* Packet manipulation in user space
From: Hamid Nassiby @ 2010-04-08 18:54 UTC (permalink / raw)
  To: netfilter

Hello,

I'm working on a project which wants to port a Windows-based network
protocol to Linux. The protocol works as a VPN/Firewall, on packets
copied from the Data-Link Layer to user space. In MS Windows,
WinpkFilter(C) does the copying from kernel space (Data-Link layer) to
user space and then drops the original packet. In user space, our
protocol does some operations on the packet (e.g. checks the packet's
authority and/or encrypts/decrypts it, ...) and then injects the
packet upward to the application layer or downward, or simply drops it.

So our requirements are:

Capture each packet which is coming inside or going outside the
computer in Data-link Layer.
Create a copy of the packet and drop the original one.
Copy of packet must be available in user space to be manipulated by
our protocol.
After manipulation in user space, inject encrypted/decrypted version
of the privileged (copy of) packets to the network or upward to the
application layer.

And of course we want to have the minimum changes to be made on our
current protocol.

I tried raw sockets and netfilter netlink, but I didn't find a
suitable solution which lets me drop packets or inject them upward
to the application layer. I need to know if it is possible to do this
with the libraries/interfaces currently available in user space, or should
I write a kernel module that does the above tasks for us?

Any guidance is appreciated,
Thanks in advance,

Hamid.


* Re: Packet manipulation in user space
From: Julien Vehent @ 2010-04-08 20:52 UTC (permalink / raw)
  To: Hamid Nassiby; +Cc: netfilter

On Thu, 8 Apr 2010 23:24:09 +0430, Hamid Nassiby <h.nassiby@gmail.com>
wrote:
> Capture each packet which is coming inside or going outside the
> computer in Data-link Layer.
> Create a copy of the packet and drop the original one.
> Copy of packet must be available in user space to be manipulated by
> our protocol.
> After manipulation in user space, inject encrypted/decrypted version
> of the privileged (copy of) packets to the network or upward to the
> application layer.
> 

libnetfilter_queue ?

http://www.netfilter.org/projects/libnetfilter_queue/index.html


* Re: Packet manipulation in user space
From: Hamid Nassiby @ 2010-04-09  6:00 UTC (permalink / raw)
  To: Julien Vehent; +Cc: netfilter

On Fri, Apr 9, 2010 at 1:22 AM, Julien Vehent <julien@linuxwall.info> wrote:
> On Thu, 8 Apr 2010 23:24:09 +0430, Hamid Nassiby <h.nassiby@gmail.com>
> wrote:
>> Capture each packet which is coming inside or going outside the
>> computer in Data-link Layer.
>> Create a copy of the packet and drop the original one.
>> Copy of packet must be available in user space to be manipulated by
>> our protocol.
>> After manipulation in user space, inject encrypted/decrypted version
>> of the privileged (copy of) packets to the network or upward to the
>> application layer.
>>
>
> libnetfilter_queue ?
>
> http://www.netfilter.org/projects/libnetfilter_queue/index.html
>

Hi,

I could do the first three of the above requirements using
libnetfilter_queue. But I could not find a way to do the last of them:

>> After manipulation in user space, inject encrypted/decrypted version
>> of the privileged (copy of) packets to the network or upward to the
>> application layer.

Is there any solution for the above issue?


Thanks in advance,

Hamid.


* Re: Packet manipulation in user space
From: Jan Engelhardt @ 2010-04-09  9:02 UTC (permalink / raw)
  To: Hamid Nassiby; +Cc: Julien Vehent, netfilter

On Friday 2010-04-09 08:00, Hamid Nassiby wrote:
>On Fri, Apr 9, 2010 at 1:22 AM, Julien Vehent <julien@linuxwall.info> wrote:
>
>I could do the first three of above requirements, using
>libnetfilter_queue. But I could not find a way to do the last of them:
>
>>> After manipulation  in user space, inject encrypted/decrypted version
>>> of the privileged (copy of) packets to the network or upward to the
>>> application layer.
>
>Is there any solution for the above issue?

Reinjected packets should travel the normal network path (code-wise),
so you can use xfrm, if I am not mistaken.
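An added example, not code from this thread or from the libnetfilter_queue project, in C, the library's own language. It ties Julien's pointer to libnetfilter_queue together with Jan's point that a packet accepted back from the queue simply continues along the normal path: the user-space side receives a copy of each queued packet, validates it as untrusted input, decides NF_DROP or NF_ACCEPT, may rewrite it in place, and must recompute the IPv4 header checksum before handing the modified buffer back, or the reinjected packet is discarded as corrupt. Assumptions: IPv4 only (the queue is bound for AF_INET); the accept/drop policy and the TTL rewrite are placeholders for the protocol's own authority check and encryption; the function names, the callback and the sample packet are all constructed for this example. The NFQUEUE glue sits behind `USE_NFQUEUE` so the packet-handling core compiles and runs without the library installed.

```c
#include <stdint.h>
#include <string.h>

/* Mirrors NF_DROP (0) / NF_ACCEPT (1) from <linux/netfilter.h>. */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* RFC 1071 one's-complement sum; 0 over a header whose checksum field is right. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (i < len)
        sum += (uint32_t)(hdr[i] << 8);          /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Recompute the checksum after an in-place edit; nfq_set_verdict() will not. */
void ip_fix_checksum(uint8_t *pkt, size_t ihl)
{
    uint16_t csum;
    pkt[10] = pkt[11] = 0;
    csum = ip_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)(csum & 0xff);
}

/* IPv4 header length if pkt holds a sane header that fits in len, else 0 (queued packets are untrusted). */
size_t ipv4_header_len(const uint8_t *pkt, size_t len)
{
    size_t ihl, total;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return 0;
    return ip_checksum(pkt, ihl) == 0 ? ihl : 0;
}

/* Per-packet policy: drop anything malformed or not ICMP/TCP/UDP (byte 9 is the protocol field). */
int decide_verdict(const uint8_t *pkt, size_t len)
{
    if (ipv4_header_len(pkt, len) == 0 ||
        (pkt[9] != 1 && pkt[9] != 6 && pkt[9] != 17))
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Stand-in for the user-space manipulation step: rewrite the TTL, then fix the checksum. 0 on success. */
int rewrite_ttl(uint8_t *pkt, size_t len, uint8_t new_ttl)
{
    size_t ihl = ipv4_header_len(pkt, len);
    if (ihl == 0)
        return -1;
    pkt[8] = new_ttl;
    ip_fix_checksum(pkt, ihl);
    return 0;
}

/* Constructed sample: IPv4/UDP 10.0.0.1:1234 -> 10.0.0.2:53, TTL 64, 4 payload bytes; returns length (32). */
uint8_t sample[64];
size_t build_sample(void)
{
    static const uint8_t tmpl[32] = {
        0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'p', 'i', 'n', 'g'
    };
    memcpy(sample, tmpl, sizeof tmpl);
    ip_fix_checksum(sample, 20);
    return sizeof tmpl;
}

#ifdef USE_NFQUEUE
/* libnetfilter_queue callback (build with -DUSE_NFQUEUE -lnetfilter_queue); queue setup is the caller's job. */
#include <arpa/inet.h>
#include <linux/netfilter.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
static int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    uint32_t id = ph ? ntohl(ph->packet_id) : 0;
    unsigned char *pkt;
    int len = nfq_get_payload(nfa, &pkt);
    if (len < 0 || decide_verdict(pkt, (size_t)len) == VERDICT_DROP)
        return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
    rewrite_ttl(pkt, (size_t)len, 64);
    /* NF_ACCEPT with a replacement buffer swaps the packet in; it then follows the normal path. */
    return nfq_set_verdict(qh, id, NF_ACCEPT, (uint32_t)len, pkt);
}
#endif
```

To run the callback against live traffic, the caller opens the queue with nfq_open(), calls nfq_unbind_pf()/nfq_bind_pf() for AF_INET, creates queue 0 with nfq_create_queue(h, 0, &on_packet, NULL), selects full copies with nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff), and loops recv() on nfq_fd(h) feeding each buffer to nfq_handle_packet(); the iptables rule `iptables -A INPUT -j NFQUEUE --queue-num 0` (queue number 0 is an assumption) steers packets to it. The hook answers the "upward or downward" part of the question: a packet accepted back from a queue on INPUT proceeds to local delivery, one accepted on OUTPUT or FORWARD proceeds to transmission. Two caveats: the block only fixes the IPv4 header checksum, so any change to the TCP or UDP payload also needs that transport checksum recomputed (it covers a pseudo-header with the addresses), and a process with the capability to open the queue can hold or alter every queued packet, so it deserves the same least-privilege treatment as the kernel module it replaces.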

