Using Netfilter to encapsulate and decapsulate IPv4 Packets
Problem description
I have two hooks in the netfilter framework.
One at NF_IP_PRE_ROUTING for incoming packets and the other at NF_IP_LOCAL_OUT for outgoing packets.
Sending packets:
Now, all IPv4 packets sent out from a particular IP address are encapsulated in another IPv4-UDP packet.
I use the pskb_expand_head API to have more headroom for encapsulation, and then ip_route_output_key to find the appropriate rtable. Using the rtable, I reassign skb->dst and skb->dev. Then I just go ahead and accept the packet using NF_ACCEPT.
skb_dst_drop(skb);
skb_dst_set(skb, &rt->dst);
skb->dev = skb_dst(skb)->dev;
Receiving packets:
Now, all encapsulated packets are received and are identified based on port number. The encapsulation (IP+UDP+XYZ header) is pulled out. Similar to the outgoing packet, I use ip_route_output_key to get the rt (rtable). Using the rtable, I reassign skb->dst and skb->dev, and then I accept the packet with NF_ACCEPT.
So, it happens that I also receive the defrag incoming packets, and I am a bit confused about how they are supposed to be dealt with.
I would want defrag packets to be queued and later receive the entire packet. Any ideas on that? I have been going through the functions available:
ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);
But this seems to be used for assembling packets in the NF_IP_LOCAL_IN stage, but I want the assembled packet in the NF_IP_PRE_ROUTING stage.
Any help on this will be appreciated.
Recommended answer
Set CONFIG_NF_DEFRAG_IPV4, which is defined in /net/ipv4/netfilter/Kconfig; its hooks ipv4_defrag_ops[] would sit at NF_INET_PRE_ROUTING and NF_INET_LOCAL_OUT. Your hooks should be of a priority larger than NF_IP_PRI_CONNTRACK_DEFRAG; therefore, your hooks are executed after ipv4_defrag_ops[], which would do the assembly for you at the NF_IP_PRE_ROUTING stage. After that, the skb that goes to your hooks should be an assembled packet.
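The following is an added example, not code from the question or the answer: a user-space C function showing why port-based identification of tunnel traffic needs reassembled packets, and which length checks should precede pulling the outer IP+UDP+XYZ headers. TUNNEL_PORT and XYZ_HDR_LEN are assumed values, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TUNNEL_PORT 40000u /* assumption: UDP port that marks tunnel traffic */
#define XYZ_HDR_LEN 8u     /* assumption: size of the custom XYZ header */

enum decap_verdict { DECAP_PASS, DECAP_FRAGMENT, DECAP_MALFORMED, DECAP_OK };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decide what a PRE_ROUTING decap hook may do with a raw IPv4 packet.
 * On DECAP_OK, *inner_off is the offset of the inner IPv4 header. */
enum decap_verdict classify_outer(const uint8_t *pkt, size_t len, size_t *inner_off)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DECAP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len)
        return DECAP_MALFORMED;
    if (pkt[9] != 17)                 /* not UDP, so not tunnel traffic */
        return DECAP_PASS;
    /* MF set or offset != 0 (the condition ip_is_fragment() tests): the UDP
     * header is absent or the datagram is incomplete, so the port is unusable. */
    if (rd16(pkt + 6) & 0x3fff)
        return DECAP_FRAGMENT;
    if (tot < ihl + 8)
        return DECAP_MALFORMED;
    const uint8_t *udp = pkt + ihl;
    if (rd16(udp + 2) != TUNNEL_PORT)
        return DECAP_PASS;
    size_t ulen = rd16(udp + 4);      /* must hold UDP + XYZ + inner IPv4 header */
    if (ulen < 8 + XYZ_HDR_LEN + 20 || ulen > tot - ihl)
        return DECAP_MALFORMED;
    *inner_off = ihl + 8 + XYZ_HDR_LEN;
    return DECAP_OK;
}

/* Constructed sample: outer IPv4 + UDP (dport 40000) + 8-byte XYZ + inner IPv4. */
static const uint8_t sample_pkt[56] = {
    0x45,0,0,56, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
    0x9c,0x40,0x9c,0x40, 0,36,0,0,
    0,0,0,0,0,0,0,0,
    0x45,0,0,20, 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2,
};

int main(void)
{
    size_t off = 0;
    enum decap_verdict v = classify_outer(sample_pkt, sizeof sample_pkt, &off);
    printf("verdict=%d inner_off=%zu\n", (int)v, off);
    return 0;
}
```

With the defrag hook running first, as the answer describes, a hook like this should never see DECAP_FRAGMENT; treating that verdict as an error makes a misordered priority visible instead of silently decapsulating garbage.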