All geek questions in one place

Linux kernel module: how to reload packages that the kernel treats as NF_STOLEN?

Good evening. Posting a newbie to this site is a grateful reader for me who learned a lot from this forum for quite some time. This is the first time that I encounter a problem that I cannot solve on my own, or with the help of records that already exist in Stackoverflow or any other resource that the Internet offers.

I hope you want to help me again (and from now on I can help others too, because I feel that I have grown to such an extent that I can start writing here).

Problem:

I am working on a kernel module. The goal is to steal incoming packets with a specific source IP address from the kernel using the PRE_ROUTING netfilter hook. Only TCP packets are of interest to him.

Currently, hook ony reloads the packages into normal kernel package processing routines via dev_queue_xmit () and returns NF_STOLEN for the package to the kernel. Packets from other source addresses are not reinstalled, but are ignored, returning NF_ACCEPT for them instead of NF_STOLEN.

The kernel module also stores the TCP number for each stolen packet to determine if the incoming packet from the mentioned IP is new or has already been changed and re-ported through dev_queue_xmit (), as these packets cross the hook again.

What else works:

  • The module is loading
  • Hook registered
  • A hook is called for each package.
  • The hook can determine if the IP address of the IP packets is the IP I'm looking for.
  • Hook returns NF_ACCEPT for packets with a different source address
  • Packets with the source address are re-entered, and NF_STOLEN is returned for them.
  • Reintegrated packets cross the hook again and are ignored.

Problem

When I visit the IP address with my browser after loading the module, my IP stack seems to crash. I can no longer ping any address. The module registers that it encountered packets from the corresponding IP address, and that it demanded them, and that it discovered an already known packet afterwards (so everything seems fine), but still: there is no proper connection to the site / any other address.

Here is the hook code:

static unsigned int hook(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct iphdr *iph; struct tcphdr *tcph; unsigned int i; if(!skb) return NF_ACCEPT; iph = (struct iphdr *)skb_network_header(skb); if(!iph || !(iph->saddr) || iph->saddr != *(unsigned int*)suspicious_ip) return NF_ACCEPT; tcph = (struct tcphdr *)skb_transport_header(skb); for(i=0; i < number_of_known_packets; i++) { if(tcph->seq == *(already_known_packets+i)) { debug("Already known packet"); return NF_ACCEPT; } } debug("New packet"); printk("seq: %u\n", tcph->seq); if((number_of_known_packets + 1) * 4 >= memory_allocated_for_known_packets) imba_realloc(500*4); *(already_known_packets+number_of_known_packets++) = tcph->seq; debug("Requeuing packet"); // once the requeuing is working proper, I want to manipulate the payload as well printk("Result: %i", dev_queue_xmit(skb)); return NF_STOLEN; }

How the hook is registered:

 static struct nf_hook_ops nfho; int init_module(void) { debug("module loaded"); already_known_packets = kmalloc(memory_allocated_for_known_packets, GFP_KERNEL); debug("initial memory allocated"); nfho.hook = hook; nfho.hooknum = NF_INET_PRE_ROUTING; nfho.pf = PF_INET; nfho.priority = 1; nf_register_hook(&nfho); debug("hook registered"); return 0; }

Syslog:

 Sep 21 13:11:43 linux kernel: [ 3298.937902] [PACKET PROXY] module loaded Sep 21 13:11:43 linux kernel: [ 3298.937907] [PACKET PROXY] initial memory allocated Sep 21 13:11:43 linux kernel: [ 3298.937931] [PACKET PROXY] hook registered Sep 21 13:11:49 linux kernel: [ 3305.415404] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.415410] seq: 1538346824 Sep 21 13:11:49 linux kernel: [ 3305.415412] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.415430] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.415440] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.415441] seq: 618234741 Sep 21 13:11:49 linux kernel: [ 3305.415442] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.415447] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.421440] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.421452] seq: 2129598066 Sep 21 13:11:49 linux kernel: [ 3305.421458] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.421477] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.427449] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.427456] seq: 2327127721 Sep 21 13:11:49 linux kernel: [ 3305.427458] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.427466] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.427470] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.427471] seq: 1333567182 Sep 21 13:11:49 linux kernel: [ 3305.427473] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.427476] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.427494] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.427502] seq: 2650236943 Sep 21 13:11:49 linux kernel: [ 3305.427506] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.427514] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.427522] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.427533] seq: 444387468 Sep 21 13:11:49 linux kernel: [ 3305.427534] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.427539] Result: 0 Sep 21 13:11:49 linux kernel: [ 3305.427544] [PACKET PROXY] New packet Sep 21 13:11:49 linux kernel: [ 3305.427545] seq: 1405773113 Sep 21 13:11:49 linux kernel: [ 3305.427547] [PACKET PROXY] Requeuing packet Sep 21 13:11:49 linux kernel: [ 3305.427550] Result: 0 Sep 21 13:11:50 linux kernel: [ 3306.413448] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.413641] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.414153] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.414989] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.415102] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.417880] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.418065] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.418134] [PACKET PROXY] Already known PACKET Sep 21 13:11:50 linux kernel: [ 3306.433788] [PACKET PROXY] New packet Sep 21 13:11:50 linux kernel: [ 3306.433812] seq: 2146375282 Sep 21 13:11:50 linux kernel: [ 3306.433816] [PACKET PROXY] Requeuing packet Sep 21 13:11:50 linux kernel: [ 3306.433850] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.441424] [PACKET PROXY] Already known PACKET Sep 21 13:11:51 linux kernel: [ 3306.441587] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.441596] seq: 3958642290 Sep 21 13:11:51 linux kernel: [ 3306.441610] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.441634] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.441646] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.441648] seq: 1476007538 Sep 21 13:11:51 linux kernel: [ 3306.441652] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.441660] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.443131] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.443139] seq: 3288274546 Sep 21 13:11:51 linux kernel: [ 3306.443148] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.443194] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.443226] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.443231] seq: 788862834 Sep 21 13:11:51 linux kernel: [ 3306.443241] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.443258] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.443276] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.443278] seq: 2601129842 Sep 21 13:11:51 linux kernel: [ 3306.443281] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.443286] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.443294] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.443295] seq: 2131695474 Sep 21 13:11:51 linux kernel: [ 3306.443299] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.443305] Result: 0 Sep 21 13:11:51 linux kernel: [ 3306.443313] [PACKET PROXY] New packet Sep 21 13:11:51 linux kernel: [ 3306.443314] seq: 3943962482 Sep 21 13:11:51 linux kernel: [ 3306.443317] [PACKET PROXY] Requeuing packet Sep 21 13:11:51 linux kernel: [ 3306.443320] Result: 0 Sep 21 13:11:57 linux kernel: [ 3312.685399] [PACKET PROXY] New packet Sep 21 13:11:57 linux kernel: [ 3312.685425] seq: 2667014159 Sep 21 13:11:57 linux kernel: [ 3312.685430] [PACKET PROXY] Requeuing packet Sep 21 13:11:57 linux kernel: [ 3312.685463] Result: 0
+6
source share
1 answer

I found an easier solution for the goal I was aiming for. A solution that does not require a special kernel module.

In addition, after some research, NF_STOLEN packets cannot simply be re-entered. To change packages, returning NF_STOLEN is not even required.

You can simply change the payload, adapt the checksum and THEN to return NF_ACCEPT, since the sk_buffer that you access in the hook will be reused by the kernel during further processing of the package.

0
source

Source: https://habr.com/ru/post/975602/

More articles:


All Articles