Query TCP states/connection tracking table in Linux Kernel Module

Yadunandan Pillai thesw4rm at pm.me
Thu Sep 19 02:12:46 EDT 2019


Hi,

I'm developing a proxy system for TCP handshakes. Essentially, it's a similar system to a TRAP server where SYN packets will be handled by a proxy server and once the handshake completes, the connection gets handed off to the actual server. In my implementation, I have a few extra functionalities I'm adding in which require me to notify a third party once a valid handshake ACK is received. However, I'm unable to find a way to verify an incoming ACK packet.

My initial implementation was using NFQueue and IPtables in user space, where I'll simply intercept ACK packets with the ESTABLISHED state (iptables --tcp-flags SYN,ACK,... ACK -m state --state ESTABLISHED) and queue them to one of the netfilter queues where I then ensure that they don't have a payload (therefore, confirming it is a handshake packet with ACK flag. Currently ignoring things like TCP Fast Open where the payload is included in the handshake ACK packet).

If IPtables can access the connection tracking tables, then that means it is possible from a netfilter kernel module. I'm just not sure how? I've got a general concept of how networking works in the Linux kernel but a bit clueless on the actual implementation. Any help?

-- Swarm
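
The userspace payload check described in the post (an ACK-flagged segment carrying no data, as seen by an NFQUEUE handler), written out as an added example that is not part of the original message. The function name `is_bare_ack` and the sample packet are constructed for illustration, and the buffer is assumed to start at the IPv4 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_ACK = 0x10 };

/* Returns 1 if pkt is an unfragmented IPv4/TCP segment with ACK set,
 * SYN/FIN/RST clear and zero payload bytes; 0 if it is anything else;
 * -1 if the headers are malformed or the buffer is truncated. */
int is_bare_ack(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* IP header length */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];  /* IP total length */
    if (ihl < 20 || tot < ihl || tot > len)
        return -1;
    if (pkt[9] != 6)                              /* protocol is not TCP */
        return 0;
    if (((pkt[6] & 0x3f) << 8) | pkt[7])          /* MF bit or fragment offset */
        return 0;
    size_t tcp_len = tot - ihl;                   /* use tot, not len: ignores padding */
    if (tcp_len < 20)
        return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;     /* TCP header incl. options */
    if (doff < 20 || doff > tcp_len)
        return -1;
    if ((tcp[13] & (F_ACK | F_SYN | F_FIN | F_RST)) != F_ACK)
        return 0;
    return (tcp_len - doff) == 0 ? 1 : 0;
}

/* Constructed sample: 192.0.2.1:49152 -> 198.51.100.2:80, ACK, no payload.
 * Checksums are left as zero; this function does not verify them. */
static const uint8_t sample_ack[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x02,
    0xc0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x50, 0x10, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    printf("bare ACK: %d\n", is_bare_ack(sample_ack, sizeof sample_ack));
    return 0;
}
```

A payload-less ACK also occurs throughout an established connection, so this check by itself does not single out the third handshake segment.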