#1 (Join Date: Mar 2009, Posts: 2)

[SOLVED] empty socket buffer(??) while using Netfilter.


Hello and Help!
I am new to Netfilter and kernel programming in Linux. I tried to implement a simple firewall using Netfilter after reading online tutorials on this. For some reason, I am getting an empty socket buffer (I think) when the hook function is called. I tried googling for solutions but no luck. I am pasting a simplified version of my firewall code. As a test bed, I used a simple client-server socket program. To check if the problem was in the test bed, I disabled the test bed, inserted the firewall module and verified the socket buffer for regular internet traffic (browser), but no luck on this.
Is my implementation wrong? I can't seem to figure out why on earth the buffer will be empty.
Am I missing out something really obvious?

Digging a little deeper into packet traversal, I surmised that it is the NIC's job to create and populate sk_buff, which is passed to the kernel through netif_rx().
I am running my code on Ubuntu 8.10. So taking a really far-fetched (and almost certainly wrong) guess, could it have something to do with Ubuntu's driver for Broadcom cards?
My sincere apologies if I posted in the wrong forum. This is my first post.


/// Simplified firewall code.
#ifndef __FW_C
#define __FW_C

// includes
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>      // contains hook defs
#include <linux/netfilter_ipv4.h> // contains definitions of priorities
#include <linux/skbuff.h>
#include <linux/tcp.h>            // contains definition of struct tcphdr

MODULE_LICENSE("GPL");

// declarations
static struct nf_hook_ops in_pre_routing;
static struct nf_hook_ops in_local_in;

// Hook function as originally written, with a struct sk_buff ** parameter
// (this signature is what post #2 identifies as the mistake)
unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
    if (!*skb) {
        // This place is reached in the code. I checked /var/log/messages
        printk(KERN_INFO "\nPacket Dropped\n");
        return NF_DROP;
    } else {
        return NF_ACCEPT;
    }
    // return(check_tcp_packet(*skb));
}

int init_module(void)
{
    in_local_in.hook     = hook_func;          // user defined hook function
    in_local_in.pf       = PF_INET;            // protocol family
    in_local_in.hooknum  = NF_INET_LOCAL_IN;   // hook point: packets addressed to this host
    in_local_in.priority = NF_IP_PRI_FIRST;    // run before other hooks at this point
    nf_register_hook(&in_local_in);

    return 0;
}

void cleanup_module(void)
{
    // nf_unregister_hook(&in_pre_routing);
    nf_unregister_hook(&in_local_in);
}

#endif

#2 (Join Date: Mar 2009, Posts: 2)

Found my mistake

I used the wrong method signature corresponding to my kernel header files. The correct signature of the hook function should be

unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff *skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
    // func body of correct version
}

instead of

unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
    // func body of old version
}

Silly me. Thanks and apologies to all those who wasted time looking at this.
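Why the stale signature made every buffer look empty, as an added userspace model (this is not code from the thread or from the kernel): with the 2.6.27 headers the kernel passes a `struct sk_buff *`, so a hook declared with `struct sk_buff **skb` receives the skb's own address in a pointer-to-pointer parameter and `*skb` reads the first word of the skb itself. In 2.6.27 that first member is the `next` list pointer, which is NULL for a buffer that is not queued on a list, so `!*skb` is true for every packet and the module drops all traffic. The `struct sk_buff` below is a constructed stand-in whose only property shared with the real one is that `next` is its first member; `build_skb` and the hook wrappers are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_INET_LOCAL_IN 1   /* value of the enum nf_inet_hooks member in 2.6.27 */

/* Constructed stand-in for struct sk_buff. Like the real 2.6.27 struct it
 * begins with the next/prev list pointers (NULL when the skb is not queued). */
struct sk_buff {
    struct sk_buff *next;
    struct sk_buff *prev;
    unsigned int    len;
    unsigned char   data[64];
};

/* Build an unqueued skb holding a constructed payload (example helper). */
static struct sk_buff build_skb(const char *payload)
{
    struct sk_buff skb;
    memset(&skb, 0, sizeof skb);           /* next/prev NULL: on no list */
    skb.len = (unsigned int)strlen(payload);
    memcpy(skb.data, payload, skb.len);
    return skb;
}

/* Hook with the signature the 2.6.27 headers expect: the skb is passed directly. */
unsigned int hook_correct(unsigned int hooknum, struct sk_buff *skb)
{
    (void)hooknum;
    if (!skb || skb->len == 0)
        return NF_DROP;
    return NF_ACCEPT;
}

/* Hook written against the older double-pointer convention (post #1). */
unsigned int hook_stale(unsigned int hooknum, struct sk_buff **skb)
{
    (void)hooknum;
    if (!*skb)
        return NF_DROP;                    /* taken for every unqueued skb */
    return NF_ACCEPT;
}

/* Model of the kernel invoking a registered hook with the skb pointer. */
unsigned int run_correct_hook(struct sk_buff *skb)
{
    return hook_correct(NF_INET_LOCAL_IN, skb);
}

/* Same call, but the callee has the stale type. The cast makes explicit the
 * reinterpretation that, in the real module, only produced a compiler warning
 * when hook_func was assigned to nf_hook_ops.hook. Reading through the cast
 * yields the skb's first member, next, which has the same pointer type. */
unsigned int run_stale_hook(struct sk_buff *skb)
{
    return hook_stale(NF_INET_LOCAL_IN, (struct sk_buff **)skb);
}

/* The buffer the stale hook actually examines for a given skb. */
const struct sk_buff *stale_hook_sees(struct sk_buff *skb)
{
    return *(struct sk_buff **)skb;
}

unsigned int verdict_correct_fresh(void)
{
    struct sk_buff skb = build_skb("constructed payload");
    return run_correct_hook(&skb);
}

unsigned int verdict_stale_fresh(void)
{
    struct sk_buff skb = build_skb("constructed payload");
    return run_stale_hook(&skb);
}

int main(void)
{
    struct sk_buff a = build_skb("first");
    struct sk_buff b = build_skb("second");

    printf("correct hook, fresh skb: %s\n",
           verdict_correct_fresh() == NF_ACCEPT ? "ACCEPT" : "DROP");
    printf("stale hook, fresh skb:   %s\n",
           verdict_stale_fresh() == NF_ACCEPT ? "ACCEPT" : "DROP");

    /* Once the skb sits on a list, *skb is the neighbour's address: the stale
     * hook now accepts, but any inspection it does looks at the wrong packet. */
    a.next = &b;
    printf("stale hook on queued skb inspects %p, the skb itself is %p\n",
           (const void *)stale_hook_sees(&a), (const void *)&a);
    return 0;
}
```

Two points worth keeping from this: the mismatch made the module fail closed (every packet dropped) rather than crash, which is why it looked like a driver problem rather than a signature problem, and the only build-time signal was an incompatible-pointer-type warning on the `in_local_in.hook = hook_func` assignment, so building kernel modules with warnings treated as errors (`-Werror`) turns this class of mistake into a hard failure instead of a silent traffic outage.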
