
In the IP header there is option 130, specified in RFC 1108; it adds some security options to the IP packet, like mandatory access control levels and categories. My task is to try to modify at least the level (it starts at the 3rd byte of the option) only with Linux system utilities, like iptables. I tried to use the MANGLE table, but didn't find proper actions. Developing a module in C is too hard for me. Is there a way to do what I tried? Only with Linux system utilities and in kernel space, because high performance is needed.

UPD. I've eventually done it with two iptables modules, ipt-so and iptables-OVERWRITE; they can be found on GitHub.

The ipt-so module adds the ability to filter packets based on their option 130 values (and hence mark them to be modified afterwards).

OVERWRITE simply writes a specified byte into the packet at a specified offset.

That's not a proper way and it's very unstable. Also, I'm unsure about performance, but it's the only possible way without implementing a special module for netfilter.
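Added example, not code from the question or from the ipt-so/OVERWRITE modules: a Python model of what any tool that rewrites the option 130 level byte has to get right. It walks the IPv4 option list to locate option 130 (so the level's offset is not hard-coded), and shows that a bare byte write at that offset leaves the IP header checksum stale, which is one reason a fixed-offset OVERWRITE can be unstable. The sample packet and addresses are constructed; level codes follow RFC 1108.

```python
import struct
BSO_TYPE = 130  # IP Security Option, RFC 1108 (Basic Security Option)

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum over the header with its checksum field zeroed.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_without_csum(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:10] + b"\x00\x00" + pkt[12:ihl]

def build_packet(level: int) -> bytes:
    # Constructed sample: 24-byte IPv4 header (IHL=6) with one BSO and no payload.
    opt = bytes([BSO_TYPE, 4, level, 0x00])  # type, length, level, one flags octet
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24, 1, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + opt
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def find_bso(pkt: bytes):
    # Walk the option list; return (offset of the level byte, level code) or None.
    ihl = (pkt[0] & 0x0F) * 4
    off = 20
    while off < ihl:
        kind = pkt[off]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No-Operation: single byte, no length
            off += 1
            continue
        length = pkt[off + 1]
        if length < 2 or off + length > ihl or (kind == BSO_TYPE and length < 3):
            raise ValueError("malformed IP option at offset %d" % off)
        if kind == BSO_TYPE:
            return off + 2, pkt[off + 2]  # level is the 3rd byte of the option
        off += length
    return None

def checksum_valid(pkt: bytes) -> bool:
    return ipv4_checksum(header_without_csum(pkt)) == struct.unpack("!H", pkt[10:12])[0]

def relabel(pkt: bytes, level: int) -> bytes:
    # Change the level byte, then refresh the header checksum that covers the options.
    off, _ = find_bso(pkt)
    p = bytearray(pkt)
    p[off] = level
    p[10:12] = struct.pack("!H", ipv4_checksum(header_without_csum(bytes(p))))
    return bytes(p)
```

RFC 1108 level codes are 0x3D Top Secret, 0x5A Secret, 0x96 Confidential and 0xAB Unclassified; in the sample packet the level byte sits at header offset 22, which is what a fixed-offset overwrite rule would have to target, and it moves whenever other options precede the BSO.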

kiyama
  • No way with iptables. It has a good matching feature (-m u32) but nothing equivalent for *writing* to a packet. nftables has better generic write support. It can overwrite, not add, though. As for option 130, it's a joke today. A packet tells you "I'm a top secret packet, believe me" and you're supposed to believe it. Nowadays you do this using, for example, IPsec. Otherwise it requires no physically possible interception, insertion or alteration (such as what you're trying) to make some sense. – A.B Mar 05 '21 at 19:31
  • In closed local networks you can do it that way. Also, it is done that way in military networks :-) – kiyama Mar 12 '21 at 14:00
  • You could use eBPF to modify the IP packet. What are you trying to achieve? What is the big picture? – Mircea Vutcovici Mar 12 '21 at 14:33
