Using Netfilter to encapsulate and decapsulate IPv4 Packets


Problem description

I have two hooks in the netfilter framework.

One at NF_IP_PRE_ROUTING for incoming packets and the other at NF_IP_LOCAL_OUT for outgoing packets.

Outgoing packets:

Now, all IPv4 packets sent out from a particular IP address are encapsulated in another IPv4-UDP packet.

I use the pskb_expand_head API to have more headroom for encapsulation. Then I use ip_route_output_key to find the appropriate rtable. Using the rtable, I reassign skb->dst and skb->dev. Then I just go ahead and accept the packet using NF_ACCEPT.

skb_dst_drop(skb);
skb_dst_set(skb, &rt->dst);
skb->dev = skb_dst(skb)->dev;

Incoming packets:

Now, all encapsulated packets are received and are identified based on port number. The encapsulation (IP+UDP+XYZ header) is pulled out. Similar to the outgoing packet, I use ip_route_output_key to get the rt (rtable). Using the rtable, I reassign skb->dst and skb->dev. And then I accept the packet with NF_ACCEPT.

So, it happens that I also receive the defrags incoming packets, and I am in a bit of confusion about how they are supposed to be dealt with.

I would want defrag packets to be queued and later receive the entire packet. Any ideas on that? I have been going through the functions available:

ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);

But this seems to be used for assembling packets in the NF_IP_LOCAL_IN stage, but I want the assembled packet in the NF_IP_PRE_ROUTING stage.

Any help on this will be appreciated.

Recommended answer

Set CONFIG_NF_DEFRAG_IPV4, which is defined in /net/ipv4/netfilter/Kconfig; its hooks ipv4_defrag_ops[] would sit at NF_INET_PRE_ROUTING and NF_INET_LOCAL_OUT. Your hooks should be of a priority larger than NF_IP_PRI_CONNTRACK_DEFRAG, so that your hooks are executed after ipv4_defrag_ops[], which would do the assembly for you at the NF_IP_PRE_ROUTING stage. After that, the skb that goes to your hooks should be an assembled packet.
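
Why reassembly has to come before the decapsulation hook, shown as an added example that is not part of the original question or answer: a user-space C model of the checks such a hook would make on the outer packet before pulling the IP+UDP+XYZ headers. The port 5555, the 8-byte XYZ header length, the function name and the sample packet are assumptions; the page gives none of them.

```c
/* Added example: user-space model of the check, not kernel code from the page.
 * ENCAP_PORT and XYZ_HDR_LEN are assumed; the page gives neither value. */
#include <stddef.h>
#include <stdint.h>

#define ENCAP_PORT   5555u
#define XYZ_HDR_LEN  8u
#define FRAG_MF      0x2000u  /* "more fragments" flag */
#define FRAG_OFFMASK 0x1FFFu  /* fragment offset, in 8-byte units */
enum { V_MALFORMED = -2, V_FRAGMENT = -1, V_NOT_ENCAP = 0 };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Returns the number of outer bytes to pull (> 0), or one of the V_* codes.
 * Checksums are not verified here. */
int classify_outer(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4, tot = be16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len)
        return V_MALFORMED;
    if (pkt[9] != 17)                       /* outer protocol is not UDP */
        return V_NOT_ENCAP;
    /* Only the first fragment carries the UDP header and no fragment holds
     * the whole inner packet, so a fragment must be reassembled first. */
    if (be16(pkt + 6) & (FRAG_MF | FRAG_OFFMASK))
        return V_FRAGMENT;
    if (tot < ihl + 8)
        return V_MALFORMED;
    if (be16(pkt + ihl + 2) != ENCAP_PORT)  /* UDP destination port */
        return V_NOT_ENCAP;
    size_t udp_len = be16(pkt + ihl + 4), hdrs = 8 + XYZ_HDR_LEN;
    if (udp_len < hdrs + 20 || ihl + udp_len > tot)
        return V_MALFORMED;
    const uint8_t *in = pkt + ihl + hdrs;   /* inner IPv4 header */
    size_t in_ihl = (size_t)(in[0] & 0x0F) * 4, in_tot = be16(in + 2);
    if ((in[0] >> 4) != 4 || in_ihl < 20 ||
        in_tot < in_ihl || in_tot > udp_len - hdrs)
        return V_MALFORMED;
    return (int)(ihl + hdrs);
}

/* Constructed sample: outer IPv4 + UDP(5555) + 8-byte XYZ + inner IPv4 header. */
static uint8_t sample[56] = {
    0x45,0,0,56, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
    0x15,0xB3,0x15,0xB3, 0,36,0,0,  0,0,0,0,0,0,0,0,
    0x45,0,0,20, 0,2,0,0, 64,1,0,0, 198,51,100,1, 198,51,100,2 };

int main(void) { return classify_outer(sample, sizeof sample) > 0 ? 0 : 1; }
```

A hook that runs before reassembly sees V_FRAGMENT for every piece of a fragmented tunnel packet and has nothing safe to pull, which is the case the answer's priority ordering avoids.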
