If you are willing to write some code, then you can write a small
kernel module which will collect all the packets from ethernet card.
You get the packet, manipulate it, recalculate the checksum and push
it back to the card. I have tried doing this to manipulate some other
fields. It works.
For reference see the following article from phrack:
http://www.phrack.org/phrack/55/P55-12
cheers,
~Manu
On 4/15/05, João Paulo Caldas Campello <protecao@gmail.com> wrote:
On 4/14/05, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:
Currently, iptables doesn't seem to support that, probably to keep you from
shooting yourself in the foot. Consider for example how fast the kernel
will
fold up if you change that first nybble of the packet from an x'4' to an
x'6'
without changing the rest of the packet to match. Suddenly, that sk_buff is
a lot too short.. ;)
Yeah, maybe, who knows :P
Well, I've did some searching last days and found a couple ways to
achieve what I've described in my email.
One is using "DIVERT sockets" and other is the use of the "-j QUEUE"
target of iptables/netfilter. Both approaches are similar: you match a
packet using iptables to flush them to userspace, where you can mangle
the entire packet as you like and send it back to iptables, who will
put it again onto the stack.
The "-j QUEUE" approach is manipulated through the "libipq" API:
- netfilter can feed userspace using IPQUEUE:
* http://www.crhc.uiuc.edu/~grier/projects/libipq.html
- Perl:
* http://www.intercode.com.au/jmorris/perlipq/
- Python:
* http://woozle.org/~neale/src/ipqueue/
As you can see, there's already libraries written in Perl and Python
to query IPQUEUE, so the effort of writing userspace code to deal with
IP packets wiil be much more easier.
That's it =)
Cheers,
João Paulo.
--
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"
