List:       netfilter
Subject:    If the hooked SYN packets return with NF_STOLEN, TCP cannot successfully establish the connection
From:       Lawrence Lee <lawrenceqli () gmail ! com>
Date:       2013-04-16 14:52:18
Message-ID: CAGXkBO_x2jKXfSPvETcH3bi9Rsx_JEG8X5nTPF1Vghv+HavQ2g () mail ! gmail ! com

Hi All,

In NF_IP_LOCAL_OUT, I hook the TCP SYN packets, send them out directly
via dev_queue_xmit, and return NF_STOLEN. The packets are successfully
sent out, and the peer replies with SYN+ACK. Unfortunately, the local
host does not accept the packet but replies with an ICMP error, i.e.,
destination unreachable (host administratively prohibited).

Actually, it is the same case if UDP request packets are hooked in the
NF_IP_LOCAL_OUT hook and returned with NF_STOLEN. The UDP response
packets are dropped with an ICMP error packet.

I looked into the source code. It seems that in the ip_local_deliver()
function, return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev,
NULL, ip_local_deliver_finish) does not reach
ip_local_deliver_finish(), but instead calls the icmp_send() function
to send a destination unreachable message.

May I know what is up and how to fix this issue? Thank you very much!

Best Regards,
Lawrence