Networking Forums


Best way to intercept inbound and outbound TCP packets

 
 
will_u_tellmemore

 
      12-07-2006, 09:09 AM
Hi All,

I need the best way to intercept inbound and outbound TCP packets
through a kernel module.
"Best" is related to performance and portability. Once done on Linux,
I would like to do the same kind of work on Solaris and AIX. Currently I
was looking into the NetFilter framework, which is part of the Linux kernel now.
This looks great on Linux, but AFAIK Netfilter is not present on Solaris and AIX.

Now I have found IPFilter, which is implemented for almost all
platforms. Though I have yet to discover what kind of interface the IPFilter
kernel module provides, I would like you to help me decide this.

Q1: Does the IPFilter framework allow inserting my hooks through a kernel
module, the same as NetFilter does?

Q2: Which should I choose, an IPFilter- or NetFilter-based kernel module? (I
think that underneath, IPFilter uses NetFilter for its Linux implementation;
correct me if I am wrong.) Is that the case? If I use IPFilter, what will
be its advantages over NetFilter?

Thanks,
Rohit

 
Tauno Voipio

 
      12-07-2006, 04:12 PM
will_u_tellmemore wrote:
> Hi All,
>
> I need the best way to intercept inbound and outbound TCP packets
> through a kernel module.
> "Best" is related to performance and portability. Once done on Linux,
> I would like to do the same kind of work on Solaris and AIX. Currently I
> was looking into the NetFilter framework, which is part of the Linux kernel now.
> This looks great on Linux, but AFAIK Netfilter is not present on Solaris and AIX.
>
> Now I have found IPFilter, which is implemented for almost all
> platforms. Though I have yet to discover what kind of interface the IPFilter
> kernel module provides, I would like you to help me decide this.
>
> Q1: Does the IPFilter framework allow inserting my hooks through a kernel
> module, the same as NetFilter does?
>
> Q2: Which should I choose, an IPFilter- or NetFilter-based kernel module? (I
> think that underneath, IPFilter uses NetFilter for its Linux implementation;
> correct me if I am wrong.) Is that the case? If I use IPFilter, what will
> be its advantages over NetFilter?
>


If it's enough to get the packets (but not change them before
forwarding), have a look at libpcap.

If it's something else, please explain what you're attempting
to achieve.

--

Tauno Voipio
tauno voipio (at) iki fi

 
will_u_tellmemore

 
      12-08-2006, 04:40 AM
Tauno Voipio wrote >>
> If it's enough to get the packets (but not change them before
> forwarding), have a look at libpcap.

I also need to send fake packets to the kernel TCP layer through my hooks.

> If it's something else, please explain what you're attempting
> to achieve.

I am trying to implement fault-tolerant TCP support through a loadable
kernel module, for which I need to log every incoming TCP packet and
sometimes generate fake ones.

Also, after looking into the IPFilter source code, I think it doesn't
export any such interface for hooks, but it itself uses such things. On
Linux it uses Netfilter and on Solaris it uses the pfil module.
So I feel I really don't have two options, Netfilter and IPFilter, but
only one, i.e. NetFilter. These two things seem to be different.


Thanks ,
Rohit

 
Ridwan Nurhayat

 
      12-10-2006, 09:10 AM
You must write one netfilter module and one iptables module, compile
them, and then activate the netfilter module from iptables.

will_u_tellmemore wrote:
> Tauno Voipio wrote >>
> > If it's enough to get the packets (but not change them before
> > forwarding), have a look at libpcap.
>
> I also need to send fake packets to the kernel TCP layer through my hooks.
>
> > If it's something else, please explain what you're attempting
> > to achieve.
>
> I am trying to implement fault-tolerant TCP support through a loadable
> kernel module, for which I need to log every incoming TCP packet and
> sometimes generate fake ones.
>
> Also, after looking into the IPFilter source code, I think it doesn't
> export any such interface for hooks, but it itself uses such things. On
> Linux it uses Netfilter and on Solaris it uses the pfil module.
> So I feel I really don't have two options, Netfilter and IPFilter, but
> only one, i.e. NetFilter. These two things seem to be different.
>
> Thanks,
> Rohit


 
Tauno Voipio

 
      12-10-2006, 04:27 PM
will_u_tellmemore wrote:
> Tauno Voipio wrote >>
>
> > If it's enough to get the packets (but not change them before
> > forwarding), have a look at libpcap.
>
> I also need to send fake packets to the kernel TCP layer through my hooks.
>
> > If it's something else, please explain what you're attempting
> > to achieve.
>
> I am trying to implement fault-tolerant TCP support through a loadable
> kernel module, for which I need to log every incoming TCP packet and
> sometimes generate fake ones.
>
> Also, after looking into the IPFilter source code, I think it doesn't
> export any such interface for hooks, but it itself uses such things. On
> Linux it uses Netfilter and on Solaris it uses the pfil module.
> So I feel I really don't have two options, Netfilter and IPFilter, but
> only one, i.e. NetFilter. These two things seem to be different.


You're on a wrong layer of the networking stack if you're hooking
at the IP layer (network). You should hook at the transport layer
(TCP), but, AFAIK, there are no ready hooks present.

It seems to me that you're doing a South Wrapper for FT-TCP. You need
to hook the socket side of TCP as well, for the North Wrapper. It's
not going with a simple kernel module without touching the TCP itself.

--

Tauno Voipio
tauno voipio (at) iki fi
 
Ridwan Nurhayat

 
      12-12-2006, 02:59 AM

Tauno Voipio wrote:
>
> You're on a wrong layer of the networking stack if you're hooking
> at the IP layer (network). You should hook at the transport layer
> (TCP), but, AFAIK, there are no ready hooks present.


Netfilter can work on the transport layer too. If you write a netfilter
module, then you can access/modify IP packets that contain a TCP header.

>
> It seems to me that you're doing a South Wrapper for FT-TCP. You need
> to hook the socket side of TCP as well, for the North Wrapper. It's
> not going with a simple kernel module without touching the TCP itself.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi


 
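
Added example (not part of any post in this thread): the last reply says a netfilter module can access IP packets that contain a TCP header. This user-space C code shows the bounds-checked walk from the IPv4 header to the TCP header that such a hook would need before logging a packet; `tcp_view`, `tcp_view_from_ipv4` and `SAMPLE_SYN` are hypothetical names, the packet bytes are constructed, and no kernel or Netfilter API is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct tcp_view {                      /* fields a logging hook would record */
    uint32_t saddr, daddr, seq, ack;
    uint16_t sport, dport;
    uint8_t  flags;
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* pkt points at the IPv4 header, which is what an IP-layer hook is handed.
 * Returns 0 and fills *out, or a negative code naming the check that failed. */
int tcp_view_from_ipv4(const uint8_t *pkt, size_t len, struct tcp_view *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;      /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* IP header length incl. options */
    size_t tot = rd16(pkt + 2);                         /* total length claimed by the header */
    if (ihl < 20 || tot < ihl || tot > len) return -2;  /* lengths disagree with the buffer */
    if (pkt[9] != 6) return -3;                         /* protocol is not TCP */
    if (rd16(pkt + 6) & 0x1fff) return -4;              /* later fragment: no TCP header here */
    if (tot - ihl < 20) return -5;                      /* TCP header truncated */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;           /* TCP header length incl. options */
    if (doff < 20 || doff > tot - ihl) return -6;       /* data offset points outside packet */
    out->saddr = rd32(pkt + 12);  out->daddr = rd32(pkt + 16);
    out->sport = rd16(tcp);       out->dport = rd16(tcp + 2);
    out->seq   = rd32(tcp + 4);   out->ack   = rd32(tcp + 8);
    out->flags = tcp[13];         out->payload_len = tot - ihl - doff;
    return 0;
}

/* Constructed sample: SYN from 192.0.2.1:50000 to 198.51.100.2:80, checksums left zero. */
static const uint8_t SAMPLE_SYN[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

int main(void)
{
    struct tcp_view v;
    int rc = tcp_view_from_ipv4(SAMPLE_SYN, sizeof SAMPLE_SYN, &v);
    printf("rc=%d dport=%u flags=0x%02x payload=%zu\n", rc, (unsigned)v.dport, (unsigned)v.flags, v.payload_len);
    return rc;
}
```

The checksum fields are not verified here; a hook that only logs can skip that, but one that makes decisions on the parsed fields should not.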
 
 
 