Linux libnetfilter_queue delayed packet problem

1
votes

I have to filter and modify network traffic using Linux kernel libnetfilter_queue (precisely the python binding) and dpkt, and i'm trying to implement delayed packet forward.

Normal filtering works really well, but if i try to delay packets with function like this

def setVerdict(pkt, nf_payload):
    nf_payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))


t = threading.Timer(10, setVerdict, [pkt, nf_payload])
t.start()

It crashs throwing no exception (surely is a low level crash). Can i implement delay using directly libnetfilter like this or I must copy pkt, drop it and send the copy using standard socket.socket.send()?

Thank you

2
pythonlinuxnetworkingnetfilter

2 Answers

3
votes

Sorry for the late reply, but I needed to do something like this, although slightly more complicated. I used the C-version of the library and I copied packets to a buffer inside my program, and then issued a DROP verdict. After a timeout relating to your delay, I reinject the packet using a raw socket. This works fine, and seems quite efficient.

I think the reason for your crash was due to the fact that you didnt issue a verdict fast enough.

0
votes

I can't answer your question, but why not use the "netem" traffic-queue module on the outgoing interface to delay the packet?

It is possible to configure tc queues to apply different policies to packets which are "marked" in some way; the normal way to mark such packets is with a netfilter module (e.g. iptables or nfqueue).