8/8/2019 Firewall Lab Session
1/31
Firewall Lab
Zutao Zhu
02/05/2010
Outline
Preliminaries
getopt
LKM, /proc filesystem
Netfilter
Manual Page Package
apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
/usr/include/linux (for user-space programs)
/usr/src/linux-headers-2.6.xx-yy/include/linux (for modules): ip.h, icmp.h, tcp.h, skbuff.h
Find out the header file for a function by using man.
Byte Order
http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called big-endian order), and others put it last (little-endian order).
Byte Order
The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order (big-endian).
Functions
htonl - unsigned integer from host byte order to network byte order
htons - unsigned short from host byte order to network byte order
ntohl - unsigned integer from network byte order to host byte order
ntohs - unsigned short from network byte order to host byte order
On a little-endian host (x86) these swap the bytes; on a big-endian host they are no-ops, so always call them rather than assuming. The address and port fields in the IP and TCP/UDP headers (iph->saddr, tcph->dest) are in network byte order, so compare them against htonl()/htons()-converted values, not raw host integers.
Vim hints
Use telnet or ssh to log in to your Ubuntu machine (prefer ssh: telnet sends the password in cleartext).
Before pasting, run the command :set nocindent (or :set paste) so Vim does not re-indent the pasted code.
getopt
http://www.gnu.org/s/libc/manual/html_node/Getopt.html
header file: <unistd.h>
int getopt (int argc, char **argv, const char *options)
c = getopt (argc, argv, "abc:");
An option character in this string can be followed by a colon (:) to indicate that it takes a required argument.
getopt
optarg points at the value of the option argument (only meaningful for options declared with a colon).
getopt returns '?' for an unknown option or a missing required argument; treat that as a usage error instead of continuing.
Long options: fill a struct option long_options[] array (terminated by an all-zero entry) and call
c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
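Added example (not from the lab slides): a user-space rule parser that combines the getopt_long slide with the byte-order functions slide. It assumes a hypothetical command line such as `fw --proto tcp -s 10.0.0.1 -d 22 --block` and a hypothetical struct fw_rule; the address and port are converted once with inet_pton()/htons() and kept in network byte order, the form in which a module later compares them against iph->saddr and tcph->dest.

```c
#include <arpa/inet.h>
#include <getopt.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule as a user-space tool might hand it to the module.
 * Address and port are stored in network byte order from the start so the
 * kernel side can compare them directly against header fields. */
struct fw_rule {
    char     proto[8];
    uint32_t src_be;    /* IPv4 source, network byte order */
    uint16_t dport_be;  /* destination port, network byte order */
    int      block;     /* 1 = drop matching packets */
};

/* Parse argv with getopt_long. Returns the index of the first non-option
 * argument, or -1 on any malformed option; out-of-range ports and
 * unparsable addresses are rejected instead of silently stored. */
int parse_rule(int argc, char **argv, struct fw_rule *r)
{
    static const struct option long_opts[] = {
        { "proto", required_argument, NULL, 'p' },
        { "src",   required_argument, NULL, 's' },
        { "dport", required_argument, NULL, 'd' },
        { "block", no_argument,       NULL, 'b' },
        { NULL, 0, NULL, 0 }        /* terminator */
    };
    int c;

    memset(r, 0, sizeof *r);
    optind = 0;   /* glibc/musl: reset getopt state so the parser is re-entrant */
    opterr = 0;   /* report errors through the return value, not stderr */

    while ((c = getopt_long(argc, argv, "p:s:d:b", long_opts, NULL)) != -1) {
        switch (c) {
        case 'p':
            snprintf(r->proto, sizeof r->proto, "%s", optarg);
            break;
        case 's': {
            struct in_addr a;
            if (inet_pton(AF_INET, optarg, &a) != 1)
                return -1;
            r->src_be = a.s_addr;                 /* inet_pton already yields network order */
            break;
        }
        case 'd': {
            char *end;
            long port = strtol(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || port < 1 || port > 65535)
                return -1;
            r->dport_be = htons((uint16_t)port);  /* host -> network byte order */
            break;
        }
        case 'b':
            r->block = 1;
            break;
        default:   /* '?': unknown option or missing required argument */
            return -1;
        }
    }
    return optind;
}

int main(int argc, char **argv)
{
    struct fw_rule r;

    if (parse_rule(argc, argv, &r) < 0) {
        fprintf(stderr, "usage: %s [--proto P] [-s a.b.c.d] [-d port] [--block]\n", argv[0]);
        return 1;
    }
    /* convert back with ntohl/ntohs only for display; the stored fields stay in network order */
    printf("proto=%s src=0x%08x dport=%u block=%d\n",
           r.proto, ntohl(r.src_be), ntohs(r.dport_be), r.block);
    return 0;
}
```

The parser resets optind before scanning because getopt keeps its position in globals; without that, a second call (or a unit test) silently sees no options.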
/proc
Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration.
A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
We can read from or write to a virtual file.
/proc virtual filesystem
Use cat to read, use echo to write, or call read()/write() from a program.
In the module (2.6-era API):
struct proc_dir_entry *proc_entry = create_proc_entry(name, mode, parent);
proc_entry->read_proc  = fortune_read;
proc_entry->write_proc = fortune_write;
copy_from_user() in the write handler copies the user's bytes into kernel memory: check its return value, and cap the user-supplied length against your buffer before copying.
remove_proc_entry(name, parent) in the cleanup function.
Choose the mode deliberately: a writable entry created with 0666 lets any local user push data into your module; 0644 (or 0600) unless unprivileged writes are intended.
Note: create_proc_entry() and the read_proc/write_proc fields were removed in Linux 3.10; on newer kernels a proc file is created with proc_create() and a struct file_operations.
Loadable Kernel Modules
LKMs (when loaded) are very much part of the kernel: module code runs in ring 0 with no isolation, so a bug in the module is a kernel bug.
How to insert: insmod
How to remove: rmmod
How to list: lsmod
How to check: modinfo
How to display output: dmesg
How does an LKM work?
insmod makes an init_module system call to load the LKM into kernel memory (root, or CAP_SYS_MODULE, is required).
In the function registered with module_init() (init_module), you can create a device file or proc virtual file and set up the read or write functions for the proc virtual file.
rmmod makes a delete_module system call, which runs the function registered with module_exit() (cleanup_module) to do the cleanup work.
/usr/src/linux-2.6.31/kernel/module.c
How to write a LKM?
http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
Hello world in lab pdf
http://tldp.org/HOWTO/Module-HOWTO/x839.html
The following slides are modified based on
http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module's organization
module_init, module_exit: the module's two required administrative functions
get_info: the module's payload function
The get_info() callback
When an application program (like mycat) tries to read our pseudo-file, the kernel will call our get_info() function, passing it the arguments below, and will expect it to return an integer value:
int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
buf: pointer to a kernel buffer (one page)
start: pointer (optional) to the module's own buffer
off: current file-pointer offset
count: size of the space available in the kernel's buffer
eof: set *eof = 1 when there is nothing more to return
data: the private pointer given at registration
The function should return the number of bytes it has written into its buffer, and must never write more than count bytes.
(The six-argument form above is the read_proc signature; the older get_info form registered with create_proc_info_entry() takes only the first four arguments.)
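Added example, not the lab's module code: a user-space model of the read_proc/write_proc pair named on the /proc slide (fortune_read, fortune_write), written with the callback signature shown above so the offset/eof contract of the read side and the length check on the write side can be exercised without loading a module. copy_from_user() is stood in for by memcpy and `struct file *` by void *; COOKIE_MAX, PROC_PAGE and proc_cat() are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define COOKIE_MAX 32    /* assumed capacity of the module's fortune buffer */
#define PROC_PAGE  4096  /* size of the buffer the kernel hands to read_proc */

/* Module-private state; statics inside the .ko in the real module */
static char   cookie[COOKIE_MAX];
static size_t cookie_len;

/* write_proc-style handler. count is whatever the user passed to write(2):
 * copying count bytes into cookie without this check is the classic kernel
 * buffer overflow. In the module the memcpy is copy_from_user(), whose
 * non-zero return must also be treated as failure (-EFAULT). */
int fortune_write(void *file, const char *ubuf, unsigned long count, void *data)
{
    (void)file; (void)data;
    if (count >= COOKIE_MAX)
        return -ENOSPC;                 /* refuse instead of overflowing */
    memcpy(cookie, ubuf, count);        /* copy_from_user(cookie, ubuf, count) in the module */
    cookie[count] = '\0';
    cookie_len = count;
    return (int)count;                  /* bytes consumed */
}

/* read_proc-style handler with the slide's signature. The kernel calls it
 * once per read(2): page is its buffer, off how much the reader has already
 * consumed, count the room left. *start = page tells the kernel the bytes
 * returned begin at file offset off; *eof = 1 ends the stream. */
int fortune_read(char *page, char **start, off_t off, int count, int *eof, void *data)
{
    int len;
    (void)data;

    if (off < 0 || (size_t)off >= cookie_len) {
        *eof = 1;
        return 0;                       /* nothing left */
    }
    len = (int)(cookie_len - (size_t)off);
    if (len > count)
        len = count;                    /* never write past the kernel's buffer */
    memcpy(page, cookie + off, (size_t)len);
    *start = page;
    if ((size_t)off + (size_t)len >= cookie_len)
        *eof = 1;
    return len;                         /* bytes placed in page */
}

/* Model of `cat /proc/fortune`: call the handler the way the kernel does,
 * advancing off by what was returned, until eof. chunk shrinks the
 * pretend kernel buffer so the offset handling is exercised. */
size_t proc_cat(char *out, size_t outsz, int chunk)
{
    char   page[PROC_PAGE];
    char  *start = NULL;
    int    eof = 0, n;
    off_t  off = 0;
    size_t total = 0;

    if (chunk <= 0 || chunk > PROC_PAGE)
        chunk = PROC_PAGE;
    while (!eof && (n = fortune_read(page, &start, off, chunk, &eof, NULL)) > 0) {
        if (total + (size_t)n >= outsz)
            break;
        memcpy(out + total, start, (size_t)n);
        total += (size_t)n;
        off   += n;
    }
    out[total] = '\0';
    return total;
}

int main(void)
{
    char buf[128];
    const char *msg = "the quick brown fox";   /* constructed input */

    if (fortune_write(NULL, msg, strlen(msg), NULL) < 0)
        return 1;
    proc_cat(buf, sizeof buf, 8);              /* delivered as 8 + 8 + 3 bytes */
    printf("%s\n", buf);
    printf("oversized write -> %d\n", fortune_write(NULL, buf, 100, NULL));
    return 0;
}
```

The read side honours off and sets *start; a handler that ignores off and always rewrites the whole text from the beginning only works while the text fits in one page, which is the bug the eof/start protocol exists to avoid.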
The sprintf() function
The kernel provides a function your module can call to print formatted text into a buffer.
It resembles the standard C library function:
int sprintf( char *dstn, const char *fmt, ... );
dstn: pointer to destination
fmt: formatting specification string
...: list of the argument values to format
It returns the number of characters that were printed to the destination buffer.
Example:
int len = sprintf( buf, "count = %d\n", count );
Prefer the kernel's snprintf(buf, count, ...) so that a long message cannot run past the page-sized buffer the kernel handed you.
register/unregister
Your module-initialization function should register the module's get_info() function:
create_proc_info_entry( modname, 0, NULL, get_info );
modname: the name for your proc file
0: the file-access attributes (0 = default)
NULL: directory where the file will reside (NULL = default, i.e. /proc itself)
get_info: function pointer to your module's callback routine
Your cleanup should do an unregister:
remove_proc_entry( modname, NULL );
(the file's name, then its directory)
Utilities for LKM
modinfo simple-lkm.ko
dmesg | tail -10
Check the output of the module: http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
NF_IP_PRE_ROUTING [1]
NF_IP_LOCAL_IN [2]
NF_IP_FORWARD [3]
NF_IP_POST_ROUTING [4]
NF_IP_LOCAL_OUT [5]
The bracketed numbers are the positions in the packet-traversal diagram of the netfilter-hacking HOWTO, not the enum values (NF_IP_PRE_ROUTING is 0). Since Linux 2.6.25 kernel code registers hooks with the NF_INET_* names from linux/netfilter.h; the NF_IP_* names stay in linux/netfilter_ipv4.h for user space only.
http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
When to hook?
structure
struct sk_buff in skbuff.h
struct nf_hook_ops in netfilter.h
typedef unsigned int nf_hookfn(unsigned int hooknum,
                               struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
The hook returns a verdict: NF_ACCEPT to let the packet continue, NF_DROP to discard it. Treat skb as attacker-controlled input: check skb->len and the IP header length before dereferencing a transport header behind ip_hdr(skb).
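Added example, not the page's or Paul Kiddie's module code: the packet-inspection part of a hook, written as a user-space function over the raw bytes the hook would see at skb->data so it runs without a kernel. struct drop_rule, fw_verdict() and the constructed packet builder are assumptions of the example; NF_DROP/NF_ACCEPT keep the kernel's numeric values. It shows the checks a hook must make on an attacker-controlled header (version, ihl, total length, transport header actually present) before reading ports, and why a port rule cannot see non-first fragments.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts; numerically identical to NF_DROP/NF_ACCEPT in linux/netfilter.h */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Hypothetical rule: a zero field means "any". Address and port are kept in
 * network byte order so they compare directly with the header bytes, exactly
 * as iph->saddr and tcph->dest would be compared inside the hook. */
struct drop_rule {
    uint8_t  proto;
    uint32_t src_be;
    uint16_t dport_be;
};

/* Byte offsets in the fixed part of an IPv4 header (RFC 791) */
enum { IP_OFF_TOTLEN = 2, IP_OFF_FRAG = 6, IP_OFF_PROTO = 9,
       IP_OFF_SADDR = 12, IP_OFF_DADDR = 16 };

/* Verdict for the IPv4 packet in buf[0..len). In a hook buf would be
 * (uint8_t *)ip_hdr(skb) and len skb->len; every read is bounds-checked
 * first because the header lengths are chosen by the sender. */
unsigned int fw_verdict(const uint8_t *buf, size_t len,
                        const struct drop_rule *rules, size_t nrules)
{
    uint16_t tot_len, frag, dport_be = 0;
    uint32_t saddr;
    size_t ihl, i;

    if (len < 20)
        return NF_DROP;                           /* shorter than a minimal header */
    ihl = (size_t)(buf[0] & 0x0f) * 4;            /* header length in bytes */
    if ((buf[0] >> 4) != 4 || ihl < 20 || ihl > len)
        return NF_DROP;                           /* not IPv4, or ihl points past the buffer */
    memcpy(&tot_len, buf + IP_OFF_TOTLEN, 2);
    if (ntohs(tot_len) < ihl || ntohs(tot_len) > len)
        return NF_DROP;                           /* total length disagrees with the buffer */

    memcpy(&saddr, buf + IP_OFF_SADDR, 4);        /* left in network byte order */
    memcpy(&frag, buf + IP_OFF_FRAG, 2);

    /* Only the first fragment carries the transport header; later fragments
     * have no port to match, which is why netfilter reassembles
     * (nf_defrag_ipv4) before port-based filtering. */
    if ((buf[IP_OFF_PROTO] == IPPROTO_TCP || buf[IP_OFF_PROTO] == IPPROTO_UDP) &&
        (ntohs(frag) & 0x1fff) == 0) {
        if (len < ihl + 4)
            return NF_DROP;                       /* transport header truncated: fail closed */
        memcpy(&dport_be, buf + ihl + 2, 2);      /* dest port sits at offset 2 in TCP and UDP */
    }

    for (i = 0; i < nrules; i++) {
        const struct drop_rule *r = &rules[i];
        if ((r->proto == 0 || r->proto == buf[IP_OFF_PROTO]) &&
            (r->src_be == 0 || r->src_be == saddr) &&
            (r->dport_be == 0 || r->dport_be == dport_be))
            return NF_DROP;                       /* first matching rule wins */
    }
    return NF_ACCEPT;
}

/* Constructed (not captured) IPv4/TCP SYN with 20-byte IP and TCP headers,
 * no options; checksums left zero because the filter never reads them. */
size_t make_tcp_packet(uint8_t *out, const char *src, const char *dst,
                       uint16_t sport, uint16_t dport)
{
    struct in_addr s, d;
    uint16_t v16;

    memset(out, 0, 40);
    inet_pton(AF_INET, src, &s);
    inet_pton(AF_INET, dst, &d);
    out[0] = 0x45;                                /* version 4, ihl 5 */
    v16 = htons(40); memcpy(out + IP_OFF_TOTLEN, &v16, 2);
    out[8] = 64;                                  /* TTL */
    out[IP_OFF_PROTO] = IPPROTO_TCP;
    memcpy(out + IP_OFF_SADDR, &s.s_addr, 4);
    memcpy(out + IP_OFF_DADDR, &d.s_addr, 4);
    v16 = htons(sport); memcpy(out + 20, &v16, 2);
    v16 = htons(dport); memcpy(out + 22, &v16, 2);
    out[32] = 0x50;                               /* TCP data offset 5 */
    out[33] = 0x02;                               /* SYN */
    return 40;
}

int main(void)
{
    uint8_t pkt[64];
    struct drop_rule ssh[1] = { { IPPROTO_TCP, 0, htons(22) } };   /* drop TCP to port 22 */
    size_t n = make_tcp_packet(pkt, "10.0.0.1", "10.0.0.2", 40000, 22);

    printf("SYN to 22: %s\n", fw_verdict(pkt, n, ssh, 1) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    n = make_tcp_packet(pkt, "10.0.0.1", "10.0.0.2", 40000, 80);
    printf("SYN to 80: %s\n", fw_verdict(pkt, n, ssh, 1) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

Inside the module the same logic runs on a linear skb with buf = (uint8_t *)ip_hdr(skb) and len = skb->len, and the result is returned as the nf_hookfn verdict; the length checks are what keep a malformed packet from becoming an out-of-bounds read in ring 0. A packet that cannot be parsed is dropped rather than accepted, since failing open is the easier condition for an attacker to trigger.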
example
http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
Misc
Install kernel source:
apt-get install kernel-source
Extract the kernel source: tar -jxvf filename.tar.bz2
make oldconfig && make prepare && make modules_prepare
To build modules against the running kernel, the headers package is enough:
apt-get install build-essential linux-headers-`uname -r`
(it provides /lib/modules/`uname -r`/build, the directory an out-of-tree module Makefile points make -C at).
Reference
http://www.gnu.org/s/libc/manual/html_node/Getopt.html
http://tldp.org/LDP/lkmpg/2.6/html/c708.html
http://www.ibm.com/developerworks/linux/library/l-proc.html
http://tldp.org/HOWTO/Module-HOWTO/
http://www.netfilter.org/documentation/index.html
http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2
http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/