0

I'm trying to create a firewall in C as a linux kernel module. as part of the firewall, I've implemented a hook function which performs packets inspection inside the PRE_ROUTING hook point. In the hook function I need to deduce the packet direction based on its source and destination networking devices. Whenever I try to extract the source and destination devices, in the packet inspection function, a kernel panic occurs and the OS crashes, and I have no idea why (I've followed linux/netfilter.h strictly). I would more than appreciate any help!

The relevant part of the hook function is as below:

unsigned int inspect_packet(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    char *src_device;
    char *dst_device;

    src_device = state->in->name;
    dst_device = state->in->name;
    /* Deduce the packets direction by the networking devices direction */
    if (src_device[5] == IN_DEVICE_NUM && dst_device[5] == OUT_DEVICE_NUM)
    {
        /* some code */
    }
}

As you can see, I used (as in the header files) the state->in and state->out fields in order to extract the source and destination device of the packet.

Note: The kernel panic certainly occurs from the code above, the rest of the code is irrelevant.

Chris
  • 26,361
  • 5
  • 21
  • 42
Amit Gabay
  • 106
  • 2
  • 10
  • double checked that `state`, `in`, and `name` are all valid pointers? – yano Dec 13 '21 at 21:14
  • 2
    You're using the [pre-routing](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks) hook, right? But if it's before routing, then the kernel hasn't decided what device to route it to yet. So it seems like `state->out` cannot be meaningful. – Nick ODell Dec 13 '21 at 21:22
  • You're right! thanks, this code actually worked for me in the FORWARDING hook and I've copied it to the PRE_ROUTING hook without realizing it's a non-sense. Now when I'm detecting the direction just by the state->in it actually works! – Amit Gabay Dec 13 '21 at 21:31
  • 1
    You could probably self-post and self-accept an answer if you solved your problem. – Marco Bonelli Dec 13 '21 at 21:56

1 Answers1

0

Solution:

As found in the comments above, the mistake which was made is the assumption the destination device of the packet is already assigned when the hook function was called. The assumption is problematic because the hook function is registered in the PRE_ROUTING hook and therefore still has no destination networking device. In order to solve the problem, we can deduce the packet direction just from the source device.

Here is the fixed version of the code:

unsigned int inspect_packet(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    char *src_device;

    src_device = state->in->name;
    /* Deduce the packets direction just by the source networking device */
    if (src_device[5] == IN_DEVICE_NUM)
    {
        /* some code */
    }
}
Amit Gabay
  • 106
  • 2
  • 10