How to carry TTL over to injecting if intercepting on transport layer

  • Question

  • I am currently intercepting ICMP packets on the FWPS_LAYER_OUTBOUND_TRANSPORT_V4 layer. I capture all relevant information for SendArgs, i.e. the remote IP address and scope ID, and I also copy the data in inMetaValues->controlData (simplified code below).

     

    if (inFixedValues->layerId == FWPS_LAYER_OUTBOUND_TRANSPORT_V4)
    {
      // allocate SendArgs (FWPS_TRANSPORT_SEND_PARAMS0) from non-paged pool and zero it
      m_SendArgs->remoteAddress = <remote address>;
      m_SendArgs->remoteScopeId = inMetaValues->remoteScopeId;

      // inMetaValues is only valid for the duration of classifyFn, so controlData
      // has to be deep-copied before the deferred injection
      if (inMetaValues->controlDataLength)
      {
        // allocate space for controlData (non-paged pool)
        if (m_SendArgs->controlData)
        {
          m_SendArgs->controlDataLength = inMetaValues->controlDataLength;
          RtlCopyMemory(m_SendArgs->controlData,
                        inMetaValues->controlData,
                        inMetaValues->controlDataLength);
        }
      }
    }

     

    I then inject this on a different thread (using a DPC) after the request has been checked.

     

    // SendArgs is passed as the completion context so TransportInjectCompletion can free it
    status = FwpsInjectTransportSendAsync0(gInjectionHandle,
                                           NULL,
                                           pInjectData->m_EndpointHandle,
                                           0,
                                           pInjectData->m_SendArgs,
                                           pInjectData->m_af,
                                           (COMPARTMENT_ID)pInjectData->m_CompartmentId,
                                           pInjectData->m_pNetBuffer,
                                           TransportInjectCompletion,
                                           pInjectData->m_SendArgs);

     

     

    The issue I have is that there is no way to carry the TTL forward between the packet intercepted and the packet injected. The NetBuffer that is passed to the transport send injection is positioned at the start of the transport header, NOT the IP header as in inbound injections. There are also no parameters in SendArgs, that I am aware of, that can contain a TTL.

     

    The problem manifests itself as follows: tracert will return immediately if you intercept and just inject the packet immediately. This is due to the fact that the TTL is reset to the default (128) and the incremental values from 1 to whatever are lost.

     

     

    Friday, July 20, 2007 2:00 AM

Answers

  • I can confirm that this is a bug. Thank you for reporting it.

     

    The TTL value is supposed to be encoded in the controlData, but in this particular case (i.e. tracert.exe traffic) we are indicating controlData as NULL. Hence the TTL info is lost.

     

    While we are investigating a solution, can you try to work around the problem by moving ICMP inspection to OUTBOUND_IPPACKET? At this layer the NBL begins with the IP header and you will have access to the entire packet. You can then clone-drop-reinject the packet back using FwpsInjectNetworkSendAsync0.

     

    Biao.W.

    Saturday, July 21, 2007 12:31 AM
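The layer difference behind the question and the answer above, as an added user-mode C model that is not part of the original thread and is not WFP code: the same outbound ICMP echo is shown as the OUTBOUND_IPPACKET layer sees it (buffer starts at the IP header, TTL at byte 8) and as the OUTBOUND_TRANSPORT layer sees it (buffer starts at the ICMP header, no TTL in view). The functions reinject_transport and reinject_ippacket are stand-ins for FwpsInjectTransportSendAsync0 and clone-drop-reinject via FwpsInjectNetworkSendAsync0; they, the packet bytes, and the reduction of controlData to a single optional TTL byte (real controlData is a WSACMSGHDR chain) are assumptions made for illustration.

```c
/* Added model (not WFP code): one outbound ICMP echo as seen from the
 * OUTBOUND_IPPACKET layer and from the OUTBOUND_TRANSPORT layer, and what
 * each reinjection path does to its TTL. All packet bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define ICMP_HDR_LEN 8
#define ECHO_PAYLOAD 32                               /* small echo payload, tracert-like */
#define PKT_LEN      (IPV4_HDR_LEN + ICMP_HDR_LEN + ECHO_PAYLOAD)
#define DEFAULT_TTL  128                              /* Windows default, as observed in the question */

/* RFC 1071 one's-complement checksum, used for both the IP and ICMP headers. */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1)
        sum += (uint32_t)(p[len - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A header whose checksum field is correct sums to zero. */
static int ip_header_checksum_ok(const uint8_t *pkt)
{
    return inet_checksum(pkt, IPV4_HDR_LEN) == 0;
}

/* Build one tracert-style ICMP echo request with the given TTL (constructed data). */
static void build_icmp_echo(uint8_t *pkt, uint8_t ttl, uint16_t seq)
{
    memset(pkt, 0, PKT_LEN);
    pkt[0] = 0x45;                                    /* IPv4, IHL = 5 words */
    pkt[2] = PKT_LEN >> 8;  pkt[3] = PKT_LEN & 0xff;  /* total length */
    pkt[4] = seq >> 8;      pkt[5] = seq & 0xff;      /* identification */
    pkt[8] = ttl;
    pkt[9] = 1;                                       /* protocol = ICMP */
    pkt[12] = 192; pkt[13] = 0;  pkt[14] = 2;   pkt[15] = 1;  /* 192.0.2.1   (RFC 5737) */
    pkt[16] = 198; pkt[17] = 51; pkt[18] = 100; pkt[19] = 1;  /* 198.51.100.1 (RFC 5737) */
    uint16_t c = inet_checksum(pkt, IPV4_HDR_LEN);
    pkt[10] = c >> 8; pkt[11] = c & 0xff;

    uint8_t *icmp = pkt + IPV4_HDR_LEN;
    icmp[0] = 8;                                      /* echo request */
    icmp[6] = seq >> 8; icmp[7] = seq & 0xff;         /* sequence number */
    c = inet_checksum(icmp, ICMP_HDR_LEN + ECHO_PAYLOAD);
    icmp[2] = c >> 8; icmp[3] = c & 0xff;
}

/* IPPACKET view: the NET_BUFFER data starts at the IP header, so TTL is byte 8. */
static uint8_t ttl_at_ippacket_layer(const uint8_t *nb)
{
    return nb[8];
}

/* TRANSPORT view: the data offset is already past the IP header, so the
 * callout's buffer begins at the ICMP header and contains no TTL byte at all. */
static const uint8_t *transport_layer_view(const uint8_t *pkt, size_t *len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    *len = PKT_LEN - ihl;
    return pkt + ihl;
}

/* Stand-in for FwpsInjectTransportSendAsync0: the stack builds a fresh IP header.
 * The only source for a TTL is controlData, reduced here to an optional byte;
 * NULL (the tracert case in the thread) falls back to the default. */
static uint8_t reinject_transport(const uint8_t *tnb, size_t tlen,
                                  const uint8_t *ttl_from_controldata, uint8_t *out)
{
    uint8_t ttl = ttl_from_controldata ? *ttl_from_controldata : DEFAULT_TTL;
    build_icmp_echo(out, ttl, 0);                     /* new header, stack-chosen values */
    memcpy(out + IPV4_HDR_LEN, tnb, tlen);            /* transport bytes carried unchanged */
    return ttl_at_ippacket_layer(out);
}

/* Stand-in for clone-drop-reinject via FwpsInjectNetworkSendAsync0: the clone
 * carries the whole packet, IP header included, so nothing is rebuilt. */
static uint8_t reinject_ippacket(const uint8_t *pkt, size_t len, uint8_t *out)
{
    memcpy(out, pkt, len);
    return ttl_at_ippacket_layer(out);
}

/* One probe with the given TTL through the chosen layer. Returns the TTL that
 * reaches the wire, or 0 if the resulting IP header checksum is invalid. */
static uint8_t wire_ttl_after_reinject(uint8_t ttl, int use_ippacket_layer, int controldata_present)
{
    uint8_t pkt[PKT_LEN], out[PKT_LEN], wire;
    build_icmp_echo(pkt, ttl, ttl);
    if (use_ippacket_layer) {
        wire = reinject_ippacket(pkt, PKT_LEN, out);
    } else {
        size_t tlen;
        const uint8_t *tnb = transport_layer_view(pkt, &tlen);
        wire = reinject_transport(tnb, tlen, controldata_present ? &ttl : NULL, out);
    }
    return ip_header_checksum_ok(out) ? wire : 0;
}

/* tracert's probe sequence (TTL 1..hops): how many probes keep their TTL. */
static int probes_with_ttl_preserved(int hops, int use_ippacket_layer)
{
    int kept = 0;
    for (int ttl = 1; ttl <= hops; ttl++)
        if (wire_ttl_after_reinject((uint8_t)ttl, use_ippacket_layer, 0) == ttl)
            kept++;
    return kept;
}

int main(void)
{
    printf("transport layer, controlData NULL:   %d/30 probes keep their TTL\n",
           probes_with_ttl_preserved(30, 0));
    printf("ippacket layer, clone-drop-reinject: %d/30 probes keep their TTL\n",
           probes_with_ttl_preserved(30, 1));
    return 0;
}
```

With controlData indicated as NULL every probe leaves with TTL 128, which is exactly why tracert completes after its first hop; the IPPACKET path never touches the header, so a byte-for-byte clone preserves the TTL and the header checksum stays valid without recomputation.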

All replies

  • Just a note that this bug will be fixed in Vista SP1 (and WS2008).

     

    Biao.W.

    Wednesday, August 15, 2007 5:36 AM