1
我有以下通過原始套接字發送包的功能。通過原始套接字發送標記包
#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include "pkt-types.h"
#include "pkt-log.h"
#include "pkt-utils.h"
int
send_packet_raw (void *data, int size)
{
log_message (LOG_DEBUG, " inside send_packet_raw");
int sd;
struct iphdr *iph = (struct iphdr *) data;
struct udphdr *udph = (struct udphdr *) (data + sizeof (struct ip));
struct sockaddr_in sin;
// needed for notify kernel to not to build header for this
int one = 1;
const int *val = &one;
// creating a socket
if ((sd = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)) < 0)
{
log_message (LOG_ERROR, " problem creating a socket");
return EXITCODE_SOCK_CREATION_FAILED;
}
// setting address family
sin.sin_family = AF_INET;
// setting port
sin.sin_port = udph->dest;
// setting ip
sin.sin_addr.s_addr = iph->daddr;
// notifying kernel do not fill up the packet structure.
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about raw socket");
return EXITCODE_SOCK_KERN_NOTIF_FAILED;
}
/* setting socket option to use MARK value */
if (setsockopt (sd, SOL_SOCKET, SO_MARK, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about MARK");
return EXITCODE_SOCK_MARK_FAILED;
}
#ifdef CHECKSUM
/* compute checksum */
udph->check = udp_checksum (data + IP_OFFSET, size - IP_OFFSET, iph->saddr, iph->daddr);
/* testing purposed */
#else
udph->check = 0x00;
#endif
/* dscp 101000 means express forwarding */
if (sendto (sd, /* our socket */
data, /* data to send */
size, /* total length of our ip packet */
0, /* routing flag, normally always zero */
(struct sockaddr *) &sin, /* socket addr */
sizeof (sin)) < 0)
{
log_message (LOG_ERROR, "sending over raw socket failed");
return EXITCODE_SOCK_SEND_FAILED;
}
else
{
/* shutdown the socket */
if(shutdown (sd, 2)) /* shutdown ok */
return EXITCODE_OK;
}
}
現在我從libnetfilter_queue設置從nfq_set_verdict2()標誌:http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html
int nfq_set_verdict2 ( struct nfq_q_handle * qh,
u_int32_t id,
u_int32_t verdict,
u_int32_t mark,
u_int32_t data_len,
const unsigned char * buf
)
nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
Parameters:
qh Netfilter queue handle obtained by call to nfq_create_queue().
id ID assigned to packet by netfilter.
verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
mark mark to put on packet
data_len number of bytes of data pointed to by buf
buf the buffer that contains the packet data
當我從netfilter_queue接收數據包我做了什麼以下:
nfq_set_verdict(..,NF_DROP,MARK,...);
process_packet();
這process_packet( )調用send_packet_raw()。
相關iptable的規則:
$iptables -t mangle -A PREROUTING -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A PREROUTING -p udp --dport $PORT -j NFQUEUE
$iptables -t mangle -A OUTPUT -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A OUTPUT -p udp --sport $PORT -j NFQUEUE
我也提出了一些-j LOG規則,看看分組在-實際上匹配。但是由於看起來沒有數據包發送或進入,因爲沒有顯示日誌條目。無法理解如何在這裏找到問題。
我可能在這裏錯過了一些東西,但是你是否也嘗試過運行tcpdump(作爲調試的額外形式)以查看包是否碰到了nic?是否有可能使用scapy來製作(相同或相似的)數據包,以查看問題是出在代碼還是iptables規則上? –
謝謝你的建議。我將使用scapy進行測試併發布更多更新。 – Aftnix
如果您對scapy不熟悉,請參閱 - http://www.sans.org/reading_room/whitepapers/testing/taste-scapy_33249。 –