I'm looking for a Linux utility that can alter the payloads of network packets based on a set of rules. Ideally, I'd use iptables and the netfilter kernel module, but they don't support generic payload mangling: iptables will alter various header fields (addresses, ports, TOS, etc.), and it can match arbitrary bytes within a packet, but it apparently is unable to alter arbitrary data within the packet.
A kernel module would be a big plus, as efficiency is a concern, but I'm happy to explore any other options that would get the job done.
Thanks for your ideas!
Long-overdue Update:
We chose to use the NFQUEUE module, which is the latest implementation of the QUEUE modules that Robert Gamble suggested. It appeared to be fairly simple, with a safety bonus for allowing our code to run in user, not kernel, space.
The implementation would have been almost trivial if we'd simply wanted to alter the payload without changing its size. In that case, we'd define an iptables rule to select the "interesting" packets for us and send them to an NFQUEUE target. We'd write a callback function that would inspect the packets from NFQUEUE, modify the data as required, and recalculate the checksums in their TCP and IP headers.
However, our use case involves injecting additional characters into the data stream. This has the somewhat obvious side-effect of increasing the corresponding SEQ/ACK numbers in the TCP stream, and the not-so-obvious side-effect of confusing the conntrack module enough that it breaks NAT entirely. After a lot of research, head-scratching, and experimentation, the most expedient solution was to disable connection tracking for these particular packets (with the NOTRACK target in the raw table) and handle it in our callback. Save your tomatoes and hate mail; I'm not at all proud to let you under the hood, but it was the only way to get a reliable product to the customer before the next Ice Age. And it's a good story. But I truly appreciate, and share, your heartfelt sentiments.
Version 2 will leverage our newfound enlightenment by replacing our callback and several iptables rules with a custom NAT and/or conntrack helper. We're confident that the current exercise has given us enough experience to create a kernel module that will fit organically into the netfilter architecture to solve the problems we encountered.
I haven't used it, but the QUEUE netfilter target looks like it might work. It uses a netlink socket and a userspace application registered to the socket to perform the payload modifications.
The libipq man page contains details on how to use this and provides a simple example.
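Worked example, added by the editor and not code from the asker, the answerer, or any netfilter project: the "almost trivial" same-size case the update describes for its NFQUEUE callback, which a libipq/QUEUE handler as suggested in the answer would perform identically. It rewrites bytes inside the TCP payload of a constructed IPv4/TCP packet and then recomputes the TCP checksum (over the pseudo-header and segment) and the IPv4 header checksum, so it runs offline with no kernel involvement. The queue plumbing itself is not part of the block: in libnetfilter_queue that is nfq_open, nfq_create_queue with this kind of callback, nfq_get_payload to obtain the buffer, and nfq_set_verdict with NF_ACCEPT and the modified buffer and length to hand the packet back. Addresses, ports, and the HTTP payload are made up. Size-changing rewrites are deliberately refused, because, as the update explains, they also require SEQ/ACK rewriting for the rest of the stream and upset conntrack; the example does not attempt that part.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 one's-complement sum; an odd trailing byte is zero-padded. */
static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t acc)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        acc += (uint32_t)buf[len - 1] << 8;
    return acc;
}

/* Fold carries and complement; a region whose checksum is valid folds to 0. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

static size_t ihl_bytes(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Sum over the TCP pseudo-header (src, dst, zero, proto, TCP length) and the
 * TCP segment exactly as it currently sits in the buffer. */
static uint32_t tcp_region_sum(const uint8_t *pkt, size_t len)
{
    size_t ihl = ihl_bytes(pkt), tcp_len = len - ihl;
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, pkt + 12, 8);          /* source and destination address */
    pseudo[9] = 6;                        /* IPPROTO_TCP */
    put16(pseudo + 10, (uint16_t)tcp_len);
    return ones_sum(pkt + ihl, tcp_len, ones_sum(pseudo, 12, 0));
}

/* Zero and recompute both checksum fields: IPv4 header, then TCP. */
static void fix_checksums(uint8_t *pkt, size_t len)
{
    uint8_t *tcp = pkt + ihl_bytes(pkt);
    put16(pkt + 10, 0);
    put16(pkt + 10, fold(ones_sum(pkt, ihl_bytes(pkt), 0)));
    put16(tcp + 16, 0);
    put16(tcp + 16, fold(tcp_region_sum(pkt, len)));
}

/* 1 if both the IPv4 header checksum and the TCP checksum verify. */
int checksums_valid(const uint8_t *pkt, size_t len)
{
    return fold(ones_sum(pkt, ihl_bytes(pkt), 0)) == 0 &&
           fold(tcp_region_sum(pkt, len)) == 0;
}

/* Same-size rewrite: replace the first `from` in the TCP payload with `to`
 * (equal lengths), refresh checksums, return 1; return 0 if nothing matched.
 * Size-changing rewrites are refused: they also need SEQ/ACK rewriting. */
int mangle_payload(uint8_t *pkt, size_t len, const char *from, const char *to)
{
    size_t ihl = ihl_bytes(pkt), doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    uint8_t *payload = pkt + ihl + doff;
    size_t plen = len - ihl - doff, n = strlen(from);

    if (n == 0 || strlen(to) != n || plen < n)
        return 0;
    for (size_t i = 0; i + n <= plen; i++)
        if (memcmp(payload + i, from, n) == 0) {
            memcpy(payload + i, to, n);
            fix_checksums(pkt, len);
            return 1;
        }
    return 0;
}

/* Constructed IPv4/TCP packet (no options, made-up addresses), valid checksums. */
size_t build_packet(uint8_t *pkt, const char *payload)
{
    size_t plen = strlen(payload), len = 20 + 20 + plen;
    uint8_t *tcp = pkt + 20;
    memset(pkt, 0, len);
    pkt[0] = 0x45;                            /* IPv4, IHL = 5 words */
    put16(pkt + 2, (uint16_t)len);            /* total length */
    pkt[8] = 64;                              /* TTL */
    pkt[9] = 6;                               /* protocol: TCP */
    memcpy(pkt + 12, "\xc0\xa8\x01\x0a", 4);  /* src 192.168.1.10 (made up) */
    memcpy(pkt + 16, "\x0a\x00\x00\x05", 4);  /* dst 10.0.0.5 (made up) */
    put16(tcp, 50000);                        /* source port */
    put16(tcp + 2, 80);                       /* destination port */
    tcp[12] = 0x50;                           /* data offset = 5 words */
    tcp[13] = 0x18;                           /* PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    fix_checksums(pkt, len);
    return len;
}

/* Stand-alone check: 1 if the rewrite leaves the packet internally consistent. */
int run_demo(void)
{
    uint8_t pkt[128];
    size_t len = build_packet(pkt, "GET /old HTTP/1.0\r\n\r\n");  /* odd TCP length */
    return checksums_valid(pkt, len)
        && mangle_payload(pkt, len, "/old", "/new") == 1
        && checksums_valid(pkt, len)
        && memcmp(pkt + 40, "GET /new", 8) == 0;
}
```

The payload is chosen to give an odd TCP length so the zero-padding branch of the checksum is exercised; a handler that gets that wrong produces packets the far end silently drops, which is the usual first symptom when a queue callback goes live. The IPv4 header checksum does not change for a payload-only edit, but recomputing it is cheap and keeps the callback correct if header fields are later touched too. For the setup the update describes, an assumed rule set (not the asker's actual rules) would be something like "iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 0" to divert the packets, plus "iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK" to keep conntrack away from them, with the queue-num matching the one passed to nfq_create_queue.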