My goal for this week was to extend my tcp_conn_track NF to allow it to proxy TCP handshakes. The
NF will sit between a server on the local network and the outside world. When it receives a SYN
packet for the server from the outside world, my NF will attempt to complete the handshake.
If the client completes the handshake, my NF will then "replay" the handshake for the server it is
protecting.
Each connection in tcp_conn_track is represented with an instance of struct connection. I started
off by adding a flag to this struct named entering_network; a connection that was initiated from
outside the local network will have this flag set to true. Packets for entering_network connections are processed slightly differently than others:
- (TODO) once the client responds to the SYN-ACK, the NF then starts replaying the handshake for the remote server.
As of commit f640418, tcp_conn_track can intercept and respond to TCP SYNs from entering_network connections. However, the SYN-ACK sent by the NF is never received by the client. I think it might have to do with the fact that I don't recalculate the TCP checksum after modifying the packet.
TODO:
- figure out why the SYN-ACK is not received
- patch sequence numbers for entering_network connections
@twood02
My code is all in my fork of the ONVM repo.
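The two open points in the issue above, recomputing the checksums after rewriting the SYN into a SYN-ACK and patching sequence numbers once the handshake has been replayed to the real server, as an added C example. This is not code from tcp_conn_track or the ONVM fork: it assumes its own minimal IPv4/TCP header structs (no DPDK mbuf types), a constructed 40-byte SYN as input, and hypothetical function names (`make_syn_ack`, `fix_checksums`, `patch_seq`, `seq_delta`). The mbuf plumbing and the actual send are left out.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal IPv4/TCP header layouts, assumed here so the example runs without DPDK or ONVM. */
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t total_len, id, frag_off; uint8_t ttl, proto;
                  uint16_t hdr_csum; uint32_t src, dst; } __attribute__((packed));
struct tcp_hdr  { uint16_t sport, dport; uint32_t seq, ack; uint8_t data_off, flags;
                  uint16_t window, csum, urg; } __attribute__((packed));
enum { TCP_SYN = 0x02, TCP_ACK = 0x10 };
#define IHL(pkt)  ((size_t)((pkt)[0] & 0x0f) * 4)            /* IPv4 header length in bytes */
#define TCPH(pkt) ((struct tcp_hdr *)((pkt) + IHL(pkt)))
/* RFC 1071 one's-complement sum over big-endian 16-bit words; fold and invert at the end. */
static uint32_t csum_add(uint32_t sum, const void *buf, size_t len) {
    const uint8_t *p = buf;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    return len ? sum + (uint32_t)(p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Sum of the pseudo-header (src, dst, zero, proto, TCP length) that the TCP checksum also covers. */
static uint32_t pseudo_sum(const uint8_t *pkt, size_t seg_len) {
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    uint8_t ph[12] = {0}; uint16_t len_be = htons((uint16_t)seg_len);
    memcpy(ph, &ip->src, 4); memcpy(ph + 4, &ip->dst, 4); ph[9] = ip->proto; memcpy(ph + 10, &len_be, 2);
    return csum_add(0, ph, sizeof ph);
}
/* Checksums in host order, computed with the checksum field itself skipped (i.e. taken as zero).
   tcp_checksum assumes a segment of at least 20 bytes (the checksum field sits at offset 16). */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t ihl) {
    return csum_fold(csum_add(csum_add(0, hdr, 10), hdr + 12, ihl - 12));
}
uint16_t tcp_checksum(const uint8_t *pkt, size_t pkt_len) {
    const uint8_t *seg = pkt + IHL(pkt); size_t n = pkt_len - IHL(pkt);
    return csum_fold(csum_add(csum_add(pseudo_sum(pkt, n), seg, 16), seg + 18, n - 18));
}
/* Receiver-side checks: with a correct checksum the sum over everything covered folds to zero. */
int ipv4_checksum_valid(const uint8_t *pkt) { return csum_fold(csum_add(0, pkt, IHL(pkt))) == 0; }
int tcp_checksum_valid(const uint8_t *pkt, size_t pkt_len) {
    size_t n = pkt_len - IHL(pkt);
    return csum_fold(csum_add(pseudo_sum(pkt, n), pkt + IHL(pkt), n)) == 0;
}
/* Recompute both checksums after any header edit; a receiving stack silently drops a TCP segment whose checksum fails. */
void fix_checksums(uint8_t *pkt, size_t pkt_len) {
    ((struct ipv4_hdr *)pkt)->hdr_csum = htons(ipv4_checksum(pkt, IHL(pkt)));
    TCPH(pkt)->csum = htons(tcp_checksum(pkt, pkt_len));
}
/* Rewrite the received SYN (headers only) into the NF's SYN-ACK in place: swap addresses and ports,
   acknowledge the client's ISN + 1 (the SYN occupies one sequence number), use the NF's own ISN. */
void make_syn_ack(uint8_t *pkt, size_t pkt_len, uint32_t isn_nf) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt; struct tcp_hdr *tcp = TCPH(pkt);
    uint32_t a = ip->src; ip->src = ip->dst; ip->dst = a;
    uint16_t p = tcp->sport; tcp->sport = tcp->dport; tcp->dport = p;
    tcp->ack = htonl(ntohl(tcp->seq) + 1); tcp->seq = htonl(isn_nf); tcp->flags = TCP_SYN | TCP_ACK;
    fix_checksums(pkt, pkt_len);
}
/* Once the NF has replayed the handshake to the real server, which picks its own ISN, the two ends disagree
   on the server's sequence space by delta = isn_server - isn_nf (mod 2^32): client->server segments get
   ack += delta, server->client segments get seq -= delta, and the checksums are redone each time. */
uint32_t seq_delta(uint32_t isn_nf, uint32_t isn_server) { return isn_server - isn_nf; }
void patch_seq(uint8_t *pkt, size_t pkt_len, uint32_t delta, int to_server) {
    struct tcp_hdr *tcp = TCPH(pkt);
    if (to_server) tcp->ack = htonl(ntohl(tcp->ack) + delta);
    else           tcp->seq = htonl(ntohl(tcp->seq) - delta);
    fix_checksums(pkt, pkt_len);
}
/* Constructed sample (not a capture): 40-byte SYN from 10.0.0.5:40000 to 192.168.1.10:80 with ISN 1000. */
size_t build_sample_syn(uint8_t *buf) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)buf; struct tcp_hdr *tcp = (struct tcp_hdr *)(buf + 20);
    memset(buf, 0, 40);
    ip->ver_ihl = 0x45; ip->total_len = htons(40); ip->ttl = 64; ip->proto = 6;
    ip->src = htonl(0x0A000005); ip->dst = htonl(0xC0A8010A);
    tcp->sport = htons(40000); tcp->dport = htons(80); tcp->seq = htonl(1000);
    tcp->data_off = 5 << 4; tcp->flags = TCP_SYN; tcp->window = htons(65535);
    fix_checksums(buf, 40);
    return 40;
}
/* Known answer for the checksum routine: this 20-byte header's correct checksum is 0xb861 (bytes 10-11). */
const uint8_t kat_hdr[20] = {0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11,0xb8,0x61,0xc0,0xa8,0x00,0x01,0xc0,0xa8,0x00,0xc7};
/* Walk the proxy path on the sample; returns 1 if every checkpoint holds, 0 otherwise. */
int demo(void) {
    uint8_t pkt[40] __attribute__((aligned(4))); size_t len = build_sample_syn(pkt); struct tcp_hdr *tcp = TCPH(pkt);
    if (!ipv4_checksum_valid(pkt) || !tcp_checksum_valid(pkt, len)) return 0;
    /* Editing seq/ack/flags without recomputing leaves a checksum the client will reject. */
    tcp->seq = htonl(5000); tcp->ack = htonl(1001); tcp->flags = TCP_SYN | TCP_ACK;
    if (tcp_checksum_valid(pkt, len)) return 0;
    len = build_sample_syn(pkt); make_syn_ack(pkt, len, 5000);
    if (!ipv4_checksum_valid(pkt) || !tcp_checksum_valid(pkt, len)) return 0;
    if (((struct ipv4_hdr *)pkt)->dst != htonl(0x0A000005) || tcp->dport != htons(40000)) return 0;
    if (ntohl(tcp->seq) != 5000 || ntohl(tcp->ack) != 1001 || tcp->flags != (TCP_SYN | TCP_ACK)) return 0;
    /* Client's final ACK carries ack=5001 (NF space); the real server, with ISN 777000, expects 777001. */
    uint32_t delta = seq_delta(5000, 777000);
    len = build_sample_syn(pkt); tcp->ack = htonl(5001); tcp->flags = TCP_ACK; fix_checksums(pkt, len);
    patch_seq(pkt, len, delta, 1);
    if (ntohl(tcp->ack) != 777001 || !tcp_checksum_valid(pkt, len)) return 0;
    tcp->seq = htonl(777001); fix_checksums(pkt, len);            /* now treat it as server->client */
    patch_seq(pkt, len, delta, 0);
    return ntohl(tcp->seq) == 5001 && tcp_checksum_valid(pkt, len);
}
int main(void) { printf("proxy path checks: %s\n", demo() ? "pass" : "FAIL"); return 0; }
```

The quickest way to confirm or rule out the checksum hypothesis is a capture on the client side with checksum validation turned on: a SYN-ACK that arrives with a bad TCP checksum is delivered to the wire but dropped by the client's stack before it ever reaches the socket, which matches "never received". If the NIC does TX checksum offload, the alternative to computing it in software is asking the driver to fill the field in; either way the stale value from the original SYN must not be sent.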