Help in netfilter kernel module

Help in netfilter kernel module

[Daryl ong]

[-- Attachment #1: Type: text/plain, Size: 884 bytes --]

Hi
   i am a new developer in this netfilter module.  i am developing a kernel module on a rehat linux 8 and using iptables v1.2.6a.  i came across a problem when i want to kfree_skb(skb).  When i compile my source code with this command: gcc -march=i486 -03 -D__KERNEL__ -DLINUX -DMODULE -DMODVERSIONS -I/lib/modules/linux/build/linclude -c test.c test.o, it compiles with no error.  But when i try to insmod test.o.  it prompts me an error with test.o: unresolved symbol __kfree_skb.  
 
i have try to use NF_DROP to drop the packet if it doesnt match what i want to filter away.  But as netfilter currently didnt filter for PF_PACKET, my packet is able to go up to application layer.  So i intended to use kfree_skb but encounter the error.  Please tell me if there is any solutions.  Thank you.
 
Regards,
Daryl

 Yahoo! Photos
- A free party for the most "shiok" photo. Join now!

[-- Attachment #2: Type: text/html, Size: 1317 bytes --]

Re: Help in netfilter kernel module

[Henrik Nordstrom]

On Thu, 16 Oct 2003, Daryl ong wrote:

>    i am a new developer in this netfilter module.  i am developing a
> kernel module on a rehat linux 8 and using iptables v1.2.6a.  i came
> across a problem when i want to kfree_skb(skb).

> i have try to use NF_DROP to drop the packet if it doesnt match what i
> want to filter away.  But as netfilter currently didnt filter for
> PF_PACKET, my packet is able to go up to application layer.  So i
> intended to use kfree_skb but encounter the error.  Please tell me if
> there is any solutions.  Thank you.

If you want to drop a packet from netfilter you MUST NF_DROP it.  Freeing
it with kfree_skb won't help, and if done carelessly will really crash
things as the kernel expects the skb reference to be there.

I do not think you can filter PF_PACKET sockets using netfilter. These get 
the packet very early in the processing chain while netfilter operates 
at the IPv4/IPv6 layers.

In netfilter you can

a) Drop the packet via NF_DROP. This also terminates the session if you
are using conntrack.

b) Replace/modify the packet, making further processing see another
packet. See for example ipt_TCPMSS.c for a simple example of how to
replace a packet (this is a iptables module, but the same rules in how to
replace/modify a packet applies to a netfilter module)

c) Steal the packet, stopping further processing of this packet without 
terminating the session. (NF_STOLEN verdict)

In all three cases I think the original packet is still sent to PF_PACKET 
sockets for the reason outlined above.

Regards
Henrik

Re: Help in netfilter kernel module

[Daryl ong]

[-- Attachment #1: Type: text/plain, Size: 1871 bytes --]

Hi Henrik,
               Thanks for replying my mail.  I think you are right as i have test it with an application using PF_PACKETS.  So is it any way i can go around this problem.  Thank you in advance.
 
Regards, 
Daryl

Henrik Nordstrom <hno@marasystems.com> wrote:
On Thu, 16 Oct 2003, Daryl ong wrote:

> i am a new developer in this netfilter module. i am developing a
> kernel module on a rehat linux 8 and using iptables v1.2.6a. i came
> across a problem when i want to kfree_skb(skb).

> i have try to use NF_DROP to drop the packet if it doesnt match what i
> want to filter away. But as netfilter currently didnt filter for
> PF_PACKET, my packet is able to go up to application layer. So i
> intended to use kfree_skb but encounter the error. Please tell me if
> there is any solutions. Thank you.

If you want to drop a packet from netfilter you MUST NF_DROP it. Freeing
it with kfree_skb won't help, and if done carelessly will really crash
things as the kernel expects the skb reference to be there.

I do not think you can filter PF_PACKET sockets using netfilter. These get 
the packet very early in the processing chain while netfilter operates 
at the IPv4/IPv6 layers.

In netfilter you can

a) Drop the packet via NF_DROP. This also terminates the session if you
are using conntrack.

b) Replace/modify the packet, making further processing see another
packet. See for example ipt_TCPMSS.c for a simple example of how to
replace a packet (this is a iptables module, but the same rules in how to
replace/modify a packet applies to a netfilter module)

c) Steal the packet, stopping further processing of this packet without 
terminating the session. (NF_STOLEN verdict)

In all three cases I think the original packet is still sent to PF_PACKET 
sockets for the reason outlined above.

Regards
Henrik

 The New Yahoo! Search
- Now with image search!

[-- Attachment #2: Type: text/html, Size: 2570 bytes --]

Re: Help in netfilter kernel module

[Henrik Nordstrom]

On Thu, 16 Oct 2003, Daryl ong wrote:

> Thanks for replying my mail.  I think you are right as i have test it
> with an application using PF_PACKETS.  So is it any way i can go around
> this problem.  Thank you in advance.

Possibly, but most likely not by using netfilter.

Regards
Henrik