Packet mangling utilities besides iptables?


Problem description

I'm looking for a Linux utility that can alter the payloads of network packets based on a set of rules. Ideally, I'd use iptables and the netfilter kernel module, but they don't support generic payload mangling: iptables will alter various header fields (addresses, ports, TOS, etc.), and it can match arbitrary bytes within a packet, but it apparently is unable to alter arbitrary data within the packet.

A kernel module would be a big plus, as efficiency is a concern, but I'm happy to explore any other options that would get the job done.

Thanks for your ideas!

Belated update:

We chose to use the NFQUEUE module, which is the latest implementation of the QUEUE modules that Robert Gamble suggested. It appeared to be fairly simple, with a safety bonus for allowing our code to run in user, not kernel, space.

The implementation would have been almost trivial if we'd simply wanted to alter the payload without changing its size. In that case, we'd define an iptables rule to select the "interesting" packets for us and send them to an NFQUEUE target. We'd write a callback function that would inspect the packets from NFQUEUE, modify the data as required, and recalculate the checksums in their TCP and IP headers.

However, our use case involves injecting additional characters into the data stream. This has the somewhat obvious side-effect of increasing the corresponding SEQ/ACK numbers in the TCP stream, and the not-so-obvious side-effect of confusing the conntrack module enough that it breaks NAT entirely. After a lot of research, head-scratching, and experimentation, the most expedient solution was to disable connection tracking for these particular packets (with the NOTRACK target in the raw table) and handle it in our callback. Save your tomatoes and hate mail; I'm not at all proud to let you under the hood, but it was the only way to get a reliable product to the customer before the next Ice Age. And it's a good story. But I truly appreciate, and share, your heartfelt sentiments.

Version 2 will leverage our newfound enlightenment by replacing our callback and several iptables rules with a custom NAT and/or conntrack helper. We're confident that the current exercise has given us enough experience to create a kernel module that will fit organically into the netfilter architecture to solve the problems we encountered.
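The same-size case of the callback described in the update (inspect the queued packet, rewrite bytes in the TCP payload, recompute the IP header and TCP checksums) as an added example in plain Python; it is not code from the original post or from libnetfilter_queue, and the packet layout, addresses and HTTP payload are constructed assumptions. It also shows the failure mode the update describes: a size-changing rewrite is refused because it would shift the SEQ/ACK numbering.

```python
import struct

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _split(pkt: bytes):
    """Return (ip_header, tcp_segment, payload_offset) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4               # TCP data offset
    return pkt[:ihl], tcp, ihl + doff

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum (pseudo-header included)."""
    ip, tcp, _ = _split(pkt)
    ip = bytearray(ip); ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _csum(ip))
    tcp = bytearray(tcp); tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, 0, proto, len
    tcp[16:18] = struct.pack("!H", _csum(pseudo + tcp))
    return bytes(ip) + bytes(tcp)

def checksums_valid(pkt: bytes) -> bool:
    """Receiver's view: a region with a correct checksum sums to zero after complement."""
    ip, tcp, _ = _split(pkt)
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(ip) == 0 and _csum(pseudo + tcp) == 0

def mangle_payload(pkt: bytes, old: bytes, new: bytes) -> bytes:
    """Replace every occurrence of old with new in the TCP payload; same size only."""
    if len(old) != len(new):
        raise ValueError("size-changing rewrite would shift SEQ/ACK; not handled here")
    _, _, off = _split(pkt)
    return fix_checksums(pkt[:off] + pkt[off:].replace(old, new))

def build_packet(payload: bytes) -> bytes:
    """Constructed sample: IPv4/TCP 10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK, valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fix_checksums(ip + tcp)
```

In an NFQUEUE handler the bytes returned by mangle_payload are what you would hand back with the verdict (nfq_set_verdict takes the modified buffer and its length); without fix_checksums the peer silently drops the segment.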

Recommended answer

I haven't used it, but the QUEUE netfilter target looks like it might work. It uses a netlink socket and a userspace application registered to the socket to perform the payload modifications.

The libipq man page contains details on how to use this and provides a simple example.
