Firewall Lab
Zutao Zhu, 02/05/2010
Outline
• Preliminaries
• getopt
• LKM
• /proc filesystem
• Netfilter
Manual Page Package
• apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
• /usr/include/linux
• /usr/src/linux-headers-2.6.xx-yy/include/linux
• ip.h, icmp.h, tcp.h, skbuff.h, …
• Find out the header files for a function by using man
Byte Order
• http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
• Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
Byte Order
• The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.
Functions
• htonl – unsigned integer from host byte order to network byte order
• htons – unsigned short from host byte order to network byte order
• ntohl – unsigned integer from network byte order to host byte order
• ntohs – unsigned short from network byte order to host byte order
Vim hints
• Use telnet or ssh to log in to your Ubuntu machine
• Before pasting, run the command :set nocindent
getopt
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• Header file: <unistd.h>
• int getopt (int argc, char **argv, const char *options)
• c = getopt (argc, argv, "abc:");
  – An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
getopt
• optarg – points at the value of the option argument
• Getting long options:
  – struct option long_options[]
  – c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
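An added example, not from the lab slides: a small firewall-rule parser built on the getopt_long call shown above, using the long-option table and optarg. The `parse_rule` function and `struct fw_rule` are this example's own names, and the option letters ("p:d:a:") are chosen here, not by the lab.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct fw_rule { char proto[8]; int dport; int drop; };   /* this example's own type; dport -1 = unset */
/* Parse "-p udp --dport 53 --action drop" style arguments into *r.
 * Returns 0 on success, -1 on an unknown option, a missing argument or a bad value. */
int parse_rule(int argc, char **argv, struct fw_rule *r)
{
    static const struct option long_options[] = {      /* long names map onto the short letters */
        { "proto",  required_argument, 0, 'p' },
        { "dport",  required_argument, 0, 'd' },
        { "action", required_argument, 0, 'a' },
        { 0, 0, 0, 0 }
    };
    int c, option_index = 0;
    char *end; long port;
    optind = 0;   /* getopt keeps its state in globals; 0 makes glibc reinitialise fully (POSIX: 1) */
    opterr = 0;   /* report errors ourselves rather than letting getopt print to stderr */
    memset(r, 0, sizeof *r);
    r->dport = -1;
    while ((c = getopt_long(argc, argv, "p:d:a:", long_options, &option_index)) != -1) {
        switch (c) {
        case 'p':   /* optarg points at the option's value, e.g. "udp" */
            snprintf(r->proto, sizeof r->proto, "%s", optarg);
            break;
        case 'd':
            port = strtol(optarg, &end, 10);
            if (*end != '\0' || port < 0 || port > 65535) return -1;   /* reject "53x" or out-of-range */
            r->dport = (int)port;
            break;
        case 'a':
            r->drop = strcmp(optarg, "drop") == 0;
            if (!r->drop && strcmp(optarg, "accept") != 0) return -1;  /* only drop|accept are valid */
            break;
        default:    /* '?' : unknown option, or a required argument is missing */
            return -1;
        }
    }
    return (r->proto[0] != '\0' && r->dport >= 0) ? 0 : -1;   /* proto and dport are mandatory */
}
int main(int argc, char **argv)
{
    struct fw_rule r;
    if (parse_rule(argc, argv, &r) != 0) { fprintf(stderr, "usage: %s -p PROTO -d PORT [-a drop|accept]\n", argv[0]); return 1; }
    printf("proto=%s dport=%d action=%s\n", r.proto, r.dport, r.drop ? "drop" : "accept");
    return 0;
}
```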
/proc
• Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration.
• A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
• We can read from or write to a virtual file.
/proc virtual filesystem
• Use “cat” to read, use “echo” to write, or call read()/write()
• struct proc_dir_entry
  – proc_entry->read_proc = fortune_read;
  – proc_entry->write_proc = fortune_write;
• create_proc_entry()
• copy_from_user()
• remove_proc_entry()
Loadable Kernel Modules
• LKMs (when loaded) are very much part of the kernel.
• How to insert: insmod
• How to remove: rmmod
• How to list: lsmod
• How to check: modinfo
• How to display output: dmesg
How does an LKM work?
• insmod makes an init_module system call to load the LKM into kernel memory.
• In init_module(), you can create a device file or a proc virtual file and set up the read or write function for the proc virtual file.
• rmmod makes a cleanup_module system call to do the cleanup work.
• /usr/src/linux-2.6.31/kernel/module.c
How to write an LKM?
• http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
• Hello world in the lab pdf
• http://tldp.org/HOWTO/Module-HOWTO/x839.html
• The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module’s organization
• module_init, module_exit – the module’s two required administrative functions
• get_info – the module’s ‘payload’ function
The ‘get_info()’ callback
• When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it four function arguments -- and will expect it to return an integer value:
int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
  – buf: pointer to a kernel buffer
  – start: pointer (optional) to the module’s own buffer
  – off: current file-pointer offset
  – count: size of the space available in the kernel’s buffer
  – return value: the function should return the number of bytes it has written into its buffer
The ‘sprintf()’ function
• The kernel provides a function your module can call to print formatted text into a buffer
• It resembles a standard C library function: int sprintf( char *dstn, const char *fmt, <arguments> );
  – dstn: pointer to the destination
  – fmt: formatting specification string
  – <arguments>: list of the argument values to format
  – return value: the number of characters that were printed to the destination buffer
• Example: int len = sprintf( buf, “count = %d \n”, count );
register/unregister
• Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:
create_proc_info_entry( modname, 0, NULL, get_info );
  – modname: the name for your proc file
  – 0: the file-access attributes (0=default)
  – NULL: directory where the file will reside (NULL=default)
  – get_info: function pointer to your module’s ‘callback’ routine
• Your cleanup should do an ‘unregister’: remove_proc_entry( modname, NULL );
  – modname: the file’s name
  – NULL: directory
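An added example, not the lab's or the kernel's code: a user-space model of the read_proc/write_proc pair named on the /proc slides (the `fortune_read`/`fortune_write` callbacks) following the get_info() contract above, with a `copy_from_user_sim` stand-in for copy_from_user() so it runs outside the kernel. The buffer size and the "block udp 53" rule text are this example's own constructions; it shows why the write side must bound `count` by the module's buffer and why the read side must stay within `count`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define RULE_MAX 64                  /* size of the module's own buffer */
static char rule_buf[RULE_MAX];      /* text stored by the last successful write */

/* Stand-in for copy_from_user(): returns the number of bytes NOT copied (0 on success). */
static unsigned long copy_from_user_sim(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* write_proc callback, reached by `echo "block udp 53" > /proc/fortune`.
 * (The real kernel callback also receives a `struct file *` first; omitted here.) */
int fortune_write(const char *ubuf, unsigned long count, void *data)
{
    (void)data;
    if (count >= RULE_MAX)      /* count comes from user space: bound it by OUR buffer (leaving */
        return -1;              /* room for the NUL); an unbounded copy is a kernel buffer overflow */
    if (copy_from_user_sim(rule_buf, ubuf, count))
        return -1;              /* a real module returns -EFAULT here */
    rule_buf[count] = '\0';
    return (int)count;          /* bytes consumed, as the kernel expects */
}

/* read_proc / get_info callback, reached by `cat /proc/fortune`. */
int fortune_read(char *page, char **start, off_t off, int count, int *eof, void *data)
{
    int len;
    (void)start; (void)data;
    *eof = 1;                   /* everything fits in one call: tell the kernel there is no more */
    if (off > 0)
        return 0;               /* second call (nonzero offset): nothing left */
    len = snprintf(page, (size_t)count, "%s\n", rule_buf);   /* never writes past the kernel's page */
    return len < count ? len : count;   /* bytes written into `page`, clamped if truncated */
}

char proc_page[128];            /* stands in for the kernel page handed to fortune_read */
int  proc_eof;

int main(void)
{
    int n;
    fortune_write("block udp 53", 12, NULL);
    n = fortune_read(proc_page, NULL, 0, sizeof proc_page, &proc_eof, NULL);
    printf("read %d bytes, eof=%d: %s", n, proc_eof, proc_page);
    return 0;
}
```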
Makefile for LKM
```make
obj-m += fortune.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
```
Utilities for LKM
• modinfo simple-lkm.ko
• dmesg | tail -10
  – Check the output of the module
• http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
• NF_IP_PRE_ROUTING [1]
• NF_IP_LOCAL_IN [2]
• NF_IP_FORWARD [3]
• NF_IP_POST_ROUTING [4]
• NF_IP_LOCAL_OUT [5]
• http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
When to hook?
Netfilter hook return values
• NF_ACCEPT: continue traversal as normal.
• NF_DROP: drop the packet; don't continue traversal.
• NF_STOLEN: I've taken over the packet; don't continue traversal.
• NF_QUEUE: queue the packet (usually for userspace handling).
• NF_REPEAT: call this hook again.
Structures
• struct sk_buff in skbuff.h
• struct nf_hook_ops in netfilter.h
• typedef unsigned int nf_hookfn( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *) );
Example
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
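An added example, not from the slides or from the linked module: a user-space model of a hook's decision logic, returning the NF_ACCEPT/NF_DROP verdicts listed above and using the ntohs()/ntohl() conversions from the Byte Order slides to read wire fields. `udp_hook_verdict`, `fw_rule`, `make_rule` and the sample packet are this example's own constructions; a real module would read the same fields from skb data inside its nf_hookfn and return the verdict to netfilter.

```c
#include <arpa/inet.h>   /* ntohs(), ntohl(), inet_addr(); IPPROTO_UDP comes in via <netinet/in.h> */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict values, the same numbers <linux/netfilter.h> gives NF_DROP and NF_ACCEPT. */
#define NF_DROP   0
#define NF_ACCEPT 1
struct fw_rule { uint32_t dst_ip; uint16_t dst_port; };   /* both in HOST byte order */
/* Read big-endian wire fields via memcpy: skb data is not guaranteed to be aligned. */
static uint16_t rd16(const unsigned char *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }

/* What the hook would return for the IPv4 packet in pkt[0..len): drop UDP to
 * rule->dst_ip:dst_port, pass everything else (including anything too short to parse). */
unsigned int udp_hook_verdict(const unsigned char *pkt, size_t len, const struct fw_rule *rule)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)   return NF_ACCEPT;   /* not a complete IPv4 header */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;                        /* header length, options included */
    if (ihl < 20 || len < ihl + 8)        return NF_ACCEPT;   /* bad IHL, or no UDP header behind it */
    if (pkt[9] != IPPROTO_UDP)            return NF_ACCEPT;   /* protocol field */
    if (rd32(pkt + 16) != rule->dst_ip)   return NF_ACCEPT;   /* destination address */
    if (rd16(pkt + ihl + 2) != rule->dst_port) return NF_ACCEPT;   /* UDP destination port */
    return NF_DROP;
}

/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.5, UDP sport 40000 dport 53, no payload, checksums 0. */
const unsigned char sample_udp_dns[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,                           /* source address */
    0x0a, 0x00, 0x00, 0x05,                           /* destination address */
    0x9c, 0x40, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00    /* UDP: sport, dport, length, checksum */
};

/* Build a rule from dotted-quad text; inet_addr() returns network order, so convert once here. */
struct fw_rule make_rule(const char *ip, uint16_t port)
{
    struct fw_rule r = { ntohl(inet_addr(ip)), port };
    return r;
}

int main(void)
{
    struct fw_rule r = make_rule("10.0.0.5", 53);
    unsigned int v = udp_hook_verdict(sample_udp_dns, sizeof sample_udp_dns, &r);
    printf("verdict = %s\n", v == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```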
Misc
• Install kernel-source
  – apt-get install kernel-source
• Extract kernel-source
  – tar -jxvf filename.tar.bz2
• make oldconfig && make prepare && make modules_prepare
• apt-get install build-essential linux-headers-`uname -r`
Reference
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• http://tldp.org/LDP/lkmpg/2.6/html/c708.html
• http://www.ibm.com/developerworks/linux/library/l-proc.html
• http://tldp.org/HOWTO/Module-HOWTO/
• http://www.netfilter.org/documentation/index.html
• http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
• http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/