TCP checksum not transmited to the wire!

Khaled Dassouki thisiskd at hotmail.com
Mon Jan 28 10:08:08 EST 2013


Hello,

I am trying to use netfilter to program my own firewall. To
make a forwarding test to the local machine, I made a test program that change
a certain destination IP address in the PRE ROUTING HOOK to my local machine, I
changed back the source IP address in the POST ROUTING hook to the old
destination address. I computed TCP and IP checksums in this hook but I still
have a bad TCP checksum on the receiver. I can see in the POST ROUTING hook
that my checksum was changed! Below is my code

 

#include <linux/module.h>

#include <linux/kernel.h>

#include <linux/proc_fs.h>

#include <linux/list.h>

#include <asm/uaccess.h>

#include <linux/udp.h>

#include <linux/tcp.h>

#include <linux/skbuff.h>

#include <linux/ip.h>

#include <linux/netfilter.h>

#include <linux/netfilter_ipv4.h>

#include <net/ip.h>

 

static struct nf_hook_ops nfho;

static struct nf_hook_ops nfho_out;

 

  

unsigned int hook_func_in(unsigned int hooknum, struct
sk_buff *skb, 

          const struct
net_device *in, const struct net_device *out,

          int (*okfn)(struct
sk_buff *)) {

    

    u32 local =
1090627776; //my machine IP 192.168.1.65

    struct iphdr
*ip_header = (struct iphdr *)skb_network_header(skb);

    struct tcphdr
*tcp_header = (struct tcphdr *)skb_transport_header(skb);

    unsigned int src_port
= (unsigned int)ntohs(tcp_header->source);

   
ip_header->daddr = local;

    //printk(KERN_INFO
"PRE: saddr: %pI4 %u, daddr: %pI4, %u", &ip_header->saddr,
ip_header->saddr, &ip_header->daddr, ip_header->daddr);

    //printk("IN
saddr: %pI4 daddr: %pI4 len: %u check: %x\n", &ip_header->saddr,
&ip_header->daddr, src_port, tcp_header->check);       

    return
NF_ACCEPT;                

  

}

 

 

 

   

unsigned int hook_func_out(unsigned int hooknum, struct
sk_buff *skb, const struct net_device *in, const struct net_device *out,

          int
(*okfn)(struct sk_buff *)) 

{

    

    struct iphdr
*ip_header = (struct iphdr *)skb_network_header(skb);

    

    u32 dest =
388809389; //the old destination ip

    ip_header->saddr
= dest;

    

    struct tcphdr
*tcp_header = (struct tcphdr *)skb_transport_header(skb);

   
tcp_header->check = 0;

   

    int len =
skb->len-20;

    unsigned int
src_port = (unsigned int)ntohs(tcp_header->source);

   
tcp_header->check = csum_tcpudp_magic(ip_header->saddr,
ip_header->daddr, len, IPPROTO_TCP, csum_partial((char *)tcp_header, len,
0));

   
ip_header->check = 0;

    ip_send_check
(ip_header);

    //to check changes

    printk(
"saddr: %pI4 daddr: %pI4 check: %x\n", &ip_header->saddr,
&ip_header->daddr, 
tcp_header->check);

    int i;

    for (i=0;
i<skb->len; i++)

       
printk("%x", skb->data[i]);

   
printk("\n");

 

    return
NF_ACCEPT;            

  }

   

   

  

  /* Initialization
routine */

  int init_module() {

 

    printk(KERN_INFO
"initialize kernel module\n");

      

      /* Fill in the
hook structure for incoming packet hook*/

      nfho.hook =
hook_func_in;

      nfho.hooknum =
NF_INET_PRE_ROUTING;

      nfho.pf =
PF_INET;

      nfho.priority =
NF_IP_PRI_FIRST;

     
nf_register_hook(&nfho);        
// Register the hook

      /* Fill in the
hook structure for outgoing packet hook*/

      nfho_out.hook =
hook_func_out;

      nfho_out.hooknum
= NF_INET_POST_ROUTING;

      nfho_out.pf =
PF_INET;

      nfho_out.priority
= NF_IP_PRI_FIRST;

     
nf_register_hook(&nfho_out);   
// Register the hook

 

 

    

      return 0;

  }

   

  /* Cleanup routine
*/

  void
cleanup_module() {

      

     
nf_unregister_hook(&nfho);

     
nf_unregister_hook(&nfho_out);

 

      

      printk(KERN_INFO
"kernel module unloaded.\n");

  }

 

 

Would you please help me, I spent 10 days working on this
issue and not solved yet.

Best, 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20130128/4f65cc38/attachment-0001.html 


More information about the Kernelnewbies mailing list