Hi,


I'm developing a proxy system for TCP handshakes. Essentially, it's a similar system to a TRAP server where SYN packets will be handled by a proxy server and once the handshake completes, the connection gets handed off to the actual server. In my implementation, I have a few extra functionalities I'm adding in which require me to notify a third party once a valid handshake ACK is received. However, I'm unable to find a way to verify an incoming ACK packet.


My initial implementation was using NFQueue and IPtables in user space, where I'll simply intercept ACK packets with the ESTABLISHED state (iptables --tcp-flags SYN,ACK,... ACK -m state --state ESTABLISHED) and queue them to one of the netfilter queues where I then ensure that they don't have a payload (therefore, confirming it is a handshake packet with ACK flag. Currently ignoring things like TCP Fast Open where the payload is included in the handshake ACK packet).


If IPtables can access the connection tracking tables, then that means it is possible from a netfilter kernel module. I'm just not sure how? I've got a general concept of how networking works in the Linux kernel but a bit clueless on the actual implementation. Any help?

I don’t have an answer for you, but what you’re describing sounds a lot like D. J. Bernstein‘s ucspi-tcp.

Why would you not use the SYNPROXY extension? (man iptables-extensions)

That will get you all the way to a valid ACK, from which you can handle everything else described I think.

Responding after almost five years. Yup! This is a learning exercise more than anything. Trying to learn the stack by implementing it myself.