[ovs-discuss] Q: Using netfilter to classify packets in OVS ?

sougol gheissi sougol.gheissi at gmail.com
Tue Aug 29 14:32:24 UTC 2017


Hello,
I have tried to implement something like the above issue. I want to use
netfilter to capture UDP packets, modify them and then send them to the
OVS. As you said you tried it and it works. My problem is, I send SIP
packets to the OVS, but when I try to print the destination port, as it is
5060, I get 53, which is a DNS port. How did you do that?
Here is my code. Your help would be really appreciated.

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>


static struct nf_hook_ops nfho;
struct iphdr *iph;
struct udphdr *udp_header;
struct sk_buff *sock_buff;
unsigned int sport, dport;

unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{

    sock_buff = skb;

    if (!sock_buff) {
        return NF_ACCEPT;
    }

    iph = (struct iphdr *)ip_hdr(sock_buff);

    if (!sock_buff) {
        return NF_ACCEPT;
    }
    if (!iph)
        return NF_ACCEPT;

    if (iph->protocol == IPPROTO_UDP) {
        udp_header = (struct udphdr *)udp_hdr(sock_buff);
        printk(KERN_INFO "UDP PKT\n");
        /* Port fields are in network byte order; convert to host order. */
        sport = ntohs(udp_header->source);
        dport = ntohs(udp_header->dest);
        printk(KERN_INFO "UDP ports: source: %u, dest: %u\n", sport, dport);
        return NF_ACCEPT;
    }

    return NF_ACCEPT;

}

static int __init initialize(void) {
    nfho.hook = hook_func;
    nfho.hooknum = 0; // I use pre-routing hook to have the packets first in the netfilter and then in the ovs
    nfho.pf = PF_INET;
    nfho.priority = NF_IP_PRI_FIRST;
    nf_register_hook(&nfho);
    printk(KERN_INFO "my netfilter module!\n");
    return 0;
}

static void __exit teardown(void) {
    nf_unregister_hook(&nfho);
}

module_init(initialize);
module_exit(teardown);

On Thu, Jul 13, 2017 at 1:08 AM, Jean Tourrilhes <jt at labs.hpe.com> wrote:

> On Wed, Jul 12, 2017 at 10:54:34AM -0700, Joe Stringer wrote:
> >
> > Hi Jean,
> >
> > There's no native integration, but I could imagine that if Netfilter
> > ran on the packets first then modified the skb mark field, then OVS
> > ran later on that packet then plausibly you could match on the
> > pkt_mark.
>
>         I tried it, and it works great.
>         Thanks a lot !
>
>         Jean
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
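
For reference, a bounds-checked way to read UDP ports from a raw IPv4 packet, locating the UDP header from the IP header length field and converting from network byte order. This is an added userland example, not part of the original post and not a diagnosis of it; `udp_ports`, `is_sip`, `make_pkt` and the sample packets are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define PROTO_UDP 17   /* same value as IPPROTO_UDP */
#define SIP_PORT  5060

/* Store host-order UDP ports of an IPv4 packet; 0 on success, -1 if the
 * buffer is not IPv4/UDP, is truncated, or is a non-first fragment. */
int udp_ports(const uint8_t *pkt, size_t len, uint16_t *sport, uint16_t *dport)
{
    uint16_t frag, s, d;
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != PROTO_UDP)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length incl. options */
    if (ihl < 20 || len < ihl + 8)             /* need the full 8-byte UDP header */
        return -1;
    memcpy(&frag, pkt + 6, 2);
    if (ntohs(frag) & 0x1fff)                  /* later fragments carry no UDP header */
        return -1;
    memcpy(&s, pkt + ihl, 2);
    memcpy(&d, pkt + ihl + 2, 2);
    *sport = ntohs(s);                         /* wire order -> host order */
    *dport = ntohs(d);
    return 0;
}

/* 1 if the packet is UDP addressed to the SIP port, else 0. */
int is_sip(const uint8_t *pkt, size_t len)
{
    uint16_t s, d;
    return udp_ports(pkt, len, &s, &d) == 0 && d == SIP_PORT;
}

/* Constructed sample packet: bare IPv4 header of ihl_words words plus UDP header. */
size_t make_pkt(uint8_t *buf, unsigned ihl_words, uint8_t proto, uint16_t sport, uint16_t dport)
{
    size_t ihl = (size_t)ihl_words * 4;
    memset(buf, 0, ihl + 8);
    buf[0] = (uint8_t)(0x40 | ihl_words);      /* version 4, header length */
    buf[9] = proto;
    buf[ihl] = (uint8_t)(sport >> 8);     buf[ihl + 1] = (uint8_t)sport;
    buf[ihl + 2] = (uint8_t)(dport >> 8); buf[ihl + 3] = (uint8_t)dport;
    return ihl + 8;
}

int main(void)
{
    uint8_t b[64];   /* sample with 4 bytes of IP options; exit 0 when seen as SIP */
    return !is_sip(b, make_pkt(b, 6, PROTO_UDP, 40000, SIP_PORT));
}
```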