Chinaunix首页 | 论坛 | 博客

codercodercoder!

首页 |  博文目录 |  关于我

humengez

  • 博客访问: 80454
  • 博文数量: 29
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 225
  • 用 户 组: 普通用户
  • 注册时间: 2014-03-06 15:31
文章分类

全部博文(29)

文章存档

2015年(18)

2014年(11)

我的朋友
最近访客
推荐博文
相关博文
用netfilter_queue在用户态实现nat

分类: LINUX

2015-01-06 16:38:48

偶尔在网上看到了这篇文章,
并结合中的例子,
然后修改了一下tcp计算checksum部分,在linux2.6.24上用netfilter_queue在用户态实现NAT

程序功能: 将输出端目的地为 220.181.37.55 的包,都改为目的地为 202.118.236.130,输入段反之,达到DNAT的一小半功能,完整的NAT要做状态记录的.

直接上代码:

nf_queue_test.c

点击(此处)折叠或打开

  1. /*
  2.  * =====================================================================================
  3.  *
  4.  * Filename: nf_queue_test.c
  5.  *
  6.  * Description: 用netfilter_queue 在用户态修改网络数据包的例子程序
  7.  *
  8.  * Version: 1.0
  9.  * Created: 04/02/2010 09:49:48 AM
  10.  * Revision: none
  11.  * Compiler: gcc
  12.  *
  13.  * Author: LeiuX (xulei), xulei@pact518.hit.edu.cn
  14.  * Company: HIT
  15.  *
  16.  * =====================================================================================
  17.  */

  19. #include <stdio.h>
  20. #include <stdlib.h>
  21. #include <unistd.h>
  22. #include <netdb.h>
  23. #include <string.h>
  24. #include <netinet/in.h>
  25. #include <arpa/inet.h>

  27. #include <asm/byteorder.h>
  28. #include <linux/netfilter.h>
  29. #include <libnetfilter_queue/libnetfilter_queue.h>
  30. #include <linux/ip.h>
  31. #include <linux/tcp.h>

  33. #ifdef __LITTLE_ENDIAN
  34. #define IPQUAD(addr) \
  35. ((unsigned char *)&addr)[0], \
  36. ((unsigned char *)&addr)[1], \
  37. ((unsigned char *)&addr)[2], \
  38. ((unsigned char *)&addr)[3]
  39. #else
  40. #define IPQUAD(addr) \
  41. ((unsigned char *)&addr)[3], \
  42. ((unsigned char *)&addr)[2], \
  43. ((unsigned char *)&addr)[1], \
  44. ((unsigned char *)&addr)[0]
  45. #endif

  47. struct tcp_pseudo /*the tcp pseudo header*/
  48. {
  49.   __u32 src_addr;
  50.   __u32 dst_addr;
  51.   __u8 zero;
  52.   __u8 proto;
  53.   __u16 length;
  54. } pseudohead;


  57. long checksum(unsigned short *addr, unsigned int count) {
  58.   /* Compute Internet Checksum for "count" bytes
  59.    * beginning at location "addr".
  60.    */
  61.   register long sum = 0;

  63.   while( count > 1 ) {
  64.     /* This is the inner loop */
  65.     sum += * addr++;
  66.     count -= 2;
  67.   }
  68.   /* Add left-over byte, if any */
  69.   if( count > 0 )
  70.     sum += * (unsigned char *) addr;

  72.   /* Fold 32-bit sum to 16 bits */
  73.   while (sum>>16)
  74.     sum = (sum & 0xffff) + (sum >> 16);

  76.   return ~sum;
  77. }


  80. /*************************tcp checksum**********************/
  81. long get_tcp_checksum(struct iphdr * myip, struct tcphdr * mytcp) {

  83.   __u16 total_len = ntohs(myip->tot_len);

  85.   int tcpopt_len = mytcp->doff*4 - 20;
  86.   int tcpdatalen = total_len - (mytcp->doff*4) - (myip->ihl*4);

  88.   pseudohead.src_addr=myip->saddr;
  89.   pseudohead.dst_addr=myip->daddr;
  90.   pseudohead.zero=0;
  91.   pseudohead.proto=IPPROTO_TCP;
  92.   pseudohead.length=htons(sizeof(struct tcphdr) + tcpopt_len + tcpdatalen);

  94.   int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr) + tcpopt_len +tcpdatalen;
  95.   //unsigned short * tcp = new unsigned short[totaltcp_len];

  97.   unsigned short * tcp = malloc(totaltcp_len);


  100.   memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
  101.   memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char*)mytcp,sizeof(struct tcphdr));
  102.   memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(struct tcphdr),(unsigned char *)myip+(myip->ihl*4)+(sizeof(struct tcphdr)), tcpopt_len);
  103.   memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(structtcphdr)+tcpopt_len, (unsigned char *)mytcp+(mytcp->doff*4), tcpdatalen);

  105.   /* printf("pseud length: %d\n",pseudohead.length);
  106.           printf("tcp hdr length: %d\n",mytcp->doff*4);
  107.           printf("tcp hdr struct length: %d\n",sizeof(struct tcphdr));
  108.           printf("tcp opt length: %d\n",tcpopt_len);
  109.           printf("tcp total+psuedo length: %d\n",totaltcp_len);

  111.           fflush(stdout);

  113.           printf("tcp data len: %d, data start %u\n", tcpdatalen,mytcp + (mytcp->doff*4));
  114.    */


  117.   return checksum(tcp,totaltcp_len);

  119. }

  121. static u_int16_t tcp_checksum(struct iphdr* iphdrp){
  122.   struct tcphdr *tcphdrp =
  123.     (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
  124.   return get_tcp_checksum(iphdrp, tcphdrp);
  125. }

  127. static void set_tcp_checksum(struct iphdr* iphdrp){
  128.   struct tcphdr *tcphdrp =
  129.     (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
  130.   tcphdrp->check = 0;
  131.   tcphdrp->check = get_tcp_checksum(iphdrp, tcphdrp);
  132. }
  133. /****************************tcp checksum end****************************/


  136. /********************************Ip checksum*****************************/
  137. static u_int16_t ip_checksum(struct iphdr* iphdrp){
  138.   return checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);
  139. }

  141. static void set_ip_checksum(struct iphdr* iphdrp){
  142.   iphdrp->check = 0;
  143.   iphdrp->check = checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);
  144. }
  145. /****************************Ip checksum end******************************/

  147. static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
  148.     struct nfq_data *nfa, void *data){
  149.   (void)nfmsg;
  150.   (void)data;
  151.   u_int32_t id = 0;
  152.   struct nfqnl_msg_packet_hdr *ph;
  153.   unsigned char *pdata = NULL;
  154.   int pdata_len;

  156.   ph = nfq_get_msg_packet_hdr(nfa);
  157.   if (ph){
  158.     id = ntohl(ph->packet_id);
  159.   }

  161.   pdata_len = nfq_get_payload(nfa, (char**)&pdata);
  162.   if(pdata_len == -1){
  163.     pdata_len = 0;
  164.   }

  166.   struct iphdr *iphdrp = (struct iphdr *)pdata;

  168.   printf("len %d iphdr %d %u.%u.%u.%u ->",
  169.       pdata_len,
  170.       iphdrp->ihl<<2,
  171.       IPQUAD(iphdrp->saddr));
  172.   printf(" %u.%u.%u.%u %s",
  173.       IPQUAD(iphdrp->daddr),
  174.       getprotobynumber(iphdrp->protocol)->p_name);
  175.   printf(" ipsum %hu", ip_checksum(iphdrp));
  176.   if(iphdrp->protocol == IPPROTO_TCP){
  177.     printf(" tcpsum %hu", tcp_checksum(iphdrp));
  178.   }

  180. #define TO "220.181.37.55"
  181. #define DNAT_TO "202.118.236.130"

  183.   if(iphdrp->daddr == inet_addr(TO)){
  184.     printf(" !hacked!");
  185.     iphdrp->daddr = inet_addr(DNAT_TO);
  186.     set_ip_checksum(iphdrp);
  187.     if(iphdrp->protocol == IPPROTO_TCP){
  188.       set_tcp_checksum(iphdrp);
  189.       printf(" ipsum+ %hu tcpsum+ %hu",
  190.           ip_checksum(iphdrp), tcp_checksum(iphdrp));
  191.     }
  192.   }

  194.   if(iphdrp->saddr == inet_addr(DNAT_TO)){
  195.     iphdrp->saddr = inet_addr(TO);
  196.     printf(" !hacked!");
  197.     set_ip_checksum(iphdrp);
  198.     if(iphdrp->protocol == IPPROTO_TCP){
  199.       set_tcp_checksum(iphdrp);
  200.       printf(" ipsum+ %hu tcpsum+ %hu",
  201.           ip_checksum(iphdrp), tcp_checksum(iphdrp));
  202.     }
  203.   }

  205.   printf("\n");

  207.   return nfq_set_verdict_mark(qh, id, NF_REPEAT, 1,
  208.       (u_int32_t)pdata_len, pdata);
  209. }

  211. int main(int argc, char **argv)
  212. {
  213.   struct nfq_handle *h;
  214.   struct nfq_q_handle *qh;
  215.   struct nfnl_handle *nh;
  216.   int fd;
  217.   int rv;
  218.   char buf[4096];

  220.   h = nfq_open();
  221.   if (!h) {
  222.     exit(1);
  223.   }

  225.   nfq_unbind_pf(h, AF_INET);

  227.   /*2.6.24 的内核有BUG, nfq_unbind_pf 返回值不正确,
  228.     见:http://article.gmane.org/gmane.c ... ilter.general/33573*/

  230.   /*
  231.      if (nfq_unbind_pf(h, AF_INET) < 0){
  232.      exit(1);
  233.      }
  234.   */

  236.   if (nfq_bind_pf(h, AF_INET) < 0) {
  237.     exit(1);
  238.   }

  240.   int qid = 0;
  241.   if(argc == 2){
  242.     qid = atoi(argv[1]);
  243.   }
  244.   printf("binding this socket to queue %d\n", qid);
  245.   qh = nfq_create_queue(h, qid, &cb, NULL);
  246.   if (!qh) {
  247.     exit(1);
  248.   }

  250.   if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
  251.     exit(1);
  252.   }

  254.   nh = nfq_nfnlh(h);
  255.   fd = nfnl_fd(nh);

  257.   while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
  258.     nfq_handle_packet(h, buf, rv);
  259.   }

  261.   /* never reached */
  262.   nfq_destroy_queue(qh);

  264.   nfq_close(h);

  266.   exit(0);
  267. }

阅读(1153) | 评论(0) | 转发(0) |
0

上一篇:Linux内核IP Queue机制的分析(一)——用户态接收数据包

下一篇:netfilter_queue修改网络报文示例

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6