Linux Netfilter: Enqueue packets to the user-space before defragment

1
votes

The question is: How can I enqueue packets to the user-space with netfilter NFQUEUE before defragment?

According to Linux kernel source, nf_defrag_ipv4 is installed in NF_INET_PRE_ROUTING (known as PREROUTING in iptables/nftables) and NF_INET_LOCAL_OUT (OUTPUT).

So I tried the following anti-defrag nftables filter (original: https://stackoverflow.com/a/30638753/5167443) for NF_INET_LOCAL_OUT, but I'm still getting defragmented packets.

sudo nft add table filter
sudo nft add chain filter predefrag { type filter hook output priority -- -450 \; }
sudo nft add filter predefrag skuid nfqhooked counter queue num 42

In the above filter, -450 stands for a priority that precedes NF_IP_PRI_CONNTRACK_DEFRAG=-400. i.e., the filter is expected to work before nf_defrag_ipv4.

I'm using Linux 3.19 (Ubuntu 15.04) and this my own binding for libnetfilter_queue.so.1.

1
linux-kerneliptablesnetfilterip-fragmentation

1 Answers

0
votes

I just resolved by myself.

I had misunderstood that netfilter handles TCP reassembly that is actually handled by "TCP Auto Corking".

Now I can get fragmented (i.e. non-corked) packets by just writing 0 to /proc/sys/net/ipv4/tcp_autocorking.

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f54b311142a92ea2e42598e347b84e1655caf8e3