gpt4 book ai didi

c - 标记数据包以通过原始套接字发送

转载 作者:塔克拉玛干 更新时间:2023-11-03 01:08:02 24 4
gpt4 key购买 nike

我有以下通过原始套接字发送数据包的函数。

#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>

#include "pkt-types.h"
#include "pkt-log.h"
#include "pkt-utils.h"

int
send_packet_raw (void *data, int size)
{
log_message (LOG_DEBUG, " inside send_packet_raw");
int sd;
struct iphdr *iph = (struct iphdr *) data;
struct udphdr *udph = (struct udphdr *) (data + sizeof (struct ip));
struct sockaddr_in sin;
// needed for notify kernel to not to build header for this
int one = 1;
const int *val = &one;
// creating a socket
if ((sd = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)) < 0)
{
log_message (LOG_ERROR, " problem creating a socket");
return EXITCODE_SOCK_CREATION_FAILED;
}
// setting address family
sin.sin_family = AF_INET;
// setting port
sin.sin_port = udph->dest;
// setting ip
sin.sin_addr.s_addr = iph->daddr;
// notifying kernel do not fill up the packet structure.
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about raw socket");
return EXITCODE_SOCK_KERN_NOTIF_FAILED;
}
/* setting socket option to use MARK value */
if (setsockopt (sd, SOL_SOCKET, SO_MARK, val, sizeof (one)) < 0)
{
log_message (LOG_ERROR, "error notifying kernel about MARK");
return EXITCODE_SOCK_MARK_FAILED;
}
#ifdef CHECKSUM
/* compute checksum */
udph->check = udp_checksum (data + IP_OFFSET, size - IP_OFFSET, iph->saddr, iph->daddr);
/* testing purposed */
#else
udph->check = 0x00;
#endif
/* dscp 101000 means express forwarding */
if (sendto (sd, /* our socket */
data, /* data to send */
size, /* total length of our ip packet */
0, /* routing flag, normally always zero */
(struct sockaddr *) &sin, /* socket addr */
sizeof (sin)) < 0)
{
log_message (LOG_ERROR, "sending over raw socket failed");
return EXITCODE_SOCK_SEND_FAILED;
}
else
{
/* shutdown the socket */
if(shutdown (sd, 2)) /* shutdown ok */
return EXITCODE_OK;
}
}

现在我正在从 libnetfilter_queue 的 nfq_set_verdict2() 设置标记:http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html

int nfq_set_verdict2    (   struct nfq_q_handle *   qh,
u_int32_t id,
u_int32_t verdict,
u_int32_t mark,
u_int32_t data_len,
const unsigned char * buf
)
nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.

Parameters:
qh Netfilter queue handle obtained by call to nfq_create_queue().
id ID assigned to packet by netfilter.
verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
mark mark to put on packet
data_len number of bytes of data pointed to by buf
buf the buffer that contains the packet data

当我收到来自 netfilter_queue 的数据包时,我会执行以下操作:

nfq_set_verdict(..,NF_DROP,MARK,...);
process_packet();

这个 process_packet() 调用 send_packet_raw()。

关联的 iptable 规则:

$iptables -t mangle -A PREROUTING -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A PREROUTING -p udp --dport $PORT -j NFQUEUE
$iptables -t mangle -A OUTPUT -m mark --mark 0xa -j ACCEPT
$iptables -t mangle -A OUTPUT -p udp --sport $PORT -j NFQUEUE

我还设置了一些 -j 日志规则来查看数据包是否实际匹配。但由于没有显示日志条目,因此数据包似乎既没有发出也没有进入。无法理解如何在此处找到问题。

最佳答案

不太确定问题是什么,但是

nfq_set_verdict(..,NF_DROP,MARK,...);
process_packet();

看起来很糟糕。我不会在处理数据包之前调用 NF_DROP。我写了几个隧道程序,我首先处理数据包,把它放在我的缓冲区中,发出一个 NF_DROP。在此之后,我可以使用原始套接字从缓冲区重新发出数据包。所以:

process_packet();    
nfq_set_verdict(..,NF_DROP,MARK,...);

会更好。至少在发布判决之前复制数据包数据。

关于c - 标记数据包以通过原始套接字发送,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10653655/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com