LinuxQuestions.org


BobZscharnagk 02-24-2021 03:32 AM

NFTables extension querying HTTP response data after TCPHDR(SKB) unexpected
 
I'm running Debian 5.10.1 with a NFTables extension module. There are two functions in the module. 1) Extract the IP address from a DNS response packet. 2) Look for a valid HTTP response served by my Web server. Both functions are called from a NFTables output rule.

The first function works fine but the second is having unexpected results. I get the iphdr from using ip_hdr(skb*) and the data in the iphdr looks good. The data after the iphdr looks good for a tcphdr. However, the HTTP data which should be after the tcphdr is not correct.

Dumping skb->data I get this :-

4500047B529A40004006AB930A0B122A
0A0B12100050D98D241EF15862B67970
501801F53CBD00000000010000000100
00000000000000000000000000000000
01000000000000000200010000000000
000000000000000000E250C069BBFFFF
5304000000000000035D864C5BE58F5C
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

The first 0x14 bytes are the iphdr and the next 0x14 bytes the tcphdr and validated in the tcpdump of the packet. However at 0x28 I would expect to see "HTTP/1.1 200 OK....." and I don't.

Any suggestions?
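
An added example, not part of the original post: user-space C that decodes the first 0x28 bytes of the dump above and computes the TCP payload offset and length from the IHL and data-offset fields instead of a fixed 0x14. The `headlen` parameter is an assumption standing in for the kernel's `skb_headlen(skb)`: `skb->data` is contiguous only for that many bytes, and anything beyond it has to be read with `skb_header_pointer()` or `skb_copy_bits()`.

```c
#include <stdint.h>
#include <stdio.h>

/* First 0x28 bytes of the skb->data dump quoted in the post. */
static const uint8_t dump[40] = {
    0x45,0x00,0x04,0x7B,0x52,0x9A,0x40,0x00,0x40,0x06,0xAB,0x93,0x0A,0x0B,0x12,0x2A,
    0x0A,0x0B,0x12,0x10,0x00,0x50,0xD9,0x8D,0x24,0x1E,0xF1,0x58,0x62,0xB6,0x79,0x70,
    0x50,0x18,0x01,0xF5,0x3C,0xBD,0x00,0x00 };

struct l4_layout { unsigned payload_off, payload_len, sport, dport; };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Decode IPv4 + TCP headers; 0 on success, -1 if malformed or truncated. */
int parse_ipv4_tcp(const uint8_t *b, size_t len, struct l4_layout *o)
{
    if (len < 20 || (b[0] >> 4) != 4 || b[9] != 6)
        return -1;
    unsigned ihl = (b[0] & 0x0f) * 4u, tot = be16(b + 2);
    if (ihl < 20 || len < ihl + 20 || tot < ihl + 20)
        return -1;
    const uint8_t *t = b + ihl;
    unsigned doff = (t[12] >> 4) * 4u;   /* TCP data offset, in bytes */
    if (doff < 20 || tot < ihl + doff)
        return -1;
    o->payload_off = ihl + doff;
    o->payload_len = tot - ihl - doff;   /* from the IP total-length field */
    o->sport = be16(t);
    o->dport = be16(t + 2);
    return 0;
}

/* headlen stands in for skb_headlen(skb) (assumed, caller-supplied): the
 * number of payload bytes reachable through skb->data + payload_off. */
unsigned payload_bytes_linear(const struct l4_layout *o, unsigned headlen)
{
    if (headlen <= o->payload_off)
        return 0;
    unsigned avail = headlen - o->payload_off;
    return avail < o->payload_len ? avail : o->payload_len;
}

int main(void)
{
    struct l4_layout l;
    if (parse_ipv4_tcp(dump, sizeof dump, &l)) return 1;
    printf("payload at 0x%x, %u bytes, port %u -> %u, linear if headlen=0x28: %u\n",
           l.payload_off, l.payload_len, l.sport, l.dport, payload_bytes_linear(&l, 0x28));
    return 0;
}
```

In a module, comparing `payload_off` with `skb_headlen(skb)` shows whether any of the expected 1107 payload bytes sit in the linear area at all.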

shruggy 02-25-2021 12:58 PM

Quote:

Originally Posted by BobZscharnagk (Post 6223935)
I'm running Debian 5.10.1

There's no Debian 5.10.1. There's Debian 5.0.10 released in March 2012. Then there's Debian 10.1 released in September 2019. So which one are you running? Although any of them would seem strange: 5.0.10 is ancient and unsupported, and the current Buster point release is 10.8.

If what you mean is the kernel version, buster has 4.19, while buster-backports, bullseye and sid are currently in sync, all of them having 5.10.13. Have you compiled your kernel yourself?

BobZscharnagk 02-26-2021 04:51 AM

shruggy,

I'm running a kernel I compiled myself, the source was downloaded from www.kernel.org and at the time 5.10.1 was the latest stable version.

Bob

