Capture all packages in kernel module with netfilter hooks after v4.13.x

Question

I have written a kernel module for my routers running OpenWrt to modify user-agent in all forwarded HTTP packages. It works well in kernel v4.9, but cannot capture packages which dest port is less than 1024 in kernel v4.14.63.

For kernel v4.14.63, I write nf_register_net_hook(&init_net, &nfho) instead of nf_register_hook(&nfho). The function also returns 0, but I can only capture packages which destination port is more than 1024. I guess it may be caused by wrongly used the new param *net. So I tried this:

for_each_net(n) nf_unregister_net_hook(n, &nfho);

When I type insmod xmurp-test, it gives me:

failed to insert /lib/modules/4.14.63/xmurp-test.ko

my test code is like this:

static struct nf_hook_ops nfho;

unsigned int hook_funcion(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    register struct tcphdr *tcph;
    register struct iphdr *iph;

    // check if it is TCP package here
    if(skb == 0)
        return NF_ACCEPT;
    iph = ip_hdr(skb);
    if(iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;
    tcph = tcp_hdr(skb);

    // debug here
    printk("tcph->dest = %d", tcph->dest);
    if(tcph->dest != 80)
        return NF_ACCEPT;

    return NF_ACCEPT;
}

static int __init hook_init(void)
{
    int ret = 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
    struct net *n;
#endif

    nfho.hook = hook_funcion;
    nfho.pf = NFPROTO_IPV4;
    nfho.hooknum = NF_INET_FORWARD;
    nfho.priority = NF_IP_PRI_MANGLE;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
    for_each_net(n)
        ret += nf_register_net_hook(n, &nfho);
#else
    ret = nf_register_hook(&nfho);
#endif
    printk("xmurp-ua start\n");
    printk("nf_register_hook returnd %d\n", ret);

    return 0;
}

static void __exit hook_exit(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
    struct net *n;
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
    for_each_net(n)
        nf_unregister_net_hook(n, &nfho);
#else
    nf_unregister_hook(&nfho);
#endif
    printk("xmurp-ua stop\n");
}

module_init(hook_init);
module_exit(hook_exit);

this is part of my kernel log: (dest port less than 1024 not found)

[ 1596.601063] tcph->dest = 15380
[ 1596.619027] tcph->dest = 2067
[ 1596.622388] tcph->dest = 14115
[ 1596.649652] tcph->dest = 47873
[ 1596.903875] tcph->dest = 1044
[ 1596.907796] tcph->dest = 20480
[ 1596.950417] tcph->dest = 20480
[ 1596.953985] tcph->dest = 1044
[ 1597.051657] tcph->dest = 20480
[ 1597.061290] tcph->dest = 29205
[ 1597.109917] tcph->dest = 1044
[ 1597.129058] tcph->dest = 20480
[ 1597.132366] tcph->dest = 1044
[ 1597.151498] tcph->dest = 20480
[ 1597.513850] tcph->dest = 1044
[ 1597.517715] tcph->dest = 20480
[ 1597.904445] tcph->dest = 1044
[ 1597.911922] tcph->dest = 20480
[ 1598.277374] tcph->dest = 1044
[ 1598.281972] tcph->dest = 20480
[ 1598.390774] tcph->dest = 47873
[ 1598.405492] tcph->dest = 14115
[ 1598.428335] tcph->dest = 11029
[ 1598.431651] tcph->dest = 11029
[ 1598.451623] tcph->dest = 14115
[ 1598.496708] tcph->dest = 2067
[ 1598.515683] tcph->dest = 47873
[ 1598.671040] tcph->dest = 1044
[ 1598.676368] tcph->dest = 20480
[ 1598.781044] tcph->dest = 20480
[ 1598.784667] tcph->dest = 1044
[ 1598.935491] tcph->dest = 1044
[ 1598.970062] tcph->dest = 20480
[ 1598.973473] tcph->dest = 1044
[ 1598.999175] tcph->dest = 20480
[ 1599.372445] tcph->dest = 1044
[ 1599.376848] tcph->dest = 20480
[ 1599.746570] tcph->dest = 1044
[ 1599.754935] tcph->dest = 20480
[ 1600.023671] tcph->dest = 47873
[ 1600.027202] tcph->dest = 32021
[ 1600.128045] tcph->dest = 1044

Answer 1

It comes out that the byte order is the key.

// wrong
printk("tcph->dest = %d", tcph->dest);
// right
printk("tcph->dest = %d", ntohs(tcph->dest));