My goal for this week was to extend my tcp_conn_track NF to allow it to proxy TCP handshakes. The NF will sit between a server on the local network and the outside world. When it receives a SYN packet for the server from the outside world, my NF will attempt to complete the handshake. If the client completes the handshake, my NF will then "replay" the handshake for the server it is protecting.
Each connection in tcp_conn_track is represented with an instance of struct connection. I started off by adding a flag to this struct named entering_network; a connection that was initiated from outside the local network will have this flag set to true. Packets for entering_network connections are processed slightly differently than others:
(TODO) once the client responds to the SYN-ACK, the NF then starts replaying the handshake for the remote server.
As of commit f640418, tcp_conn_track can intercept and respond to TCP SYNs from entering_network connections. However, the SYN-ACK sent by the NF is never received by the client. I think it might have to do with the fact that I don't recalculate the TCP checksum after modifying the packet.
TODO:
figure out why the SYN-ACK is not received
patch sequence numbers for entering_network connections
@twood02 My code is all in my fork of the ONVM repo.
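The pieces the two TODO items above call for, as an added example in plain C that is not code from tcp_conn_track or openNetVM: rewriting a client's SYN into the proxy's SYN-ACK with the TCP checksum recomputed over the pseudo-header, and translating sequence/ack numbers between the proxy's and the real server's sequence spaces once the replayed handshake has completed. It assumes IPv4 and TCP headers without options; the header structs, helper names, addresses, ports and ISNs are all made up for the example.

```c
/* Added example, not code from tcp_conn_track or openNetVM: the pieces a SYN proxy needs when
 * it answers a client's SYN itself and later "replays" the handshake to the real server.
 * Assumes IPv4 and a TCP header with no options; addresses, ports and ISNs below are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCP_SYN 0x02
#define TCP_ACK 0x10

/* On-the-wire IPv4 and TCP headers (20 bytes each); multi-byte fields hold network byte order. */
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t csum; uint32_t src, dst; } __attribute__((packed));
struct tcp_hdr  { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags; uint16_t win, csum, urg; } __attribute__((packed));

/* Byte-order helpers that do not depend on host endianness. */
static uint16_t be16(uint16_t v) { uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v }; uint16_t r; memcpy(&r, b, 2); return r; }
static uint32_t be32(uint32_t v) { uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v }; uint32_t r; memcpy(&r, b, 4); return r; }
static uint32_t from_be32(uint32_t v) { uint8_t b[4]; memcpy(b, &v, 4); return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3]; }

/* Ones'-complement sum of 16-bit big-endian words, the primitive both IP and TCP checksums use. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (n) sum += (uint32_t)p[0] << 8;            /* odd trailing byte is padded with zero */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum (host order) over the pseudo-header plus TCP header and payload (RFC 793).
 * Compute with tcp->csum zeroed; computing over a segment whose field is already filled yields 0. */
uint16_t tcp_checksum(const struct ipv4_hdr *ip, const uint8_t *tcp, size_t tcp_len) {
    uint8_t pseudo[12];
    memcpy(pseudo, &ip->src, 4);
    memcpy(pseudo + 4, &ip->dst, 4);
    pseudo[8] = 0; pseudo[9] = 6;                  /* zero byte, protocol = TCP */
    pseudo[10] = (uint8_t)(tcp_len >> 8); pseudo[11] = (uint8_t)tcp_len;
    return csum_fold(csum_add(csum_add(0, pseudo, 12), tcp, tcp_len));
}

static void refresh_tcp_csum(const struct ipv4_hdr *ip, struct tcp_hdr *tcp, size_t tcp_len) {
    tcp->csum = 0;
    tcp->csum = be16(tcp_checksum(ip, (const uint8_t *)tcp, tcp_len));
}

/* Constructed client SYN for the example: 10.0.0.2:40000 -> 192.0.2.10:80. Returns packet length. */
size_t make_client_syn(uint8_t *pkt, uint32_t client_isn) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    struct tcp_hdr *tcp = (struct tcp_hdr *)(pkt + sizeof *ip);
    memset(pkt, 0, sizeof *ip + sizeof *tcp);
    ip->ver_ihl = 0x45; ip->ttl = 64; ip->proto = 6;
    ip->len = be16((uint16_t)(sizeof *ip + sizeof *tcp));
    ip->src = be32(0x0a000002); ip->dst = be32(0xc000020a);
    tcp->sport = be16(40000); tcp->dport = be16(80);
    tcp->seq = be32(client_isn); tcp->off = 5 << 4; tcp->flags = TCP_SYN; tcp->win = be16(65535);
    refresh_tcp_csum(ip, tcp, sizeof *tcp);
    return sizeof *ip + sizeof *tcp;
}

/* Step 1: rewrite the client's SYN in place into the proxy's SYN-ACK. Swapping src/dst leaves the
 * IP header checksum unchanged (the sum is commutative), but the TCP checksum covers the changed
 * ports, seq, ack and flags and must be recomputed or the client's stack silently drops the segment. */
void build_syn_ack(uint8_t *pkt, uint32_t proxy_isn) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    struct tcp_hdr *tcp = (struct tcp_hdr *)(pkt + sizeof *ip);
    uint32_t a = ip->src; ip->src = ip->dst; ip->dst = a;
    uint16_t p = tcp->sport; tcp->sport = tcp->dport; tcp->dport = p;
    tcp->ack = be32(from_be32(tcp->seq) + 1);       /* acknowledge the client's ISN */
    tcp->seq = be32(proxy_isn);                     /* the proxy's own ISN, not the server's */
    tcp->flags = TCP_SYN | TCP_ACK;
    refresh_tcp_csum(ip, tcp, sizeof *tcp);
}

/* Step 2: once the replayed handshake gives the server its own ISN, every later segment of the
 * entering_network connection needs its numbers translated between the two sequence spaces.
 * Unsigned arithmetic gives the modulo-2^32 wrap that TCP sequence numbers require. */
struct seq_xlate { uint32_t proxy_isn, server_isn; };

void patch_to_server(const struct ipv4_hdr *ip, struct tcp_hdr *tcp, size_t tcp_len, const struct seq_xlate *x) {
    tcp->ack = be32(from_be32(tcp->ack) + (x->server_isn - x->proxy_isn));  /* client acks proxy space */
    refresh_tcp_csum(ip, tcp, tcp_len);
}
void patch_to_client(const struct ipv4_hdr *ip, struct tcp_hdr *tcp, size_t tcp_len, const struct seq_xlate *x) {
    tcp->seq = be32(from_be32(tcp->seq) + (x->proxy_isn - x->server_isn));  /* server seq -> proxy space */
    refresh_tcp_csum(ip, tcp, tcp_len);
}

int main(void) {
    uint8_t pkt[40];
    size_t n = make_client_syn(pkt, 1000);
    build_syn_ack(pkt, 500000);
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    printf("SYN-ACK checksum verifies: %s\n", tcp_checksum(ip, pkt + 20, n - 20) == 0 ? "yes" : "no");
    return 0;
}
```

A quick way to check the checksum suspicion on real traffic is to run tcpdump with -v on the client side: it flags "incorrect" TCP checksums on received segments. In a DPDK-based NF the full recompute above can be replaced by rte_ipv4_udptcp_cksum() once the header fields are final; either way the field must be zeroed before computing, and any later change to seq, ack, ports or flags invalidates it again.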