我有以下功能,通过原始套接字发送数据包。
#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include "pkt-types.h"
#include "pkt-log.h"
#include "pkt-utils.h"
int
send_packet_raw (void *data, int size)
{
log_message (LOG_DEBUG, " inside send_packet_raw");
int sd;
struct iphdr *iph = (struct iphdr *) data;
struct udphdr *udph = (struct udphdr *) (data + sizeof (struct ip));
struct sockaddr_in sin;
// needed for notify kernel to not to build header for this
int one = 1;
const int *val = &one;
// creating a socket
if ((sd = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)) < 0)
{
log_message (LOG_ERROR, " problem creating a socket");
return EXITCODE_SOCK_CREATION_FAILED;
}
// setting address family
sin.sin_family = AF_INET;
// setting port
sin.sin_port = udph->dest;
// setting ip
sin.sin_addr.s_addr = iph->daddr;
// notifying kernel do not fill up the packet structure.
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about raw socket");
return EXITCODE_SOCK_KERN_NOTIF_FAILED;
}
/* setting socket option to use MARK value */
if (setsockopt (sd, SOL_SOCKET, SO_MARK, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about MARK");
return EXITCODE_SOCK_MARK_FAILED;
}
#ifdef CHECKSUM
/* compute checksum */
udph->check = udp_checksum (data + IP_OFFSET, size - IP_OFFSET, iph->saddr, iph->daddr);
/* testing purposed */
#else
udph->check = 0x00;
#endif
/* dscp 101000 means express forwarding */
if (sendto (sd, /* our socket */
data, /* data to send */
size, /* total length of our ip packet */
0, /* routing flag, normally always zero */
(struct sockaddr *) &sin, /* socket addr */
sizeof (sin)) < 0)
{
log_message (LOG_ERROR, "sending over raw socket failed");
return EXITCODE_SOCK_SEND_FAILED;
}
else
{
/* shutdown the socket */
if(shutdown (sd, 2)) /* shutdown ok */
return EXITCODE_OK;
}
}
现在我从libnetfilter_queue的{nfq_set_verdict2()设置标记:http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html
int nfq_set_verdict2 ( struct nfq_q_handle * qh,
u_int32_t id,
u_int32_t verdict,
u_int32_t mark,
u_int32_t data_len,
const unsigned char * buf
)
nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
Parameters:
qh Netfilter queue handle obtained by call to nfq_create_queue().
id ID assigned to packet by netfilter.
verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
mark mark to put on packet
data_len number of bytes of data pointed to by buf
buf the buffer that contains the packet data
当我从netfilter_queue收到数据包时,我会做以下事情:
nfq_set_verdict(..,NF_DROP,MARK,...);
process_packet();
此process_packet()调用send_packet_raw()。
相关的iptable规则:
$iptables -t mangle -A PREROUTING -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A PREROUTING -p udp --dport $PORT -j NFQUEUE
$iptables -t mangle -A OUTPUT -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A OUTPUT -p udp --sport $PORT -j NFQUEUE
我还提出了一些-j LOG规则来查看数据包是否实际匹配。但由于没有显示任何日志条目,因此似乎没有数据包输出或进入。无法理解如何在这里找到问题。
答案 0 :(得分:1)
不完全确定问题是什么,但
nfq_set_verdict(..,NF_DROP,MARK,...);
process_packet();
看起来很糟糕。在处理数据包之前,我不会调用NF_DROP 。 我已经编写了几个隧道程序,我首先处理数据包,把它放在我的缓冲区中,问题是NF_DROP。在此之后,我可以使用原始套接字从缓冲区重新发出数据包。所以:
process_packet();
nfq_set_verdict(..,NF_DROP,MARK,...);
会更好。至少在发布判决之前复制数据包数据。
答案 1 :(得分:0)