How to filter and intercept Linux packets by using net_dev_add() API?

Submitted by 自古美人都是妖i on 2019-12-18 11:44:37

Question


I'm writing an Ethernet network driver for Linux. I want to receive packets, edit them and resend them. I know how to edit the packet in the packet_interceptor function, but how can I drop incoming packets in this function?

#include <linux/module.h>      /* module_init/module_exit, MODULE_LICENSE */
#include <linux/netdevice.h>   /* struct packet_type, dev_add_pack() */
#include <linux/skbuff.h>
#include <linux/if_ether.h>    /* ETH_P_ALL */
#include <linux/ip.h>
#include <net/sock.h>

static struct packet_type my_proto;

/* Protocol handler: called for every frame (ETH_P_ALL) on every device. */
static int packet_interceptor(struct sk_buff *skb,
                              struct net_device *dev,
                              struct packet_type *pt,
                              struct net_device *orig_dev)
{
    // I don't want certain packets to go up to the net_devices above for further processing.
    // How can I drop the sk_buff here?!

    return 0;
}

static int __init hello_init(void)
{
    printk(KERN_INFO "Hello, world!\n");

    my_proto.type = htons(ETH_P_ALL);   /* match every Ethernet protocol */
    my_proto.dev = NULL;                /* match every device */
    my_proto.func = packet_interceptor;

    dev_add_pack(&my_proto);
    return 0;
}

static void __exit hello_exit(void)
{
    dev_remove_pack(&my_proto);
    printk(KERN_INFO "Bye, world\n");
}

module_init(hello_init);
module_exit(hello_exit);
MODULE_LICENSE("GPL");

Answer 1:


You are making your module handle all ethernet packets. Linux will send packets to all matching protocol handlers. Since IP is already registered in your kernel, both your module and ip_rcv will receive all SKBs with IP headers.

You cannot change this behaviour without changing the kernel code. One possibility is to create a netfilter module instead. This way, you can intercept the packet after the ip_rcv function and drop it if you want to (in Netfilter's PREROUTING hook).

Here is a small Netfilter module which I extracted from some code I had already written. This module is unfinished, but the main pieces are in place.

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>

/* Hook function. This is the nf_hookfn signature of the kernels this answer
 * was written for; from 4.4 on it is
 * (void *priv, struct sk_buff *skb, const struct nf_hook_state *state). */
static unsigned int my_handler(unsigned int hooknum,
                               struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *))
{
    /* Decide here: NF_DROP makes Netfilter free the skb,
     * NF_ACCEPT lets it continue to ip_rcv_finish. */
    return NF_ACCEPT;
}

// Handler registering struct
static struct nf_hook_ops my_hook __read_mostly = {
    .hook     = my_handler,
    .pf       = NFPROTO_IPV4,
    /* hooknum is a hook number, not a bitmask:
     * (1 << NF_INET_PRE_ROUTING) == 1 == NF_INET_LOCAL_IN, the wrong hook */
    .hooknum  = NF_INET_PRE_ROUTING,
    .priority = NF_IP_PRI_FIRST, // My hook will be run before any other netfilter hook
};

static int __init my_init(void)
{
    /* kernels from 4.13 on use nf_register_net_hook(&init_net, &my_hook) */
    int err = nf_register_hook(&my_hook);
    if (err)
        printk(KERN_ERR "Could not register hook\n");
    return err;
}

static void __exit my_exit(void)
{
    nf_unregister_hook(&my_hook);
}

module_init(my_init);
module_exit(my_exit);
MODULE_LICENSE("GPL");
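
An added example, not code from the question or from either answer: the verdict logic a PREROUTING hook such as my_handler would run, pulled out into a plain function so that it compiles and runs in user space on constructed packets. The NF_DROP/NF_ACCEPT values and the IPv4 header layout are the ones from the Linux UAPI headers, redefined locally; the blocked-port policy is an assumption chosen for illustration.

```c
/* Verdict logic for a PREROUTING hook, compiled in user space (added example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>    /* ntohs */
#include <netinet/in.h>   /* IPPROTO_UDP */
#define NF_DROP   0       /* same values as <linux/netfilter.h> */
#define NF_ACCEPT 1

struct ipv4_hdr {         /* same layout as struct iphdr on a little-endian host */
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

/* In the kernel `data` would be the network header and `len` skb->len;
 * every length is checked before a byte is read, so a malformed packet is
 * dropped instead of causing an out-of-bounds read inside the hook. */
unsigned int verdict(const uint8_t *data, size_t len, uint16_t blocked_port)
{
    struct ipv4_hdr ip;
    size_t ihl;
    uint16_t dport;
    if (len < sizeof ip)
        return NF_DROP;
    memcpy(&ip, data, sizeof ip);             /* copy: no unaligned access */
    ihl = (size_t)(ip.ver_ihl & 0x0f) * 4;
    if ((ip.ver_ihl >> 4) != 4 || ihl < sizeof ip || ihl > len)
        return NF_DROP;
    if (ntohs(ip.tot_len) < ihl || ntohs(ip.tot_len) > len)
        return NF_DROP;                       /* header claims bytes not present */
    if (ip.protocol != IPPROTO_UDP)
        return NF_ACCEPT;                     /* policy only covers UDP */
    if (len < ihl + 8)
        return NF_DROP;                       /* UDP header truncated */
    dport = (uint16_t)((data[ihl + 2] << 8) | data[ihl + 3]);
    return dport == blocked_port ? NF_DROP : NF_ACCEPT;
}

/* Constructed sample: IPv4 (20 bytes) + UDP (8 bytes), 192.168.1.2 -> 192.168.1.1:53 */
const uint8_t sample_udp_dns[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x01,
    0xc0, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,
};
```

Inside my_handler the same function would be given ip_hdr(skb) and skb->len once the header is linear (after pskb_may_pull), and its result returned as the hook's verdict.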



Answer 2:


I went through the kernel networking code (it's been a year since I did anything in there), and I think you should be able to do this without leaking anything:

    kfree_skb(skb);        /* free our reference to the skb */
    return NET_RX_DROP;

Edit

This is done in other protocol handlers like ip_rcv and arp_rcv (last one returns 0 instead of NET_RX_DROP, but I don't think the return value matters very much). Remember not to call any other handlers if you drop the skb.

Look at the code for ip_rcv in ip.c (at the bottom): http://lxr.free-electrons.com/source/net/ipv4/ip_input.c#L375

If everything goes well, it passes the skb to Netfilter which then calls ip_rcv_finish (if it doesn't drop it). If something goes wrong, it frees the skb and returns.

Edit

If more than one protocol handler matches an SKB, the kernel will send it to all of them. When you kfree_skb() in one of the modules, the SKB will still live on in the other handlers.



Source: https://stackoverflow.com/questions/19342252/how-to-filter-and-intercept-linux-packets-by-using-net-dev-add-api
