[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: Modifying data of a multiple packet connection with libnetfilter_queue
From:       Eric Leblond <eric () regit ! org>
Date:       2013-02-11 6:42:26
Message-ID: 1360564946.5195.22.camel () ice-age ! regit ! org
[Download RAW message or body]

Hi,
Le lundi 11 février 2013 à 12:47 +0800, Aaron Lewis a écrit :
> Hi,
> 
> Protocols like HTTP are segmented, so I must rebuild the whole
> incoming packet prior to modify it.
> 
> But with libnetfilter_queue, you receive one packet at time, and you
> just either ACCEPT or do other actions.
> 
> Do you think there's a way to let libnetfiter_queue buffer the packet
> before sending to userland program?
> So that in the callback I will see the whole packet.

You don't have to verdict one packet at a time. See again
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/ for explanation.

> Any ideas? Or other alternatives is welcomed!

For HTTP, you will only be able to buffer and modify the packets in a
TCP window. So you will have HTTP messages that won't be handled by this
system. A working solution could be to use a (trasnparent maybe) proxy
to get the whole request.

Maybe you can use TPROXY mechanism if you want a good transparency.

BR,
--
Eric Leblond


["signature.asc" (application/pgp-signature)]
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[prev in list] [next in list] [prev in thread] [next in thread]