On 4/14/05, Valdis.Kletnieks_at_vt.edu <Valdis.Kletnieks_at_vt.edu> wrote:
> Currently, iptables doesn't seem to support that, probably to keep you from
> shooting yourself in the foot. Consider for example how fast the kernel will
> fold up if you change that first nybble of the packet from an x'4' to an x'6'
> without changing the rest of the packet to match. Suddenly, that sk_buff is
> a lot too short.. ;)
Yeah, maybe, who knows :P
Well, I've did some searching last days and found a couple ways to
achieve what I've described in my email.
One is using "DIVERT sockets" and other is the use of the "-j QUEUE"
target of iptables/netfilter. Both approaches are similar: you match a
packet using iptables to flush them to userspace, where you can mangle
the entire packet as you like and send it back to iptables, who will
put it again onto the stack.
The "-j QUEUE" approach is manipulated through the "libipq" API:
- netfilter can feed userspace using IPQUEUE:
* http://www.crhc.uiuc.edu/~grier/projects/libipq.html
- Perl:
* http://www.intercode.com.au/jmorris/perlipq/
- Python:
* http://woozle.org/~neale/src/ipqueue/
As you can see, there's already libraries written in Perl and Python
to query IPQUEUE, so the effort of writing userspace code to deal with
IP packets wiil be much more easier.
That's it =)
Cheers,
Joćo Paulo.
Received on Apr 18 2005
Intro
