Hello,

I'm writing a NETFILTER module, it works at NF_IP_LOCAL_IN.
Its work is to capture the IP packets and deliver them back to the user
space.
What I do is:
Use skb_realloc_headroom() to make sure there is enough space for
another IP header, and meanwhile, make a copy of the original packet.
Add another IP header in the new packet, whose the source IP and dest IP
are both the local IP.
Deliver the new packet by ip_dev_loopback_xmit()(I copy this function
from the kernel).
Drop the original packets by returning NF_DROP.
(the module doesn't deliver TCP packets back to the user space for
debugging reason.)

I send ICMP packets by using ping to test the module, and I also write a
program in the user space to receive the delivered packets(with 2 IP
headers), and the program does receive them.
But the weird thing is that I cannot use TCPDUMP captured the delivered
packets.
Because I use ip_dev_loopback_xmit(), TCPDUMP should see the packets
once(in netif_receive_skb()).

If TCPDUMP listens to lo, it cannot get any packets.
debian:~/storage# tcpdump -i lo -w packets.pcap
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

If it listens to every device, the number of captured packets and the
one received by filter are different. But I don't define any filter
rules here, and the captured packets are all TCP packets.
debian:~/storage# tcpdump -i any -w packets.pcap
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
size 96 bytes
32 packets captured
38 packets received by filter
0 packets dropped by kernel

Since I don't define the filter rule, TCPDUMP should receive all packets
it can see.
Does anyone know what happens here?

Best,
Zheng Da