WFP. TCP Proxy.

  • Question

  • Hello everybody!

    I want to make a simple TCP proxy, as simple as ddproxy from the WDK.

    The first thing I made is a FWPM_LAYER_INBOUND_TRANSPORT_V4 filter.

    It works in transparent mode, so particular incoming packets go through the filter and I see this in DebugViewer (ClassifyFn -> Worker -> CloneModifyReinjectInbound).

    No packets are missed and no errors are found!

    Next I tried to do the same thing with FWPM_LAYER_OUTBOUND_TRANSPORT_V4.

    Probably the same scheme as for the inbound way. But after all the successful procedures, the outgoing traffic is gone (Wireshark is silent). Still no errors.

    I think I've missed something.

    Also, I wonder which layers I should filter to redirect, for example, HTTP traffic?

    If it needs some code to analyse, I will post it.

    Thank you in advance.

    Tuesday, September 28, 2010 9:33 AM

Answers

  • Solved.

    No problems with conditions, layers and missed packets.

    Now testing.

    Answer:

    Use FwpsInjectNetworkSendAsync0 instead of FwpsInjectTransportSendAsync0 for OUTBOUND_LAYER.

    In addition I used FwpsConstructIpHeaderForTransportPacket0 in OUTBOUND injection.


    Monday, October 11, 2010 8:09 PM

All replies

  • If you are doing this for Win7+, it is suggested you use the FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4/6}.  This will greatly simplify the proxy model for you.

    Have you tried debugging your code? Are you sending your traffic to a service on the local machine, which then sends out on the original apps behalf?  Or are you just modifying the headers to mask the original tuple info and sending straight out?

    Wireshark is likely implemented in NDIS, so you won't see the traffic until it leaves the IP stack, which means it wouldn't see the original tuple info, only the final.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, September 28, 2010 4:19 PM
    Moderator
  • Hi Dusty

    For Vista.

    Since then I have solved the problem. My mistake was in the way I inject outbound packets.
    I used FwpsInjectNetworkSendAsync0 instead of FwpsInjectTransportSendAsync0.
    I added some more stuff from the metadata and changed the inject function. Wooola - it worked! Of course in transparent mode.

    For now I wonder how to do address and port replacement. And are 2 layers (transport inbound and transport outbound) enough to proxy the whole TCP traffic?

    Wednesday, September 29, 2010 8:41 AM
  • Good to hear you got it working.  Yes, Transport is adequate to proxy all TCP traffic.  Replacing ports and addresses will require modifying the Transport header as well as the IP header.  In both cases you can use FwpsConstructIPHeaderForTransportPacket0.  This has the added benefit of calculating the checksums for you as well.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    Wednesday, September 29, 2010 6:27 PM
    Moderator
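As an added illustration of the point above (this is constructed user-mode C written for this page, not code from the thread or from the WDK sample), here is the header work a transport-layer proxy has to redo when it rewrites a port: the TCP checksum covers a pseudo-header that contains the IP addresses, so any edit to ports or addresses invalidates it, and the IP header checksum has to be valid before reinjection. The sample SYN is built from the addresses and ports seen later in the thread; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed user-mode model, not WDK code: the checksum work a transport-layer
 * proxy must redo after rewriting a port (FwpsConstructIpHeaderForTransportPacket0
 * does this for the caller in the kernel). */
enum { IPH = 20, TCPH = 20, PKT = IPH + TCPH };

/* Ones-complement sum of big-endian 16-bit words; an odd trailing byte is padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    return acc;
}
static uint16_t fold(uint32_t a) { while (a >> 16) a = (a & 0xffff) + (a >> 16); return (uint16_t)~a; }
/* TCP pseudo-header: source/destination addresses, zero, protocol 6, TCP length. */
static uint32_t pseudo(const uint8_t *p, size_t len) { return sum16(p + 12, 8, 0) + 6 + (uint32_t)(len - IPH); }
/* Recompute and store the IPv4 header checksum (bytes 10..11). */
uint16_t ip_checksum(uint8_t *pkt) {
    pkt[10] = pkt[11] = 0;
    uint16_t c = fold(sum16(pkt, IPH, 0));
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    return c;
}
/* Recompute and store the TCP checksum; the pseudo-header ties it to the IP addresses. */
uint16_t tcp_checksum(uint8_t *pkt, size_t len) {
    uint8_t *tcp = pkt + IPH;
    tcp[16] = tcp[17] = 0;
    uint16_t c = fold(sum16(tcp, len - IPH, pseudo(pkt, len)));
    tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)c;
    return c;
}
/* Receiver-side checks: a header summed together with its checksum folds to zero. */
int ip_checksum_ok(const uint8_t *p) { return fold(sum16(p, IPH, 0)) == 0; }
int tcp_checksum_ok(const uint8_t *p, size_t len) { return fold(sum16(p + IPH, len - IPH, pseudo(p, len))) == 0; }
/* The proxy's edit: new destination port, then both checksums refreshed before reinjection. */
void rewrite_dst_port(uint8_t *pkt, size_t len, uint16_t port) {
    pkt[IPH + 2] = (uint8_t)(port >> 8); pkt[IPH + 3] = (uint8_t)port;
    tcp_checksum(pkt, len);
    ip_checksum(pkt);
}
/* Constructed SYN 10.0.2.15:49186 -> 194.87.37.17:7777 (cbt), modelled on the capture. */
size_t build_syn(uint8_t *pkt) {
    static const uint8_t syn[PKT] = {
        0x45,0,0,PKT, 0,1,0x40,0, 0x80,6,0,0, 10,0,2,15, 194,87,37,17,       /* IPv4 */
        0xc0,0x22, 0x1e,0x61, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0x20,0, 0,0, 0,0 }; /* TCP SYN */
    memcpy(pkt, syn, PKT);
    ip_checksum(pkt); tcp_checksum(pkt, PKT);
    return PKT;
}
```

Rewriting the port bytes without calling `tcp_checksum` again leaves a segment the peer's stack silently drops, which is the kind of "no error, no traffic" symptom a proxy author sees in Wireshark.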
  • Thanks for the support. I asked my relative to start this thread here....

    I'm close to finishing it, I guess.

    So now I'm having problems with the ACK packet:

    1. Sending request to Server (TRANSPORT_OUTBOUND - modifying destination port) --- OK

    2. Receiving SYN,ACK from Server (from modified port) -- TRANSPORT_INBOUND_DISCARD hooks it, but there I get an error (status after calling FwpsConstructIpHeaderForTransportPacket0).

    ////classify
    //....

    // WFP hands IPv4 addresses over in host byte order; the header builder expects network byte order.
    packet->ipv4LocalAddr  = RtlUlongByteSwap(inFixedValues->incomingValue[FWPS_FIELD_INBOUND_TRANSPORT_V4_IP_LOCAL_ADDRESS].value.uint32);
    packet->ipv4RemoteAddr = RtlUlongByteSwap(inFixedValues->incomingValue[FWPS_FIELD_INBOUND_TRANSPORT_V4_IP_REMOTE_ADDRESS].value.uint32);
    //.....
    ////classify

    ////inject
    //....
    DbgPrint("ProxyCloneModifyReinjectInbound(): Source Address: %x", packet->ipv4LocalAddr);
    DbgPrint("ProxyCloneModifyReinjectInbound(): Destination Address: %x", packet->ipv4RemoteAddr);
    DbgPrint("ProxyCloneModifyReinjectInbound(): ipheadersize: %x", packet->ipHeaderSize);
    DbgPrint("ProxyCloneModifyReinjectInbound(): addressFamily: %x", packet->addressFamily);
    DbgPrint("ProxyCloneModifyReinjectInbound(): protocol: %x", packet->protocol);

    // Rebuild the IP header on the cloned NBL (this also recalculates checksums);
    // the trailing arguments are left at 0/NULL exactly as in the original call.
    status = FwpsConstructIpHeaderForTransportPacket0(
        clonedNetBufferList,
        packet->ipHeaderSize,
        packet->addressFamily,
        &packet->ipv4LocalAddr,
        &packet->ipv4RemoteAddr,
        packet->protocol,
        0, NULL, 0, 0, NULL, 0, 0);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("DD_proxy.c:DDProxyCloneModifyReinjectInbound IPHeader Not Success %x \n", status);
        goto Exit;
    }
    //...
    ///inject
    00000631	553.94250488	DD_proxy.c:DDProxyWorker INBOUND	
    00000632	553.94256592	DD_proxy.c:DDProxyCloneModifyReinjectInbound BEGIN	
    00000633	553.94262695	DD_proxy.c:DDProxyCloneModifyReinjectInbound netBufferList OK	
    00000634	553.94268799	DD_proxy.c:DDProxyCloneModifyReinjectInbound nblOffset not eq	
    00000635	553.94268799	DD_proxy.c:DDProxyCloneModifyReinjectInbound NDISRetreatNBDS OK	
    00000636	553.94274902	DD_proxy.c:DDProxyCloneModifyReinjectInbound NdisAdvNBDS 	
    00000637	553.94281006	ProxyCloneModifyReinjectInbound(): Source Port: 8080	
    00000638	553.94287109	ProxyCloneModifyReinjectInbound(): Destination Port: 49582	
    00000639	553.94293213	ProxyCloneModifyReinjectInbound(): Source Address: f02000a	
    00000640	553.94293213	ProxyCloneModifyReinjectInbound(): Destination Address: 112557c2	
    00000641	553.94305420	ProxyCloneModifyReinjectInbound(): ipheadersize: 14	
    00000642	553.94305420	ProxyCloneModifyReinjectInbound(): addressFamily: 2	
    00000643	553.94311523	ProxyCloneModifyReinjectInbound(): protocol: 6	
    00000644	553.94317627	DD_proxy.c:DDProxyCloneModifyReinjectInbound IPHeader Not Success c000000d 	
    00000645	553.94323730	DD_proxy.c:DDProxyCloneModifyReinjectInbound END


    For help I used this thread:

    http://social.msdn.microsoft.com/forums/en-US/wfp/thread/3ccb32da-c240-477b-bd28-ea584784bd48/

    The author had no problem with it, but I do.

    • Edited by AleksPolaris Wednesday, September 29, 2010 7:09 PM forgot to say who am I
    Wednesday, September 29, 2010 7:00 PM
  • What error are you receiving?
    Dusty Harper [MSFT]
    Microsoft Corporation
    Thursday, September 30, 2010 6:00 PM
    Moderator
  • The NTSTATUS of FwpsConstructIPHeaderForTransportPacket0 is C000000D - STATUS_INVALID_PARAMETER

    It's not obvious to me what's wrong there in the parameters.

    DD_proxy.c:DDProxyCloneModifyReinjectInbound IPHeader Not Success c000000d
    Thursday, September 30, 2010 6:17 PM
  • Finished it! No errors anymore.

    But I reached the same problem as Yu Yeongjae in http://social.msdn.microsoft.com/forums/en-US/wfp/thread/3ccb32da-c240-477b-bd28-ea584784bd48/

    The OUTBOUND_TRANSPORT doesn't hook the ACK packet.

    No.     Time        Source                Destination           Protocol Info
         25 598.326684  10.0.2.15             ***.87.***.17         TCP      49186 > cbt [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
         26 598.332451  194.87.37.17          10.0.2.15             TCP      cbt > 49186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
         27 598.334618  10.0.2.15             ***.87.***.17         TCP      49186 > http-alt [ACK] Seq=1 Ack=1 Win=64240 Len=0


    For now it should change only the ports. The IP address stays the same.

    Are there any solutions?

    Also, like Yu Yeongjae, I found that if I remove the PORT CONDITION it works well.

    Friday, October 1, 2010 9:34 AM
  • In addition, I didn't try a FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 filter to catch this ACK packet. Maybe it will solve the problem?
    Saturday, October 2, 2010 4:54 PM
  • Hello all!

    Please, can you give me some hints about the functions that you are using? Which language are you using? Is this a library or something else? I need to implement a TCP proxy that acknowledges the packets locally by generating a fake ACK and waits for the real ACK. The purpose is to improve TCP performance, specifically to increase the TCP throughput by generating fast ACKs. I don't know how to implement this, I have no clue, so please, I really need help on this project!

    Thanks in advance!!


    Rad
    Friday, May 20, 2011 5:02 PM