How do I drop a TCP packet in the Linux kernel? It keeps being received again and again
I want to change the Linux kernel code to filter some TCP packets and drop them.
But I keep receiving them again and again. Here is my code in
/net/ipv4/tcp_ipv4.c:
    int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
    {
        // my code start
        struct iphdr *iph;
        iph = skb->nh.iph;
        if (iph->ttl > 64) // I want to drop all tcp packets that meet this requirement
        {
            return 0;
        }
        // my code end
        // start normal linux code
        if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
            ...
        }
Comments (3)
As @nos said, TCP is reliable, so the other end will retransmit the dropped packet. You would need to send a RST or an ICMP error (probably host unreachable, administratively prohibited) to tear down the connection.
Also, note that you've created a memory leak: you're responsible for freeing skbs when you discard them.
There is a ttl module for iptables, which can filter by ttl:
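As an added example, not part of this or any other answer on the page: a small sh script that does from userspace what the two answers above recommend, matching on TTL with the iptables ttl module and answering with REJECT (a TCP RST or an ICMP administratively-prohibited error) rather than a silent drop, so the peer tears the connection down instead of retransmitting. The INPUT chain, the threshold of 64 and the log prefix are my assumptions.

```shell
#!/bin/sh
# Added example: reject incoming TCP segments whose IPv4 TTL exceeds a
# threshold using the iptables ttl match, instead of patching tcp_v4_do_rcv().
# REJECT tells the peer the connection is gone, so it stops retransmitting;
# a DROP (or a kernel-side "return 0") would not. Chain, threshold and log
# prefix below are assumptions for the example.

# Print the rule arguments (everything after "iptables -A"/"-C") for a rule
# that rejects TCP with TTL greater than $1; $2 selects the reject type.
ttl_reject_rule() {
    ttl="$1"
    case "${2:-rst}" in
        rst)  with="tcp-reset" ;;              # TCP RST: immediate teardown
        icmp) with="icmp-admin-prohibited" ;;  # ICMP type 3, code 13
        *)    echo "ttl_reject_rule: mode must be rst or icmp" >&2; return 1 ;;
    esac
    printf '%s' "INPUT -p tcp -m ttl --ttl-gt $ttl -j REJECT --reject-with $with"
}

# Install the rule once (iptables -C reports whether an identical rule already
# exists) with a LOG rule in front of it, so rejected segments show up in the
# kernel log. Needs root plus the ttl and REJECT modules loaded.
apply_ttl_reject() {
    rule=$(ttl_reject_rule "$1" "$2") || return 1
    # word-splitting of $rule into separate arguments is intended here
    if iptables -C $rule 2>/dev/null; then
        echo "rule already present"
        return 0
    fi
    iptables -A INPUT -p tcp -m ttl --ttl-gt "$1" -j LOG --log-prefix "ttl-reject: "
    iptables -A $rule
}

# Usage (as root): apply_ttl_reject 64 rst
```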
If you really wanted to, you could modify the code to send an acknowledgment for the packet, but instead drop it. I don't really recommend this.