Kernel module does not seem to capture all forwarded packets

I have written a kernel module that modifies the User-Agent in all forwarded HTTP packets on kernel version 4.9, and it works well.
I have another router running kernel 4.14, where I have to call nf_register_net_hook(&init_net, &nfho) instead of nf_register_hook(&nfho). After compiling and installing it, I found that the module does not capture some packets, all of which have destination ports below 1024. What can I do to capture all the packets?

My test code looks like this:

/* Netfilter hook descriptor; hook_init() fills in its fields before registering it. */
static struct nf_hook_ops nfho;

/*
 * Netfilter hook callback: logs the TCP destination port of each packet it is
 * called for and returns NF_ACCEPT on every path, whether or not the port
 * matched. The excerpt elides the code that declares and sets tcph.
 */
unsigned int hook_funcion(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	// (elided in the post) check that the packet is TCP and obtain tcph here
	// NOTE(review): that check should also confirm the whole TCP header lies
	// within the skb's data before tcph is dereferenced -- not shown here.

	// tcph->dest is a big-endian (network byte order) field, so on a
	// little-endian CPU this prints the port with its two bytes swapped.
	printk("tcph->dest = %d", tcph->dest);
	// BUG (the subject of this post): a network-order value is compared with
	// the host-order constant 80, so on a little-endian CPU real port-80
	// traffic is skipped. Needs ntohs(tcph->dest) != 80, or equivalently
	// tcph->dest != htons(80).
	if(tcph->dest != 80)
		return NF_ACCEPT;

    // (elided in the post) per the description, the User-Agent rewrite goes here

	return NF_ACCEPT;
}

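/*
 * Module entry point: fills in the hook descriptor (IPv4, FORWARD hook,
 * mangle priority) and registers it in init_net.
 *
 * Returns the result of nf_register_net_hook(): 0 on success, otherwise its
 * error code. The original always returned 0, so a failed registration left
 * the module loaded with no hook installed, and hook_exit() would later try
 * to unregister a hook that was never registered.
 */
static int __init hook_init(void)
{
	int ret;

	nfho.hook = hook_funcion;
	nfho.pf = NFPROTO_IPV4;
	nfho.hooknum = NF_INET_FORWARD;
	nfho.priority = NF_IP_PRI_MANGLE;

	ret = nf_register_net_hook(&init_net, &nfho);
	printk("xmurp-ua start\n");
	printk("nf_register_hook returnd %d\n", ret);

	/* Propagate a registration failure so the module load fails visibly. */
	return ret;
}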

/*
 * Module exit point: unregisters the hook descriptor nfho from init_net,
 * then logs that the module has stopped.
 */
static void __exit hook_exit(void)
{
	/* Must name the same net namespace and descriptor used at registration. */
	nf_unregister_net_hook(&init_net, &nfho);

	printk("xmurp-ua stop\n");
}

This is part of my kernel log (no destination port below 1024 appears in it):

[ 1596.601063] tcph->dest = 15380
[ 1596.619027] tcph->dest = 2067
[ 1596.622388] tcph->dest = 14115
[ 1596.649652] tcph->dest = 47873
[ 1596.903875] tcph->dest = 1044
[ 1596.907796] tcph->dest = 20480
[ 1596.950417] tcph->dest = 20480
[ 1596.953985] tcph->dest = 1044
[ 1597.051657] tcph->dest = 20480
[ 1597.061290] tcph->dest = 29205
[ 1597.109917] tcph->dest = 1044
[ 1597.129058] tcph->dest = 20480
[ 1597.132366] tcph->dest = 1044
[ 1597.151498] tcph->dest = 20480
[ 1597.513850] tcph->dest = 1044
[ 1597.517715] tcph->dest = 20480
[ 1597.904445] tcph->dest = 1044
[ 1597.911922] tcph->dest = 20480
[ 1598.277374] tcph->dest = 1044
[ 1598.281972] tcph->dest = 20480
[ 1598.390774] tcph->dest = 47873
[ 1598.405492] tcph->dest = 14115
[ 1598.428335] tcph->dest = 11029
[ 1598.431651] tcph->dest = 11029
[ 1598.451623] tcph->dest = 14115
[ 1598.496708] tcph->dest = 2067
[ 1598.515683] tcph->dest = 47873
[ 1598.671040] tcph->dest = 1044
[ 1598.676368] tcph->dest = 20480
[ 1598.781044] tcph->dest = 20480
[ 1598.784667] tcph->dest = 1044
[ 1598.935491] tcph->dest = 1044
[ 1598.970062] tcph->dest = 20480
[ 1598.973473] tcph->dest = 1044
[ 1598.999175] tcph->dest = 20480
[ 1599.372445] tcph->dest = 1044
[ 1599.376848] tcph->dest = 20480
[ 1599.746570] tcph->dest = 1044
[ 1599.754935] tcph->dest = 20480
[ 1600.023671] tcph->dest = 47873
[ 1600.027202] tcph->dest = 32021
[ 1600.128045] tcph->dest = 1044

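I have solved the problem myself: it was a byte-order (endianness) issue. tcph->dest is stored in network byte order, so it has to be converted with ntohs() before it is compared with a host-order constant. On a little-endian CPU, for example, the logged value 20480 (0x5000) is really port 80 (0x0050) with its two bytes swapped.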

// Wrong: tcph->dest is in network byte order, while 80 is a host-order constant.
// if(tcph -> dest != 80)
// Right: convert the port to host order first (tcph->dest != htons(80) is equivalent).
if(ntohs(tcph -> dest) != 80)
