
Firewall Lab

Presentation Transcript


  1. Firewall Lab Zutao Zhu 02/05/2010

  2. Outline • Preliminaries • getopt • LKM • /proc filesystem • Netfilter

  3. Manual Page Package • apt-get install manpages-dev manpages-posix manpages-posix-dev

  4. Header Files • /usr/include/linux • /usr/src/linux-headers-2.6.xx-yy/include/linux • ip.h, icmp.h, tcp.h, skbuff.h, … • Find out the header files for a function by using man

  5. Byte Order • http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html • Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).

  6. Byte Order • The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.

  7. Functions • htonl – unsigned integer from host byte order to network byte order • htons – unsigned short from host byte order to network byte order • ntohl – unsigned integer from network byte order to host byte order • ntohs – unsigned short from network byte order to host byte order

  8. Vim hints • Use telnet or ssh to log in to your Ubuntu machine • Before pasting, run the command :set nocindent

  9. getopt • http://www.gnu.org/s/libc/manual/html_node/Getopt.html • header file <unistd.h> • int getopt (int argc, char **argv, const char *options) • c = getopt (argc, argv, "abc:") • An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.

  10. getopt • optarg - point at the value of the option argument • Get long options • struct option long_options[] • c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
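The getopt_long() usage on slides 9 and 10, applied to the kind of command-line rule a firewall front end takes (added example, not code from the lab or the slides; struct fw_rule, parse_rule() and the option names --proto/--dport/--block are constructed for this illustration):

```c
#include <getopt.h>   /* getopt_long, struct option, optarg, optind, opterr */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parsed firewall rule. Ports are kept in host byte order here; they would be
 * converted with htons() only when handed to the kernel (constructed struct). */
struct fw_rule {
    int      proto;     /* 6 = TCP, 17 = UDP, 0 = any */
    uint16_t dport;     /* 0 = any */
    int      block;     /* 1 = drop matching packets, 0 = accept */
};

/* Returns 0 on success, -1 on an unknown option, a bad value, or a missing
 * required argument. optind is reset so the parser can be called more than
 * once in one process (GNU getopt keeps its scan position in globals). */
int parse_rule(int argc, char **argv, struct fw_rule *r) {
    static const struct option long_options[] = {
        { "proto", required_argument, NULL, 'p' },
        { "dport", required_argument, NULL, 'd' },
        { "block", no_argument,       NULL, 'b' },
        { NULL,    0,                 NULL, 0   }
    };
    int c, option_index = 0;
    memset(r, 0, sizeof *r);
    optind = 1;
    opterr = 0;                       /* report errors via return value, not stderr */
    /* "p:" and "d:" take a required argument (the colon); "b" takes none */
    while ((c = getopt_long(argc, argv, "p:d:b", long_options, &option_index)) != -1) {
        switch (c) {
        case 'p':
            if (strcmp(optarg, "tcp") == 0)      r->proto = 6;
            else if (strcmp(optarg, "udp") == 0) r->proto = 17;
            else return -1;
            break;
        case 'd': {
            char *end;
            long v = strtol(optarg, &end, 10);   /* reject junk and out-of-range ports */
            if (*optarg == '\0' || *end != '\0' || v < 1 || v > 65535) return -1;
            r->dport = (uint16_t)v;
            break;
        }
        case 'b': r->block = 1; break;
        default:  return -1;          /* '?' : unknown option or missing argument */
        }
    }
    return 0;
}
```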

  11. /proc • many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration • A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel. • We can read from or write to a virtual file.

  12. /proc virtual filesystem • Use “cat” to read, use “echo” to write, or by calling read()/write() • struct proc_dir_entry • proc_entry->read_proc = fortune_read; • proc_entry->write_proc = fortune_write; • create_proc_entry() • copy_from_user () • remove_proc_entry()

  13. Loadable Kernel Modules • LKMs (when loaded) are very much part of the kernel. • How to insert: insmod • How to remove: rmmod • How to list: lsmod • How to check: modinfo • How to display output: dmesg

  14. How an LKM works • insmod makes an init_module system call to load the LKM into kernel memory. • In init_module(), you can create a device file or proc virtual file and set up the read or write function for the proc virtual file. • rmmod makes a cleanup_module system call to do the cleanup work. • /usr/src/linux-2.6.31/kernel/module.c

  15. How to write an LKM? • http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html

  16. LKM example • Hello world in lab pdf • http://tldp.org/HOWTO/Module-HOWTO/x839.html • The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt

  17. Our module’s organization • get_info – the module’s ‘payload’ function • module_init and module_exit – the module’s two required administrative functions

  18. The ‘get_info()’ callback • When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it the arguments shown below, and will expect it to return an integer value:
      int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
      buf – pointer to a kernel buffer • start – pointer (optional) to the module’s own buffer • off – current file-pointer offset • count – size of the space available in the kernel’s buffer • return value – the function should return the number of bytes it has written into its buffer

  19. The ‘sprintf()’ function • The kernel provides a function your module can call to print formatted text into a buffer • It resembles the standard C library function:
      int sprintf( char *dstn, const char *fmt, <arguments> );
      dstn – pointer to the destination buffer • fmt – formatting specification string • <arguments> – list of the argument values to format • returns the number of characters that were printed to the destination buffer • Example: int len = sprintf( buf, “count = %d \n”, count );

  20. register/unregister • Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:
      create_proc_info_entry( modname, 0, NULL, get_info );
      modname – the name for your proc file • 0 – the file-access attributes (0=default) • NULL – directory where the file will reside (NULL=default) • get_info – function pointer to your module’s ‘callback’ routine • Your cleanup should do an ‘unregister’:
      remove_proc_entry( modname, NULL );
      modname – the file’s name • NULL – directory

  21. Makefile for LKM (recipe lines under all: and clean: must be indented with a tab character)
      obj-m += fortune.o

      all:
      	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

      clean:
      	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

  22. Utilities for LKM • modinfo simple-lkm.ko • dmesg | tail -10 • Check the output of the module • http://tldp.org/HOWTO/Module-HOWTO/x146.html

  23. Netfilter

  24. Netfilter • NF_IP_PRE_ROUTING [1] • NF_IP_LOCAL_IN [2] • NF_IP_FORWARD [3] • NF_IP_POST_ROUTING [4] • NF_IP_LOCAL_OUT [5] • http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

  25. When to hook?

  26. Netfilter does • NF_ACCEPT: continue traversal as normal. • NF_DROP: drop the packet; don't continue traversal. • NF_STOLEN: I've taken over the packet; don't continue traversal. • NF_QUEUE: queue the packet (usually for userspace handling). • NF_REPEAT: call this hook again.

  27. structure • struct sk_buff in skbuff.h • struct nf_hook_ops in netfilter.h • the hook function type:
      typedef unsigned int nf_hookfn( unsigned int hooknum,
                                      struct sk_buff *skb,
                                      const struct net_device *in,
                                      const struct net_device *out,
                                      int (*okfn)(struct sk_buff *) );
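The decision logic a hook at NF_IP_LOCAL_IN would run over skb data, modelled in user space so it compiles without kernel headers (added example, not code from the lab or the slides). The packet is built by hand with the field layout of struct iphdr / struct tcphdr from slides 4 and 27, ports and addresses are converted with the ntohs/ntohl functions of slide 7, and the verdict values mirror NF_DROP/NF_ACCEPT from slide 26; struct rule, build_tcp_packet() and filter_packet() are constructed names:

```c
#include <arpa/inet.h>    /* inet_pton, htons, ntohs, ntohl */
#include <netinet/in.h>   /* IPPROTO_TCP, AF_INET */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts use the same numeric values as NF_DROP (0) and NF_ACCEPT (1). */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* One "drop <proto> to <dport> from <saddr>" rule in host byte order
 * (constructed for this example; a 0 field means "any"). */
struct rule { uint8_t proto; uint16_t dport; uint32_t saddr; };

/* Build a constructed 40-byte IPv4 + TCP header pair, fields laid out as in
 * struct iphdr / struct tcphdr. Returns the packet length. */
size_t build_tcp_packet(uint8_t *buf, const char *src, const char *dst,
                        uint16_t sport, uint16_t dport) {
    uint16_t be;
    memset(buf, 0, 40);
    buf[0] = 0x45;                                   /* version 4, ihl 5 (20 bytes) */
    be = htons(40); memcpy(buf + 2, &be, 2);         /* tot_len, network order */
    buf[8] = 64;                                     /* ttl */
    buf[9] = IPPROTO_TCP;                            /* protocol */
    inet_pton(AF_INET, src, buf + 12);               /* saddr, already network order */
    inet_pton(AF_INET, dst, buf + 16);               /* daddr */
    be = htons(sport); memcpy(buf + 20, &be, 2);     /* tcphdr.source */
    be = htons(dport); memcpy(buf + 22, &be, 2);     /* tcphdr.dest */
    buf[32] = 0x50;                                  /* data offset 5, no flags */
    return 40;
}

/* The hook's verdict for this packet. Multi-byte fields are copied out with
 * memcpy (no unaligned access) and converted with ntohs/ntohl before being
 * compared against the host-order rule; malformed packets are dropped. */
enum verdict filter_packet(const uint8_t *pkt, size_t len, const struct rule *r) {
    uint32_t saddr_be; uint16_t dport_be; size_t ihl;
    if (len < 20) return VERDICT_DROP;                        /* truncated IP header */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;                        /* header length in bytes */
    if (ihl < 20 || len < ihl) return VERDICT_DROP;           /* bogus ihl */
    if (r->proto && pkt[9] != r->proto) return VERDICT_ACCEPT; /* rule not applicable */
    memcpy(&saddr_be, pkt + 12, 4);
    if (r->saddr && ntohl(saddr_be) != r->saddr) return VERDICT_ACCEPT;
    if (r->dport) {
        if (len < ihl + 4) return VERDICT_DROP;               /* no room for the ports */
        memcpy(&dport_be, pkt + ihl + 2, 2);
        if (ntohs(dport_be) != r->dport) return VERDICT_ACCEPT;
    }
    return VERDICT_DROP;                                      /* every rule field matched */
}
```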

  28. example • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

  29. Misc • Install kernel-source • apt-get install kernel-source • Extract kernel-source • tar -jxvf filename.tar.bz2 • make oldconfig && make prepare && make modules_prepare • apt-get install build-essential linux-headers-`uname -r`

  30. Reference • http://www.gnu.org/s/libc/manual/html_node/Getopt.html • http://tldp.org/LDP/lkmpg/2.6/html/c708.html • http://www.ibm.com/developerworks/linux/library/l-proc.html • http://tldp.org/HOWTO/Module-HOWTO/ • http://www.netfilter.org/documentation/index.html • http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2

  31. Reference • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/ • http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/
