<div dir="ltr">Hi,<div><br></div><div>I'm writing a program to assist in learning/debugging TCP stacks, it creates a raw socket and replicates an exceedingly simple TCP stack. By which I mean, it sends and receives packets, setting correct flags, payloads etc.</div><div><br></div><div>One difficulty I've come across, after I've created a raw socket and sent my SYN packet, when the SYN+ACK packet arrives from the peer, my program receives it fine - but the kernel also resets the connection.</div><div><br></div><div>Example tcpdump dump where 192.168.1.12 is the program and 192.168.1.1 is the remote peer I'm trying to establish a connection with:</div><div><div>08:33:36.660321 IP 192.168.1.12.47775 > 192.168.1.1.80: Flags [S], seq 1023, win 0, length 0</div><div>08:33:36.660665 IP 192.168.1.1.80 > 192.168.1.12.47775: Flags [S.], seq 640280152, ack 1024, win 14600, options [mss 1460], length 0</div><div>08:33:36.660682 IP 192.168.1.12.47775 > 192.168.1.1.80: Flags [R], seq 1024, win 0, length 0</div><div><br></div><div>In previous iterations of this, I've simply created an iptables rules entry to drop this packet, but I feel there might be a better way. 
Others have mentioned to also bind to the socket, but this doesn't appear to be working.</div><div><br></div><div>I've been trying to trace the path through the kernel to find out if there's any support for what I'm trying to do (effectively discard the packet).</div><div><br></div><div>The code itself is written in Go, but the following are the syscalls I'm using (output from systrace):</div><div><div>socket(PF_INET, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_TCP) = 5</div><div>setsockopt(5, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0</div><div>bind(5, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.1.12")}, 16) = 0</div></div><div><br></div><div>I don't believe the bind call is actually required, and I've used the hping utility which uses socket(PF_PACKET, SOCK_RAW, 768) and exhibits the same behaviour (SYN+ACK is reset).</div><div><br></div><div>Also, I'm not debating the behaviour of the kernel, just whether I can do anything to change it.</div><div><br></div><div>Is there another option, or if this is too far off topic another place I could ask?</div><div><br></div><div>Thanks</div><div><br></div>-- <br><div class="gmail_signature">Bradley Falzon<br><a href="mailto:brad@teambrad.net" target="_blank">brad@teambrad.net</a></div>
</div></div>
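<div>Added example, not part of the original message: a small Go program that parses the tcpdump lines quoted above and flags a bare RST that answers a SYN+ACK with a sequence number equal to that SYN+ACK's ack number, which is the reset form RFC 793 specifies for a segment arriving where no connection exists. The names sampleTrace, parseTrace and stackResets are hypothetical, and the match is a heuristic over text output, not a kernel interface.</div>

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Sample input: the three tcpdump lines quoted in the post (names here are illustrative).
const sampleTrace = `08:33:36.660321 IP 192.168.1.12.47775 > 192.168.1.1.80: Flags [S], seq 1023, win 0, length 0
08:33:36.660665 IP 192.168.1.1.80 > 192.168.1.12.47775: Flags [S.], seq 640280152, ack 1024, win 14600, options [mss 1460], length 0
08:33:36.660682 IP 192.168.1.12.47775 > 192.168.1.1.80: Flags [R], seq 1024, win 0, length 0`

type segment struct {
	src, dst, flags string
	seq, ack        uint64
}

var lineRE = regexp.MustCompile(`IP (\S+) > (\S+): Flags \[([^\]]+)\], seq (\d+)(?:, ack (\d+))?`)

// parseTrace extracts endpoints, flags, seq and ack (0 when absent) from each line.
func parseTrace(trace string) []segment {
	var segs []segment
	for _, m := range lineRE.FindAllStringSubmatch(trace, -1) {
		seq, _ := strconv.ParseUint(m[4], 10, 32)
		ack, _ := strconv.ParseUint(m[5], 10, 32) // empty capture parses as 0
		segs = append(segs, segment{m[1], m[2], m[3], seq, ack})
	}
	return segs
}

// stackResets returns flows ("src > dst") where a bare RST follows a SYN+ACK
// from the opposite direction and carries seq equal to that SYN+ACK's ack.
func stackResets(segs []segment) []string {
	var hits []string
	for i, r := range segs {
		for _, sa := range segs[:i] {
			if r.flags == "R" && sa.flags == "S." && sa.src == r.dst && sa.dst == r.src && sa.ack == r.seq {
				hits = append(hits, r.src+" > "+r.dst)
				break
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(stackResets(parseTrace(sampleTrace)))
}
```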