Iptables – Disable kernel processing of TCP packets for raw socket

iptablessockettcp

I'm working on a TCP/IP implementation, for an embedded device, that I want to test from a Linux user space process using raw sockets.

raw(7) says that

Raw sockets may tap all IP protocols in Linux, even protocols like ICMP or TCP which have a protocol module in the kernel. In this case, the packets are passed to both the kernel module and the raw socket(s).

I need to disable this kernel processing (at least on a specific destination port) in order to test my implementation. I think there's some manipulation involving iptables which can do this, but frankly I'm no Linux guru. I appreciate any help.

Best Answer

Kernel handles TCP handshake by default

Try to make a TCP connection

$ telnet localhost 8877
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

Here connection is refused by kernel directly.

To stop kernel handling TCP connections, you can add netfilter rules. Following command makes kernel ignore TCP packets coming to port 8877

sudo iptables -A INPUT -p tcp --destination-port 8877 -j DROP

Now try doing a TCP connection again

$ telnet localhost 8877
Trying 127.0.0.1...
^C (Killed by me as it gets stuck here)

Kernel does not do the TCP handshake now, and you should be able to implement TCP in userspace as you will still see the packets 1.

To cleanup the netfilter rule after you are done, use

sudo iptables -D INPUT -p tcp --destination-port 8877 -j DROP

Related Solutions

Linux – Sar: what does totsck stand for

There's also UNIX domain sockets (STREAM and DGRAM) that are accounted for in total number of sockets used by the system as it seems. UNIX domain sockets are referenced by processes as inodes in the file system. There's a lot of stuff that still uses UNIX domain sockets for various purposes so sar picks that up. Check that output of netstat -a to see how many UNIX domain sockets are open on your system.

fs.file-nr is the number of maximum file handles and while important has nothing to with what you are seeing there on the sar output.

Edit: Please consider that sar basically reads /proc/net/sockstat and makes an average over that count or reports historical values. It seems that /proc/net/sockstat gets the data from two places (kernel source for 2.6.27) and the locations are net/socket.c line: 2324 and net/ipv4/proc.c line 54 and following and the total number comes from the first locations while the rest is from the second. Going through the net structure also reveals what sockets are counted/accounted for and printed into the proc file system.

 79  * @SOCK_STREAM: stream (connection) socket
 80  * @SOCK_DGRAM: datagram (conn.less) socket>  
 81  * @SOCK_RAW: raw socket
 82  * @SOCK_RDM: reliably-delivered message>
 83  * @SOCK_SEQPACKET: sequential packet socket
 84  * @SOCK_DCCP: Datagram Congestion Control Protocol socket

Linux – Problems with multicasts in “iptables”

You added your rules AFTER the rules which LOG and DROP your traffic. Those rules should be the last rules in the table. Just rearrange the lines so that they appear last.

Best Answer

Related Solutions

Linux – Sar: what does totsck stand for

Linux – Problems with multicasts in “iptables”

Related Topic