ideality

@linux c 编程@

日志

关于我

cooliron

喜欢开源,愿意结识青岛使用开源的朋友,一起学习,工作。

文章分类

教你修改以及重构skb(转)

2012-12-25 21:32:23| 分类： netfilter | 标签： |举报 |字号大中小订阅

下载LOFTER 我的照片书 |

测试环境：
CentOS5.3 2.6.18
工具:
sendip和wireshark
sendip可以发送各种数据包,确实方便.wireshark图形化的显示对于分析整个数据包还是相当不错的...

一：内核态基于Netfilter构造数据包
主要有两种方式：
1. alloc_skb申请一个skb结构体，然后根据实际的应用填充不同的成员，或者基于当前数据包的skb，
调用skb_copy() pskb_copy() skb_copy_expand()等新申请一个nskb，并且拷贝skb的内容。
2. 直接在先前接收到的数据包skb上作修改，主要有源IP、目IP，如果是TCP/UDP协议的话，还有源端口目的端口号。
就是根据你自己的需求去调整数据包的相关成员即可。然后重新计算各个部分的校验和。

不管你第一种方式还是第二种方式,你需要知道你也必须知道的就是对于l2 l3 l4层的数据你都必须去构造,我之前就是
由于没有构造L2而郁闷了一天...
让我们先从一个小程序开始,把5个hook都挂上mac这个函数,主要就是看看l2，对于l3 l4以及应用层我以前的几个帖子里面
已经有很多了,这里就不说了

printk("------begin %s--------\n", hooks[hooknum]);
print_ipproto(iph->protocol);
printk("len is %d, data len is %d\n", nskb->len, nskb->data_len);
if(nskb->mac_len > 0)
{
eth = (struct ethhdr*)(nskb->mac.raw);
print_mac(eth);
}
printk("------end %s--------\n", hooks[hooknum]);

复制代码

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/tcp.h>
#include <net/udp.h>
#include <net/icmp.h>
#include <linux/netfilter_ipv4.h>
#define MAC_FMT "%02x:%02x:%02x:%02x:%02x:%02x"
#define MAC_ARG(x) ((u8*)(x))[0],((u8*)(x))[1],((u8*)(x))[2],((u8*)(x))[3],((u8*)(x))[4],((u8*)(x))[5]
MODULE_LICENSE("GPL");
MODULE_AUTHOR("kenthy@163.com");
const char* hooks[] ={ "NF_IP_PRE_ROUTING",
"NF_IP_LOCAL_IN",
"NF_IP_FORWARD",
"NF_IP_LOCAL_OUT",
"NF_IP_POST_ROUTING"};
void print_ipproto(int proto)
{
switch(proto)
{
case IPPROTO_ICMP:
printk("%s\n", "IPPROTO_ICMP");
break;
case IPPROTO_TCP:
printk("%s\n", "IPPROTO_TCP");
break;
case IPPROTO_UDP:
printk("%s\n", "IPPROTO_UDP");
break;
default:
printk("%s\n", "other IPPROTO");
}
}
void print_mac(struct ethhdr* eth)
{
if(eth==NULL)
return;
if(eth->h_source!=NULL)
printk("SOURCE:" MAC_FMT "\n", MAC_ARG(eth->h_source));
if(eth->h_dest!=NULL)
printk("DEST:" MAC_FMT "\n", MAC_ARG(eth->h_dest));
}
unsigned int
mac(unsigned int hooknum,
struct sk_buff** skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff*))
{
struct sk_buff* nskb;
struct iphdr *iph = NULL;
struct ethhdr* eth;
nskb = *skb;
if(nskb==NULL)
{
printk("%s\n", "*skb is NULL");
return NF_ACCEPT;
}
iph = ip_hdr(nskb);
if(iph == NULL)
{
printk("%s\n", "*iph is NULL");
return NF_ACCEPT;
}
printk("------begin %s--------\n", hooks[hooknum]);
print_ipproto(iph->protocol);
printk("len is %d, data len is %d\n", nskb->len, nskb->data_len);
if(nskb->mac_len > 0)
{
eth = (struct ethhdr*)(nskb->mac.raw);
print_mac(eth);
}
else
printk("%s", "mac is NULL");
printk("------end %s--------\n", hooks[hooknum]);
return NF_ACCEPT;
}
static struct nf_hook_ops mac_ops[] = {
{
.hook = mac,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_FIRST,
},
{
.hook = mac,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_FIRST,
},
{
.hook = mac,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_FORWARD,
.priority = NF_IP_PRI_FIRST,
},
{
.hook = mac,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_FIRST,
},
{
.hook = mac,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_POST_ROUTING,
},
};
static int __init init(void)
{
int ret;
ret = nf_register_hooks(mac_ops, ARRAY_SIZE(mac_ops));
if (ret < 0) {
printk("http detect:can't register mac_ops detect hook!\n");
return ret;
}
printk("insmod mac_ops detect module\n");
return 0;
}
static void __exit fini(void)
{
nf_unregister_hooks(mac_ops, ARRAY_SIZE(mac_ops));
printk("remove mac_ops detect module.\n");
}
module_init(init);
module_exit(fini);

复制代码

  insmod mac.ko加载mac模块后,随便发个ping包
  Jan 10 09:44:13 nfs-client kernel: ------begin NF_IP_LOCAL_OUT--------
Jan 10 09:44:13 nfs-client kernel: IPPROTO_ICMP
Jan 10 09:44:13 nfs-client kernel: len is 84, data len is 0
Jan 10 09:44:13 nfs-client kernel: mac is NULL------end  NF_IP_LOCAL_OUT--------
Jan 10 09:44:13 nfs-client kernel: ------begin NF_IP_PRE_ROUTING--------
Jan 10 09:44:13 nfs-client kernel: IPPROTO_ICMP
Jan 10 09:44:13 nfs-client kernel: len is 84, data len is 0
Jan 10 09:44:13 nfs-client kernel: SOURCE:00:50:56:fa:70:2a
Jan 10 09:44:13 nfs-client kernel: DEST:00:0c:29:4f:de:ac
Jan 10 09:44:13 nfs-client kernel: ------end  NF_IP_PRE_ROUTING--------
Jan 10 09:44:13 nfs-client kernel: ------begin NF_IP_LOCAL_IN--------
Jan 10 09:44:13 nfs-client kernel: IPPROTO_ICMP
Jan 10 09:44:13 nfs-client kernel: len is 84, data len is 0
Jan 10 09:44:13 nfs-client kernel: SOURCE:00:50:56:fa:70:2a
Jan 10 09:44:13 nfs-client kernel: DEST:00:0c:29:4f:de:ac
Jan 10 09:44:13 nfs-client kernel: ------end  NF_IP_LOCAL_IN--------
可以看到对于挂载在out上的数据包mac已经被剥掉

当接收一个包时，处理n层协议头的函数从n-1层收到一个缓冲区，它的skb->data指向n层协议的头。处理n层协议的函数把本层的指针(例如，L3对应的是skb->nh指针)初始化为skb->data，因为这个指针的值会在处理下一层协议时改变(skb->data将被初始化成缓冲区里的其他地址)。在处理n层协议的函数结束时，在把包传递给n+1层的处理函数前，它会把skb->data指针指向n层协议头的末尾，这正好是n+1层协议的协议头。

发送包的过程与此相反，但是由于要为每一层添加新的协议头，这个过程要比接收包的过程复杂。

评论这张

转发至微博

阅读(626)| 评论(0)

历史上的今天

this.p={  m:2,
              b:2,
              loftPermalink:'',
              id:'fks_087065086085085068085082083066072087083071083086085066087094',
              blogTitle:'教你修改以及重构skb(转)',
              blogAbstract:'<table cellspacing=\"0\"  cellpadding=\"0\"  style=\"word-wrap: break-word; empty-cells: show; border-collapse: collapse; table-layout: fixed; width: 855.2000122070313px; color: rgb(0, 0, 0); font-family: song, Verdana; font-size: 12px; line-height: normal; text-align: start; background-color: rgb(240, 243, 250);\"  \><tbody style=\"word-wrap: break-word;\"  \><tr style=\"word-wrap: break-word;\"  \><td id=\"postmessage_13967023\"  style=\"word-wrap: break-word; font-size: 14px; line-height: 1.6em;\"  \>测试环境：<br style=\"word-wrap: break-word;\"  \>   CentOS5.3 2.6.18<br style=\"word-wrap: break-word;\"  \>工具:<br style=\"word-wrap: break-word;\"  \>   sendip和wireshark<br style=\"word-wrap: break-word;\"  \>   sendip可以发送各种数据包,确实方便.wireshark图形化的显示对于分析整个数据包还是相当不错的...</td\></tr\></table\>',
              blogTag:'',
              blogUrl:'blog/static/1247031382012112593215109',
              isPublished:1,
              istop:false,
              type:0,
              modifyTime:1356442343375,
              publishTime:1356442343327,
              permalink:'blog/static/1247031382012112593215109',
              commentCount:0,
              mainCommentCount:0,
              recommendCount:0,
              bsrk:-100,
              publisherId:0,
              recomBlogHome:false,
              currentRecomBlog:false,
              attachmentsFileIds:[],
              vote:{},
              groupInfo:{},
              friendstatus:'none',
              followstatus:'unFollow',
              pubSucc:'',
              visitorProvince:'',
              visitorCity:'',
              visitorNewUser:false,
              postAddInfo:{},
              mset:'000',
              mcon:'',
              srk:-100,
              remindgoodnightblog:false,
              isBlackVisitor:false,
              isShowYodaoAd:false,
              hostIntro:'  喜欢开源,愿意结识青岛使用开源的朋友,一起学习,工作。',
              hmcon:'1',
              selfRecomBlogCount:'0',
              lofter_single:'<iframe width="140" height="560" style="overflow:hidden;" src="http://www.lofter.com/mailEntry.do?blogad=1&blog" frameBorder="0"></iframe>'
            }

{list a as x}
    {if !!x}
    <div class="iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
      {if x.visitorName==visitor.userName}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        {if x.moveFrom=='wap'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/wapblog.html?frompersonalbloghome"><span title="来自网易手机博客" class="iblock wapIcon"> </span></a>
        {elseif x.moveFrom=='iphone'}
          <a class="noul pnt" target="_blank"><span title="来自iPhone客户端" class="iblock iphoneIcon"> </span></a>
        {elseif x.moveFrom=='android'}
          <a class="noul pnt" target="_blank"><span title="来自Android客户端" class="iblock androidIcon"> </span></a>
        {elseif x.moveFrom=='mobile'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/emsblog.html?frompersonalbloghome"><span title="来自网易短信写博" class="iblock wapIcon"> </span></a>
        {/if}
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
          ${fn(x.visitorNickname,8)|escape}
        </a>
      </div>
    </div>
    {/if}
    {/list}

<#--最新日志，群博日志--> <#--推荐日志-->

<p class="fc06">推荐过这篇日志的人：</p>
    <div>
      {list a as x}
      {if !!x}
      <div class="iblock nbw-fce nbw-f40">
        <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
        <img alt="${x.recommenderNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.recommenderName)}"/>
        </a>
        <div class="cwd thide">
          <a class="fc03 m2a" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
            ${fn(x.recommenderNickname,6)|escape}
          </a>
        </div>
      </div>
      {/if}
      {/list}
    </div>
    {if !!b&&b.length>0}
    <p  class="fc06">他们还推荐了：</p>
    <ul>
    {list b as y}
      {if !!y}
        <li class="rrb"><span class="iblock">·</span><a class="fc03 m2a" target="_blank" href="http://blog.163.com/${y.recommendBlogPermalink}/?from=blog/static/1247031382012112593215109">${y.recommendBlogTitle|escape}</a></li>
      {/if}
    {/list}
    </ul>
    {/if}

<#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇，下一篇--> <#-- 热度 -->

{list a as x}
    {if !!x}
    <div class="hotItem iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
      {if x.publisherUsername==visitor.userName}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
          ${fn(x.publisherNickname,8)|escape}
        </a>
      </div>
      <a class="f-myLikeIcons hottype {if x.type==1} js-liketype{elseif x.type==2} js-reblogtype{elseif x.type==3} js-sharetype{else}{/if}" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/"> </a>
    </div>
    {/if}
    {/list}

<#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->

页脚

我的照片书 - 手机博客 - 下载LOFTER APP - 订阅此博客

ideality

导航

日志

教你修改以及重构skb(转)

历史上的今天

最近读者

热度

评论

页脚