Problem description
I am using libnetfilter_queue in C to capture packets. I am setting an iptables rule to queue the incoming packets that would later be processed by the userspace implementation like this: iptables -A INPUT -j NFQUEUE --queue-num 0. I used the nfqnl_test example as a framework to implement the capture. Everything works as expected. However, I noticed that it is impossible to inspect the queue on the level of IP fragments. That is, if a packet is coming in fragments it is first reassembled before being put into the queue. But I would like to work with fragments. So is there a way to enforce that kind of behavior? What I want to have is a queue where I could observe raw incoming packets (both fragmented and unfragmented) so I would be able to act on them accordingly.
I read that the reassembly indeed happens before. On the other hand, with iptables there is a -f flag available, so there should be a "fragmentation granularity" which I am looking for. I also tried adjusting iptables rules (e.g. iptables -t raw -D PREROUTING -i eth0 -j NFQUEUE --queue-num 0), but the result is still the same. I can only observe the already reassembled packet, which I know for certain arrives in fragments.
Any help is really appreciated.
Recommended answer
So I have found a solution to the problem and I am sharing it here in case some people are interested. The credit goes to Adel from the netfilter mailing list who suggested the possible workaround. Basically, the solution is to use nftables and set up a chain with a priority lower than the one for the defragmentation. I have tested this setting with C code and it seems to work pretty well (I did not notice any side effects). However, I have to mention that I used it only for observing IP fragments and I did not tamper with them.
Below there are two functions to set up nftables and then remove them.
#include <stdlib.h>   /* system() */

void set_nftable(void) {
    int status = 0;
    // Create a nftable
    status = system("nft add table ip filter");
    // Add a chain to the nftable called "predefrag" which has lower priority than the defragmentation: -450 < -400
    // (the "--" keeps nft from parsing the negative priority as a command-line option; "\\;" reaches the shell as "\;")
    status = system("nft add chain ip filter predefrag { type filter hook prerouting priority -- -450 \\; }");
    // Set the nftable rule (queue packets to be accessed by a user-space application)
    status = system("nft add filter predefrag meta iif eth0 counter queue num 0 bypass");
    (void)status;
}

void remove_nftable(void) {
    int status = 0;
    // Flush the rules that are stored in the chains that belong to the nftable
    status = system("nft flush table ip filter");
    // Delete the chain from the nftable
    status = system("nft delete chain ip filter predefrag");
    // Delete the nftable
    status = system("nft delete table ip filter");
    (void)status;
}
With those functions the nfqnl_test code can be used to capture IP fragments. Below there are useful links for setting up nftables and understanding how they work (the comments in the functions are pretty self-explanatory once one gets acquainted with the nftables manual).
http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
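Once the predefrag chain delivers unreassembled packets to the queue, the callback still has to tell a fragment from a whole packet. The following is an added example and not code from the answer above or from the nfqnl_test program: it parses the IPv4 header of a queued buffer (in a libnetfilter_queue callback the bytes would come from nfq_get_payload()) and classifies it as unfragmented, first, middle or last fragment from the MF flag and the fragment offset. The packets it inspects are constructed inline (a 3000-byte payload split at a 1500-byte MTU plus one small unfragmented packet) so it runs offline; the names ipv4_frag_info and build_ipv4_packet are this example's own.

```c
/* Added example: IPv4 fragment inspector for packets queued from the
 * "predefrag" nftables chain. Not part of the original answer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum frag_kind { FRAG_NONE, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };

struct frag_info {
    uint16_t id;            /* Identification: shared by all fragments of one datagram */
    uint16_t offset;        /* fragment offset in bytes (header value * 8) */
    uint16_t total_len;     /* Total Length field of this IP packet */
    int dont_fragment;      /* DF flag */
    int more_fragments;     /* MF flag */
    enum frag_kind kind;
};

/* Parse the IPv4 header at pkt; returns 0 on success, -1 if the buffer is not
 * a plausible IPv4 packet (too short, not version 4, bad IHL / Total Length).
 * Only the header is inspected, so a fragment with no transport header is fine. */
int ipv4_frag_info(const unsigned char *pkt, size_t len, struct frag_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len)
        return -1;
    uint16_t flags_off = (uint16_t)((pkt[6] << 8) | pkt[7]);

    memset(out, 0, sizeof *out);
    out->id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    out->total_len = total_len;
    out->dont_fragment = (flags_off & 0x4000) != 0;
    out->more_fragments = (flags_off & 0x2000) != 0;
    out->offset = (uint16_t)((flags_off & 0x1fff) * 8);

    /* A packet is a fragment when MF is set or the offset is non-zero. */
    if (!out->more_fragments && out->offset == 0)
        out->kind = FRAG_NONE;
    else if (out->offset == 0)
        out->kind = FRAG_FIRST;
    else if (out->more_fragments)
        out->kind = FRAG_MIDDLE;
    else
        out->kind = FRAG_LAST;
    return 0;
}

/* Build a constructed IPv4 packet (no options, checksum left zero) carrying
 * payload_len zero bytes; returns the packet length, or 0 on bad input.
 * Used only to feed the inspector above with sample input. */
size_t build_ipv4_packet(unsigned char *buf, size_t cap, uint16_t id,
                         int mf, uint16_t offset_bytes, uint16_t payload_len)
{
    size_t total = 20 + (size_t)payload_len;
    if (cap < total || offset_bytes % 8 != 0)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                               /* version 4, IHL 5 */
    buf[2] = (unsigned char)(total >> 8);
    buf[3] = (unsigned char)(total & 0xff);
    buf[4] = (unsigned char)(id >> 8);
    buf[5] = (unsigned char)(id & 0xff);
    uint16_t flags_off = (uint16_t)((mf ? 0x2000 : 0) | (offset_bytes / 8));
    buf[6] = (unsigned char)(flags_off >> 8);
    buf[7] = (unsigned char)(flags_off & 0xff);
    buf[8] = 64;                                 /* TTL */
    buf[9] = 17;                                 /* protocol: UDP */
    return total;
}

int main(void)
{
    /* Constructed samples: a datagram with 3000 payload bytes split at an
     * MTU of 1500 (1480 + 1520 bytes), plus one unfragmented 100-byte packet. */
    const struct { int mf; uint16_t off, plen; } samples[] = {
        { 1, 0, 1480 }, { 0, 1480, 1520 }, { 0, 0, 100 }
    };
    unsigned char pkt[1600];
    struct frag_info fi;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = build_ipv4_packet(pkt, sizeof pkt, 0xbeef,
                                     samples[i].mf, samples[i].off, samples[i].plen);
        if (ipv4_frag_info(pkt, n, &fi) == 0)
            printf("id=0x%04x len=%u offset=%u MF=%d kind=%d\n",
                   fi.id, fi.total_len, fi.offset, fi.more_fragments, fi.kind);
    }
    return 0;
}
```

In a real callback the verdict still has to be issued with nfq_set_verdict() (NF_ACCEPT if, like the answer above, you only observe); the inspector deliberately does not validate the header checksum or the transport layer, because a middle or last fragment carries neither.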