4

I'm currently trying to use codes with libnetfilter_queue in userspace to modify packets that were queued in the NFQUEUE target in iptables. However I have little idea as to how to go about doing it.

I have set it to copy the packet with NFQNL_COPY_PACKET, if I were to modify the copied packet would it be automatically send back to the kernal by the function nfq_set_verdict()?

Additionally, I have previously worked with extracting packets from a pcap file, however I noticed that the data that I get from nfq_get_payload() seems to be very different. Does anyone know how to dissect the data?

user849336
  • 51
  • 1
  • 4

1 Answers1

1

If in nfq_set_verdict you set the verdict to NF_REPEAT, the packet (modified or not) will again enter the iptables mangle OUTPUT chain, nat OUTPUT chane, filter OUTPUT chain etc. (in other words it will act as if some app sent it)

To extract data, use this boilerplate in your NFQUEUE handler callback:

int queueHandle_input ( struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfad, void *mdata ){

struct iphdr *ip;
int id;
struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr ( ( struct nfq_data * ) nfad );
if ( ph ) id = ntohl ( ph->packet_id );
nfq_get_payload ( ( struct nfq_data * ) nfad, (char**)&ip );

Now ip contains IP header data in network byte order.

thkala
  • 84,049
  • 23
  • 157
  • 201
abirvalg
  • 128
  • 1
  • 7