I'm trying to create a firewall in C as a linux kernel module. as part of the firewall, I've implemented a hook function which performs packets inspection inside the PRE_ROUTING hook point.
In the hook function I need to deduce the packet direction based on its source and destination networking devices.
Whenever I try to extract the source and destination devices, in the packet inspection function, a kernel panic occurs and the OS crashes, and I have no idea why (I've followed linux/netfilter.h strictly). I would more than appreciate any help!
The relevant part of the hook function is as below:
unsigned int inspect_packet(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
char *src_device;
char *dst_device;
src_device = state->in->name;
dst_device = state->in->name;
/* Deduce the packets direction by the networking devices direction */
if (src_device[5] == IN_DEVICE_NUM && dst_device[5] == OUT_DEVICE_NUM)
{
/* some code */
}
}
As you can see, I used (as in the header files) the state->in and state->out fields in order to extract the source and destination device of the packet.
Note: The kernel panic certainly occurs from the code above, the rest of the code is irrelevant.
Solution:
As found in the comments above, the mistake which was made is the assumption the destination device of the packet is already assigned when the hook function was called. The assumption is problematic because the hook function is registered in the PRE_ROUTING hook and therefore still has no destination networking device. In order to solve the problem, we can deduce the packet direction just from the source device.
Here is the fixed version of the code:
unsigned int inspect_packet(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
char *src_device;
src_device = state->in->name;
/* Deduce the packets direction just by the source networking device */
if (src_device[5] == IN_DEVICE_NUM)
{
/* some code */
}
}