Question

I have two hooks in the netfilter framework.

One at NF_IP_PRE_ROUTING for incoming packets and other at NF_IP_LOCAL_OUT for outgoing packets.

Outgoing packets:

Now, all IPv4 Packets sent out from particular IP address, is encapsulated in another IPv4-UDP Packet.

I use pskb_expand_head API to have more headroom for encapsulation. And, then with ip_route_output_key to find the appropriate rtable. Using rtable, I reassign skb->dst and skb->dev. And, then I just go ahead and accept the packet using NF_ACCEPT.

skb_dst_drop(skb);
skb_dst_set(skb, &rt->dst);
skb->dev = skb_dst(skb)->dev;

Incoming packets:

Now, all encapsulated packets are received and are identified based on port number. And the encapsulation (IP+UDP+XYZ HEADER) is pulled out. And similar to the outgoing packets, I use ip_route_output_key to get the rt (rtable).
Using rtable I reassign skb->dst and skb->dev. And then I accept the packet with NF_ACCEPT.

So, it happens that I also receive the fragmented incoming packets; I am in a bit of confusion about how they are supposed to be dealt with.

I would want fragmented packets to be queued and later receive the entire packet. Any ideas on that? I have been going through the functions available

ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);

But this seems to be used for assembling packets at the NF_IP_LOCAL_IN stage, while I want the assembled packet at the NF_IP_PRE_ROUTING stage.

Any help on this will be appreciated.

Was this helpful?

Solution

Set CONFIG_NF_DEFRAG_IPV4, which is defined in /net/ipv4/netfilter/Kconfig; its hooks ipv4_defrag_ops[] sit at NF_INET_PRE_ROUTING and NF_INET_LOCAL_OUT. Your hooks should be of a priority larger than NF_IP_PRI_CONNTRACK_DEFRAG; therefore your hooks are executed after ipv4_defrag_ops[], which would do the assembly for you at the NF_IP_PRE_ROUTING stage. After that, the skb that goes to your hooks should be an assembled packet.
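The ordering the answer relies on (the defrag hook at NF_IP_PRI_CONNTRACK_DEFRAG runs first, and a hook registered with a numerically larger priority sees the reassembled datagram) can be shown without a kernel build. The following is an added example, not code from the question or the answer, and not kernel code: it is a user-space C model of a PRE_ROUTING hook chain with a toy version of ip_defrag() that reassembles two constructed IPv4 fragments. The verdict and priority constants are copied from the kernel's netfilter headers; everything else (`struct pkt` as a stand-in for sk_buff, `register_hook`, `run_prerouting`, `defrag_hook`, `my_hook`, `feed_fragments`) is invented for the illustration. The toy reassembler assumes one datagram at a time and non-overlapping fragments; the real ip_defrag() handles overlaps and multiple concurrent queues, which is exactly why you want it, rather than your own code, in front of your hook.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts and priorities: values copied from <uapi/linux/netfilter.h> and <uapi/linux/netfilter_ipv4.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_IP_PRI_CONNTRACK_DEFRAG (-400)

#define IP_MF      0x2000   /* "more fragments" flag in the frag_off field */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */
#define MAX_PKT    2048
#define MAX_HOOKS  8

/* Stand-in for sk_buff (hypothetical): the raw bytes of one IPv4 packet. */
struct pkt { uint8_t data[MAX_PKT]; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* A hook may rewrite *p in place (as hooks do with the skb) and returns a verdict. */
typedef unsigned (*hook_fn)(struct pkt *p);
struct hook { int priority; hook_fn fn; };
static struct hook hooks[MAX_HOOKS];
static int nhooks;

/* Keep the table sorted ascending, as the kernel does: the lowest priority runs first. */
static void register_hook(int priority, hook_fn fn)
{
    int i = nhooks++;
    while (i > 0 && hooks[i - 1].priority > priority) { hooks[i] = hooks[i - 1]; i--; }
    hooks[i].priority = priority; hooks[i].fn = fn;
}

/* Walk the chain like nf_hook_slow(): stop at the first verdict that is not NF_ACCEPT. */
static unsigned run_prerouting(struct pkt *p)
{
    for (int i = 0; i < nhooks; i++) { unsigned v = hooks[i].fn(p); if (v != NF_ACCEPT) return v; }
    return NF_ACCEPT;
}

/* Toy reassembly queue (one datagram, non-overlapping fragments only). */
static struct { uint16_t id; uint8_t hdr[20]; uint8_t body[MAX_PKT]; size_t got, total; int active; } ipq;

static unsigned defrag_hook(struct pkt *p)
{
    size_t ihl = (p->data[0] & 0x0f) * 4;
    uint16_t fo = rd16(p->data + 6);
    size_t off = (size_t)(fo & IP_OFFMASK) * 8, plen = p->len - ihl;
    if (!(fo & IP_MF) && off == 0) return NF_ACCEPT;          /* not a fragment: pass through untouched */
    uint16_t id = rd16(p->data + 4);
    if (!ipq.active) { ipq.active = 1; ipq.id = id; ipq.got = ipq.total = 0; }
    if (ipq.id != id) return NF_DROP;                         /* toy queue holds a single datagram */
    memcpy(ipq.body + off, p->data + ihl, plen);
    ipq.got += plen;
    if (off == 0) memcpy(ipq.hdr, p->data, 20);               /* keep the first fragment's header */
    if (!(fo & IP_MF)) ipq.total = off + plen;                /* last fragment fixes the total length */
    if (!ipq.total || ipq.got < ipq.total) return NF_STOLEN;  /* still waiting, like -EINPROGRESS */
    /* Complete: rebuild the whole datagram in place so every later hook sees an assembled packet. */
    memcpy(p->data, ipq.hdr, 20);
    p->data[0] = 0x45;                                        /* IPv4, IHL 5 (no options) */
    wr16(p->data + 2, (uint16_t)(20 + ipq.total));
    wr16(p->data + 6, 0);                                     /* clear MF and offset */
    memcpy(p->data + 20, ipq.body, ipq.total);
    p->len = 20 + ipq.total;
    ipq.active = 0;
    return NF_ACCEPT;
}

/* The asker's hook: records how many packets reached it and the length of the last one. */
static int seen_packets; static size_t seen_len;
static unsigned my_hook(struct pkt *p) { seen_packets++; seen_len = p->len; return NF_ACCEPT; }
static size_t last_seen_len(void) { return seen_len; }

/* Constructed input: build one IPv4 fragment (IHL 5, TTL 64, protocol UDP) with the given payload. */
static void make_fragment(struct pkt *p, uint16_t id, uint16_t off8, int more, const uint8_t *body, size_t blen)
{
    memset(p->data, 0, 20);
    p->data[0] = 0x45; p->data[8] = 64; p->data[9] = 17;
    wr16(p->data + 2, (uint16_t)(20 + blen));
    wr16(p->data + 4, id);
    wr16(p->data + 6, (uint16_t)((more ? IP_MF : 0) | off8));
    memcpy(p->data + 20, body, blen);
    p->len = 20 + blen;
}

/* Send a 16-byte payload as two 8-byte fragments through the chain with my_hook at `prio`;
   returns how many packets my_hook saw (its last length is available via last_seen_len()). */
static int feed_fragments(int prio)
{
    static const uint8_t payload[] = "0123456789abcdef";
    struct pkt f;
    nhooks = 0; seen_packets = 0; seen_len = 0; ipq.active = 0;
    register_hook(NF_IP_PRI_CONNTRACK_DEFRAG, defrag_hook);
    register_hook(prio, my_hook);
    make_fragment(&f, 0x1234, 0, 1, payload, 8);     run_prerouting(&f);
    make_fragment(&f, 0x1234, 1, 0, payload + 8, 8); run_prerouting(&f);
    return seen_packets;
}

int main(void)
{
    int n = feed_fragments(NF_IP_PRI_CONNTRACK_DEFRAG + 1);
    printf("hook after defrag:  saw %d packet(s), last length %zu\n", n, last_seen_len());  /* 1, 36 */
    n = feed_fragments(NF_IP_PRI_CONNTRACK_DEFRAG - 1);
    printf("hook before defrag: saw %d packet(s), last length %zu\n", n, last_seen_len());  /* 2, 28 */
    return 0;
}
```

With the hook at NF_IP_PRI_CONNTRACK_DEFRAG + 1 it is called once, with the 36-byte reassembled datagram; at NF_IP_PRI_CONNTRACK_DEFRAG - 1 it is called for each 28-byte fragment, and each fragment is then stolen by the defrag hook. In a real module the same rule applies to the priority field of your nf_hook_ops, and the defrag hooks only exist if the nf_defrag_ipv4 code is built and active; newer kernels let a module request it via nf_defrag_ipv4_enable(), whose signature has changed across versions, so check net/ipv4/netfilter/nf_defrag_ipv4.c in the kernel you build against.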

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow