
I have used netfilter hook functions to filter/sniff outgoing IP packets. I'm looking to filter outgoing (from host) packets between the IP layer and the link layer to look into Layer 2 information like interface and MAC address. NF_INET_POSTROUTING does not give MAC address information, as it is called in ip_output() before address resolution, I guess.

I looked up the ebtables hook functions; they seem to be related to bridge INPUT/FORWARD/OUTPUT. If I understand correctly, outgoing packets from the local TCP/IP stack do not go through the bridge forwarding hooks. Is there a way I can hook into packets between the Linux IP and link layer to filter (DROP or modify) them?

gdb007
I'm writing this as a kernel module driver. I may forward some packets to user space and prevent them from going out on the NIC. So I really can't use the iptables/ebtables commands, since I need the sk_buff data. I need the full frame: Ethernet and IP headers. – gdb007 Mar 30 '18 at 23:31

1 Answer


I am not sure there is a generic way to hook this, but some methods come to mind:

  • LD_PRELOAD socket operations: supply a shared library with your own implementation of send(|to|msg)
  • Register a virtual TAP interface and have your application bind to it
  • Register a virtual interface in-kernel and have your application bind to it

The bonding driver is an example of the latter. Behind the scenes, it scatters egress traffic to slave devices and gathers ingress traffic from them.

I tried this in my uman driver. Via DebugFS you can configure an interface to micro-manage. Any application binding to the uman0 virtual interface will have its egress traffic pass through uman_start_xmit and its ingress traffic through uman_handle_frame, where you can add code to decide whether to forward, mangle or drop the packet. uman was a side product of my bachelor thesis and might not be fit for production use (if you make it fitter, pull requests are welcome :-).

a3f
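To make concrete what the frame inspection inside such a start_xmit hook looks like, here is a userland sketch added as an example; it is not code from the question, the answer or the uman driver. It parses the Ethernet header (with an optional 802.1Q tag) and the IPv4 header of a raw frame, so the MAC and VLAN data the asker cannot get from NF_INET_POSTROUTING is available, and returns an accept/drop verdict; the sample frame bytes, the blocked next-hop MAC and the verdict enum are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };   /* constructed; mirrors netfilter's NF_DROP/NF_ACCEPT */

/* L2/L3 fields of one frame: what a hook below the IP layer sees and NF_INET_POSTROUTING does not. */
struct frame_info {
    uint8_t  dst_mac[6], src_mac[6], ip_proto;
    uint16_t vlan_id, ethertype;   /* vlan_id is 0 when untagged */
    uint32_t ip_src, ip_dst;       /* host byte order; IPv4 fields valid only when ethertype == ETHERTYPE_IPV4 */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse Ethernet, an optional 802.1Q tag and the IPv4 header. Returns 0 on success, -1 if truncated or malformed. */
int parse_frame(const uint8_t *f, size_t len, struct frame_info *out) {
    if (len < 14) return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->dst_mac, f, 6);
    memcpy(out->src_mac, f + 6, 6);
    size_t off = 12;                              /* offset of the EtherType field */
    if (rd16(f + off) == ETHERTYPE_VLAN) {
        if (len < 18) return -1;
        out->vlan_id = rd16(f + 14) & 0x0fff;     /* VLAN ID is the low 12 bits of the TCI */
        off = 16;
    }
    out->ethertype = rd16(f + off);
    off += 2;                                     /* start of the L3 header */
    if (out->ethertype != ETHERTYPE_IPV4) return 0;
    if (len < off + 20 || (f[off] >> 4) != 4) return -1;
    size_t ihl = (size_t)(f[off] & 0x0f) * 4;     /* IHL counts 32-bit words */
    if (ihl < 20 || len < off + ihl) return -1;
    out->ip_proto = f[off + 9];
    out->ip_src = rd32(f + off + 12);
    out->ip_dst = rd32(f + off + 16);
    return 0;
}
/* Egress decision as in a start_xmit hook: drop malformed frames and IPv4 frames to a blocked next-hop MAC. */
enum verdict egress_verdict(const uint8_t *f, size_t len, const uint8_t blocked_mac[6]) {
    struct frame_info fi;
    if (parse_frame(f, len, &fi) != 0) return VERDICT_DROP;
    if (fi.ethertype == ETHERTYPE_IPV4 && memcmp(fi.dst_mac, blocked_mac, 6) == 0) return VERDICT_DROP;
    return VERDICT_ACCEPT;
}
/* Constructed sample: untagged IPv4/TCP, 02:00:00:00:00:01 -> 02:00:00:00:00:02, 10.0.0.1 -> 10.0.0.2, header only, checksum 0. */
const uint8_t sample_frame[] = { 0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,               /* Ethernet */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2 };      /* IPv4 */
const uint8_t blocked_next_hop[6] = { 0x02,0,0,0,0,0x02 };
```

In a kernel module the same logic would run over the sk_buff's data at the point the answer describes, with the verdict mapped to the driver's own transmit or free path.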