just insert 0 into the CS field of any UDP packet that satisfies some
criteria (zero is legit UDP). Can this be done without writing iptables
extension modules? Or, is there a way to tell the kernel not to drop bad
CS UDP packets? (short glance at some kernel code implies that short of a
patch, the answer is no - but I didn't really look that hard - yet).
(btw it's an old - 2.2.19 - kernel. Don't ask...).

Thanks!
Doron
Re: Hack sought
On Tue, 2002-12-03 at 00:52, Doron Shikmoni wrote:
> Ideally, what I'd like is to have an iptables mangle rule, which will
> just insert 0 into the CS field of any UDP packet that satisfies some
> criteria (zero is legit UDP). Can this be done without writing iptables
> extension modules? Or, is there a way to tell the kernel not to drop
> bad CS UDP packets? (short glance at some kernel code implies that
> short of a patch, the answer is no - but I didn't really look that
> hard - yet). (btw it's an old - 2.2.19 - kernel. Don't ask...).

Ok, first since it's a 2.2.x kernel then you don't have iptables at all
- only ipchains.

Second, the quickest hack I can think of (save of writing a kernel
module or patching the kernel) is to write a small program that captures
the packet in user space (opens a raw promiscuous socket and listens for
it, perhaps by using libpcap to do the really dirty work) and then
injects the corrected packet back to the kernel via 'netlink'.

A little hairy, but it's easier to debug user space code.

Hope this helps,
Gilad.

> Thanks!
> Doron

--
Gilad Ben-Yossef [EMAIL PROTECTED]
http://benyossef.com
Geeks rock bands cool name #8192: RAID against the machine