gw-cs-sd / sd-2017-team-ddos

sd-2017-team-ddos created by GitHub Classroom

Week 11: TCP connection replay #1

Open mrdude opened 7 years ago

mrdude commented 7 years ago

@twood02 My code is all in my fork of the ONVM repo.

My goal for this week was to extend my tcp_conn_track NF to allow it to proxy TCP handshakes. The NF will sit between a server on the local network and the outside world. When it receives a SYN packet for the server from the outside world, my NF will attempt to complete the handshake. If the client completes the handshake, my NF will then "replay" the handshake for the server it is protecting.

Each connection in tcp_conn_track is represented with an instance of struct connection. I started off by adding a flag to this struct named entering_network; a connection that was initiated from outside the local network will have this flag set to true. Packets for entering_network connections are processed slightly differently than others:

As of commit f640418, tcp_conn_track can intercept and respond to TCP SYNs from entering_network connections. However, the SYN-ACK sent by the NF is never received by the client. I think it might have to do with the fact that I don't recalculate the TCP checksum after modifying the packet.

TODO:
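The checksum point raised above, as an added example that is not code from the fork or from ONVM: a plain C routine that recomputes the IPv4 header checksum and the TCP checksum (with its pseudo-header) in place after header fields have been rewritten, which is what a SYN-ACK built from an intercepted SYN needs before it leaves the NF. It assumes a raw IPv4 packet buffer that starts at the IP header (no Ethernet or VLAN header), and the packet in the comments is constructed for illustration.

```c
/* Added example (not from the ONVM fork): recompute the IPv4 and TCP
 * checksums of a raw packet after its header fields were modified,
 * e.g. after turning an intercepted SYN into a SYN-ACK. No DPDK needed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement sum over a byte buffer, taken as big-endian 16-bit words. */
uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;   /* odd trailing byte is zero-padded */
    return sum;
}

uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);   /* fold carries back in */
    return (uint16_t)~sum;
}

/* Recompute the IPv4 header checksum and the TCP checksum (pseudo-header +
 * whole segment) in place. pkt points at the IPv4 header; len is the number
 * of bytes available. Returns 0 on success, -1 if the buffer is too short
 * or the packet is not IPv4 carrying TCP. */
int tcp_fixup_checksums(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint16_t tot = ((uint16_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6) return -1;
    /* IPv4 header checksum: zero the field, then sum the header only. */
    pkt[10] = pkt[11] = 0;
    uint16_t ipc = csum_fold(csum_add(0, pkt, ihl));
    pkt[10] = ipc >> 8; pkt[11] = ipc & 0xff;
    /* TCP checksum: pseudo-header (src, dst, zero, proto 6, TCP length) + segment. */
    uint8_t *tcp = pkt + ihl;
    uint16_t tcplen = tot - ihl;
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);              /* source and destination addresses */
    pseudo[8] = 0; pseudo[9] = 6;
    pseudo[10] = tcplen >> 8; pseudo[11] = tcplen & 0xff;
    tcp[16] = tcp[17] = 0;                    /* checksum field is zero while summing */
    uint32_t s = csum_add(0, pseudo, 12);
    s = csum_add(s, tcp, tcplen);
    uint16_t tc = csum_fold(s);
    tcp[16] = tc >> 8; tcp[17] = tc & 0xff;
    return 0;
}
```

Verifying a received packet is the same computation with the checksum field left in place: a correct packet folds to 0.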