Linux kernel module: how do I re-inject a packet that the kernel considers NF_STOLEN?

Stack Overflow user
Asked on 2014-09-21 11:27:49
1 answer · 1.5K views · 0 followers · score 7

Good evening. Posting on this site is new to me, but I have been a grateful reader who has learned a lot from this forum for a long time. This is the first time I have run into a problem that I could not solve myself and for which no existing entry on Stack Overflow or any other resource on the internet helped.

I hope you can help me once more (and from now on I can also help others, since I feel I have grown to the point where I can start to be a contributing member here).

The problem:

I am developing a kernel module. Its purpose is to use a PRE_ROUTING netfilter hook to steal incoming packets with a specific source IP from the kernel. Only TCP packets are involved.

Currently, the hook re-injects the packets into the kernel's normal packet processing routine via dev_queue_xmit() and returns NF_STOLEN for the packet to the kernel. Packets from other source addresses are not re-injected but ignored, by returning NF_ACCEPT instead of NF_STOLEN for them.

The kernel module also stores the sequence number of every stolen packet, in order to determine whether an incoming packet from the above IP is new or has already been modified and re-injected via dev_queue_xmit(), since those packets traverse the hook again.

What is currently working:

  1. The module loads
  2. The hook is registered
  3. Every packet traverses the hook.
  4. The hook can determine whether the packet's source IP is the one I am looking for.
  5. The hook returns NF_ACCEPT for packets with other source addresses
  6. Packets with the source address in question are re-injected and NF_STOLEN is returned for them.
  7. Re-injected packets traverse the hook again and are ignored.

The problem

When I access the IP with a browser after loading the module, my IP stack seems to break down. I can no longer reach any address. The module logs that it encountered packets from the IP in question, requeued them, and afterwards found a known packet (so everything looks fine), but still: no proper connection to the site / any other address.

Here is the hook code:

```c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netdevice.h>

/* Globals and helpers used by the hook but not shown in the post; their
 * declarations are assumed here. suspicious_ip holds the source address to
 * steal, in network byte order. */
static unsigned char suspicious_ip[4];
static __be32 *already_known_packets;                    /* raw (big-endian) seq numbers */
static unsigned int number_of_known_packets;
static unsigned int memory_allocated_for_known_packets = 500 * 4;
static void imba_realloc(unsigned int extra_bytes);      /* grows already_known_packets; defined elsewhere */
#define debug(msg) printk(KERN_DEBUG "[PACKET PROXY] " msg "\n")

/* Hook signature as in the post (pre-3.13 kernels). 3.13+ passes
 * const struct nf_hook_ops *ops as the first argument, and 4.4+ uses
 * (void *priv, struct sk_buff *skb, const struct nf_hook_state *state). */
static unsigned int hook(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
    struct iphdr *iph;
    struct tcphdr *tcph;
    unsigned int i;

    if (!skb)
        return NF_ACCEPT;

    iph = (struct iphdr *)skb_network_header(skb);
    if (!iph || !(iph->saddr) || iph->saddr != *(__be32 *)suspicious_ip)
        return NF_ACCEPT;

    /* Only TCP is expected from this address; for anything else tcph
     * would point at the wrong data, so let it pass untouched. */
    if (iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;

    tcph = (struct tcphdr *)skb_transport_header(skb);
    for (i = 0; i < number_of_known_packets; i++) {
        if (tcph->seq == already_known_packets[i]) {
            debug("Already known packet");
            return NF_ACCEPT;
        }
    }
    debug("New packet");
    printk("seq: %u\n", tcph->seq);

    /* Grow the seq table before it overflows. */
    if ((number_of_known_packets + 1) * 4 >= memory_allocated_for_known_packets)
        imba_realloc(500 * 4);

    already_known_packets[number_of_known_packets++] = tcph->seq;
    debug("Requeuing packet");

    // once the requeuing is working properly, I want to manipulate the payload as well
    /* This is the step the question is about: handing a received skb to
     * dev_queue_xmit() and telling netfilter the packet was stolen. */
    printk("Result: %i\n", dev_queue_xmit(skb));
    return NF_STOLEN;
}
```

How the hook is registered:

```c
static struct nf_hook_ops nfho;

int init_module(void)
{
    debug("module loaded");

    already_known_packets = kmalloc(memory_allocated_for_known_packets, GFP_KERNEL);
    if (!already_known_packets)
        return -ENOMEM;
    debug("initial memory allocated");

    nfho.hook = hook;
    nfho.hooknum = NF_INET_PRE_ROUTING;
    nfho.pf = PF_INET;
    nfho.priority = 1;

    nf_register_hook(&nfho);   /* kernels 4.13+ use nf_register_net_hook(&init_net, &nfho) */

    debug("hook registered");

    return 0;
}

/* Not shown in the post (added so the module can be unloaded safely): the
 * hook must be unregistered and the seq table freed, otherwise the kernel
 * keeps calling into code that is no longer there. */
void cleanup_module(void)
{
    nf_unregister_hook(&nfho);
    kfree(already_known_packets);
    debug("module unloaded");
}

MODULE_LICENSE("GPL");
```

syslog:

```
Sep 21 13:11:43 linux kernel: [ 3298.937902] [PACKET PROXY] module loaded
Sep 21 13:11:43 linux kernel: [ 3298.937907] [PACKET PROXY] initial memory allocated
Sep 21 13:11:43 linux kernel: [ 3298.937931] [PACKET PROXY] hook registered
Sep 21 13:11:49 linux kernel: [ 3305.415404] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.415410] seq: 1538346824
Sep 21 13:11:49 linux kernel: [ 3305.415412] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.415430] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.415440] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.415441] seq: 618234741
Sep 21 13:11:49 linux kernel: [ 3305.415442] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.415447] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.421440] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.421452] seq: 2129598066
Sep 21 13:11:49 linux kernel: [ 3305.421458] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.421477] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427449] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427456] seq: 2327127721
Sep 21 13:11:49 linux kernel: [ 3305.427458] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427466] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427470] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427471] seq: 1333567182
Sep 21 13:11:49 linux kernel: [ 3305.427473] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427476] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427494] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427502] seq: 2650236943
Sep 21 13:11:49 linux kernel: [ 3305.427506] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427514] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427522] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427533] seq: 444387468
Sep 21 13:11:49 linux kernel: [ 3305.427534] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427539] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427544] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427545] seq: 1405773113
Sep 21 13:11:49 linux kernel: [ 3305.427547] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427550] Result: 0
Sep 21 13:11:50 linux kernel: [ 3306.413448] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.413641] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.414153] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.414989] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.415102] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.417880] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.418065] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.418134] [PACKET PROXY] Already known PACKET
Sep 21 13:11:50 linux kernel: [ 3306.433788] [PACKET PROXY] New packet
Sep 21 13:11:50 linux kernel: [ 3306.433812] seq: 2146375282
Sep 21 13:11:50 linux kernel: [ 3306.433816] [PACKET PROXY] Requeuing packet
Sep 21 13:11:50 linux kernel: [ 3306.433850] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.441424] [PACKET PROXY] Already known PACKET
Sep 21 13:11:51 linux kernel: [ 3306.441587] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.441596] seq: 3958642290
Sep 21 13:11:51 linux kernel: [ 3306.441610] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.441634] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.441646] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.441648] seq: 1476007538
Sep 21 13:11:51 linux kernel: [ 3306.441652] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.441660] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443131] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443139] seq: 3288274546
Sep 21 13:11:51 linux kernel: [ 3306.443148] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443194] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443226] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443231] seq: 788862834
Sep 21 13:11:51 linux kernel: [ 3306.443241] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443258] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443276] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443278] seq: 2601129842
Sep 21 13:11:51 linux kernel: [ 3306.443281] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443286] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443294] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443295] seq: 2131695474
Sep 21 13:11:51 linux kernel: [ 3306.443299] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443305] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443313] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443314] seq: 3943962482
Sep 21 13:11:51 linux kernel: [ 3306.443317] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443320] Result: 0
Sep 21 13:11:57 linux kernel: [ 3312.685399] [PACKET PROXY] New packet
Sep 21 13:11:57 linux kernel: [ 3312.685425] seq: 2667014159
Sep 21 13:11:57 linux kernel: [ 3312.685430] [PACKET PROXY] Requeuing packet
Sep 21 13:11:57 linux kernel: [ 3312.685463] Result: 0
```

1 answer

Stack Overflow user

Accepted answer

Posted on 2014-09-24 09:56:22

I found a simpler solution to achieve what I wanted. A solution that does not need a custom kernel module.

Also, after further research, NF_STOLEN packets cannot simply be "re-injected". However, to modify a packet you do not even need to return NF_STOLEN.

You can just change the payload, adjust the checksum and then return NF_ACCEPT, because the sk_buffer you access in the hook will be reused by the kernel when it processes the packet further.

Score 0
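As an added example that is not from the question or the answer: the "change the payload, adjust the checksum" step the answer describes, done in user space on a constructed IPv4/TCP packet so it compiles without kernel headers. A same-length rewrite leaves the IP header, total length and sequence numbers untouched, so only the TCP checksum (computed over the pseudo-header and segment) has to be redone before a hook could return NF_ACCEPT; all names here are mine, and a real module would use the kernel's own csum_partial / tcp_v4_check helpers and respect skb->ip_summed instead.

```c
#include <stdint.h>
#include <string.h>

#define IP_HLEN 20                      /* no IP options in this example */
#define TCP_CSUM_OFF (IP_HLEN + 16)     /* TCP checksum field offset in packet */
/* Ones'-complement sum of n bytes as big-endian 16-bit words, carries folded. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}
/* TCP checksum over pseudo-header + segment, using whatever pkt stores. */
static uint16_t tcp_csum(const uint8_t *pkt, size_t len)
{
    size_t tcp_len = len - IP_HLEN; uint8_t pseudo[12] = {0};
    memcpy(pseudo, pkt + 12, 8);                          /* saddr, daddr */
    pseudo[9] = 6;                                        /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(tcp_len >> 8); pseudo[11] = (uint8_t)tcp_len;
    return (uint16_t)~csum_add(csum_add(0, pseudo, 12), pkt + IP_HLEN, tcp_len);
}
/* With a correct stored checksum the whole sum complements to zero. */
int tcp_csum_valid(const uint8_t *pkt, size_t len) { return tcp_csum(pkt, len) == 0; }
/* Zero the field, recompute, store in network byte order. */
void tcp_csum_fix(uint8_t *pkt, size_t len)
{
    pkt[TCP_CSUM_OFF] = pkt[TCP_CSUM_OFF + 1] = 0;
    uint16_t c = tcp_csum(pkt, len);
    pkt[TCP_CSUM_OFF] = (uint8_t)(c >> 8); pkt[TCP_CSUM_OFF + 1] = (uint8_t)c;
}
/* Same-length in-place payload rewrite, then the checksum fix. Lengths and the
 * IP header are untouched, so the IP checksum and seq/ack accounting stay valid. */
int rewrite_payload(uint8_t *pkt, size_t len, const char *from, const char *to)
{
    size_t n = strlen(from), i;
    if (n == 0 || strlen(to) != n) return -1;
    for (i = IP_HLEN + 20; i + n <= len; i++)
        if (!memcmp(pkt + i, from, n)) { memcpy(pkt + i, to, n); tcp_csum_fix(pkt, len); return 1; }
    return 0;
}
/* Constructed sample: 10.0.0.1:12345 -> 10.0.0.2:80, PSH|ACK, 11-byte payload. */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t hdrs[40] = {
        0x45,0,0,51, 0,1, 0x40,0, 64,6, 0,0, 10,0,0,1, 10,0,0,2,   /* IP, checksum left 0 */
        0x30,0x39, 0,80, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0 };
    memcpy(buf, hdrs, 40); memcpy(buf + 40, "hello world", 11);
    tcp_csum_fix(buf, 51);
    return 51;
}
```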
Original content provided by Stack Overflow; the Chinese translation of this page was provided by Tencent Cloud's IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/25958715