Firewall Lab Session


8/8/2019 Firewall Lab Session

Firewall Lab

Zutao Zhu

02/05/2010

Outline

Preliminaries
getopt
LKM /proc filesystem
Netfilter


    Manual Page Package

    apt-get install manpages-dev manpages-posix manpages-posix-dev

Header Files

/usr/include/linux

/usr/src/linux-headers-2.6.xx-yy/include/linux (ip.h, icmp.h, tcp.h, skbuff.h, etc.)

Find out the header files a function needs by using man

Byte Order

http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html

Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called big-endian order), and others put it last (little-endian order).

Byte Order

The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.

Functions

htonl - unsigned integer from host byte order to network byte order

htons - unsigned short from host byte order to network byte order

ntohl - unsigned integer from network byte order to host byte order

ntohs - unsigned short from network byte order to host byte order
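Added example (not part of the lab slides): a small user-space C program showing why a packet filter must convert 16-bit port fields with ntohs()/htons() before comparing them with a rule. The four header bytes are constructed for this example; the function names are my own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, ntohs, htonl, ntohl */

/* Constructed sample: the first four bytes of a TCP header exactly as they
   travel on the wire (network byte order): source port 0x1F90 = 8080,
   destination port 0x0016 = 22. */
static const unsigned char sample_tcp_hdr[4] = { 0x1F, 0x90, 0x00, 0x16 };

/* Destination port read from the header and converted to host order.
   memcpy avoids an unaligned 16-bit load on strict-alignment CPUs. */
uint16_t tcp_dport_host(const unsigned char *hdr)
{
    uint16_t net;
    memcpy(&net, hdr + 2, sizeof net);
    return ntohs(net);
}

/* The same bytes interpreted without conversion: equals 22 only on a
   big-endian host; on x86 it reads as 0x1600 = 5632. */
uint16_t tcp_dport_raw(const unsigned char *hdr)
{
    uint16_t raw;
    memcpy(&raw, hdr + 2, sizeof raw);
    return raw;
}

/* Rule check, form 1: keep the rule's port in host order and convert the
   wire value before comparing. */
int rule_matches_dport(const unsigned char *hdr, uint16_t rule_port)
{
    return tcp_dport_host(hdr) == rule_port;
}

/* Rule check, form 2: convert the rule once with htons and compare against
   the raw field. Both forms are endian-safe; comparing the raw field with a
   host-order rule is the classic bug. */
int rule_matches_dport_net(const unsigned char *hdr, uint16_t rule_port)
{
    return tcp_dport_raw(hdr) == htons(rule_port);
}

/* 1 if this machine stores the least significant byte first. */
int host_is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("dport converted with ntohs: %u\n", tcp_dport_host(sample_tcp_hdr));
    printf("dport read raw:             %u\n", tcp_dport_raw(sample_tcp_hdr));
    printf("rule 'dport 22' matches:    %d\n", rule_matches_dport(sample_tcp_hdr, 22));
    return 0;
}
```

On an x86 machine the raw read reports 5632 while the converted read reports 22; a rule written as `dport == 22` against the raw field would silently never match.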

Vim hints

Use telnet or ssh to log in to your Ubuntu machine

Before pasting, run the command :set nocindent

getopt

http://www.gnu.org/s/libc/manual/html_node/Getopt.html

header file

int getopt (int argc, char **argv, const char *options)

while ((c = getopt (argc, argv, "abc:")) != -1)

An option character in this string can be followed by a colon (:) to indicate that it takes a required argument.

getopt

optarg - points at the value of the option argument

Get long options: struct option long_options[]

c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
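Added example (my code, not from the slides): a getopt_long() front end that parses a firewall rule from the command line and rejects anything malformed before it could be handed to a kernel module. The rule struct, option names, the tool name `fwctl` and the sample command lines are assumptions constructed for this example.

```c
#define _GNU_SOURCE
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>

/* Hypothetical rule a user-space front end would later hand to the
   firewall module (e.g. by writing it to the module's /proc file). */
struct fw_rule {
    int action;              /* 1 = drop, 0 = accept */
    int proto;               /* 6 = tcp, 17 = udp, 0 = any */
    unsigned short dport;    /* host byte order, 0 = any */
    struct in_addr src;      /* network byte order, 0 = any */
};

/* Long option table; the last entry must be all zeros. The fourth field
   makes getopt_long return the same character as the short form. */
static const struct option long_options[] = {
    { "action", required_argument, NULL, 'a' },
    { "proto",  required_argument, NULL, 'p' },
    { "dport",  required_argument, NULL, 'd' },
    { "src",    required_argument, NULL, 's' },
    { "help",   no_argument,       NULL, 'h' },
    { NULL,     0,                 NULL,  0  }
};

/* Parse argv into *out. Returns 0 on success and -1 on any unknown option,
   missing argument, out-of-range value or stray positional argument, so a
   half-parsed rule never reaches the kernel. */
int parse_rule_args(int argc, char **argv, struct fw_rule *out)
{
    int c, option_index = 0;
    memset(out, 0, sizeof *out);
    optind = 0;   /* glibc: 0 forces getopt to reinitialise, so the parser is reusable */
    opterr = 0;   /* no getopt messages on stderr; errors come back as -1 */

    while ((c = getopt_long(argc, argv, "a:p:d:s:h", long_options, &option_index)) != -1) {
        char *end;
        long v;
        switch (c) {
        case 'a':
            if (strcmp(optarg, "drop") == 0)        out->action = 1;
            else if (strcmp(optarg, "accept") == 0) out->action = 0;
            else return -1;
            break;
        case 'p':
            if (strcmp(optarg, "tcp") == 0)      out->proto = 6;
            else if (strcmp(optarg, "udp") == 0) out->proto = 17;
            else if (strcmp(optarg, "any") == 0) out->proto = 0;
            else return -1;
            break;
        case 'd':   /* strict numeric parse: whole string, range 1..65535 */
            v = strtol(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || v < 1 || v > 65535) return -1;
            out->dport = (unsigned short)v;
            break;
        case 's':   /* inet_pton validates the dotted-quad syntax */
            if (inet_pton(AF_INET, optarg, &out->src) != 1) return -1;
            break;
        case 'h':
        default:    /* '?' for an unknown option or a missing argument */
            return -1;
        }
    }
    return optind == argc ? 0 : -1;
}

/* Constructed sample command lines (argv[0] is the hypothetical tool name). */
static char *sample_ok[]       = { "fwctl", "--action", "drop", "-p", "tcp", "--dport", "23", "--src", "10.0.0.5", NULL };
static char *sample_bad_port[] = { "fwctl", "-a", "drop", "-d", "70000", NULL };
static char *sample_unknown[]  = { "fwctl", "--bogus", NULL };

/* Count a NULL-terminated argv and parse it. */
int parse_sample(char **argv, struct fw_rule *out)
{
    int argc = 0;
    while (argv[argc] != NULL) argc++;
    return parse_rule_args(argc, argv, out);
}

/* 1 if sample_ok parses to exactly the expected rule. */
int sample_ok_parses_correctly(void)
{
    struct fw_rule r;
    if (parse_sample(sample_ok, &r) != 0) return 0;
    return r.action == 1 && r.proto == 6 && r.dport == 23 && ntohl(r.src.s_addr) == 0x0A000005u;
}

/* 1 if the sample command line is rejected. */
int sample_is_rejected(char **argv)
{
    struct fw_rule r;
    return parse_sample(argv, &r) == -1;
}

int main(int argc, char **argv)
{
    struct fw_rule r;
    if (parse_rule_args(argc, argv, &r) != 0) {
        fprintf(stderr, "usage: %s [--action drop|accept] [--proto tcp|udp|any] [--dport N] [--src A.B.C.D]\n", argv[0]);
        return 1;
    }
    printf("action=%d proto=%d dport=%u src=%s\n", r.action, r.proto, (unsigned)r.dport, inet_ntoa(r.src));
    return 0;
}
```

Every value is validated at the boundary (strtol with end-pointer check, inet_pton, an explicit option whitelist) and the parser refuses partial results; the resetting of optind is what lets the same function be called more than once in one process.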

/proc

Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration.

A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.

We can read from or write to a virtual file.

/proc virtual filesystem

Use cat to read, use echo to write, or call read()/write()

struct proc_dir_entry *proc_entry;
proc_entry->read_proc = fortune_read;
proc_entry->write_proc = fortune_write;

create_proc_entry()   copy_from_user()   remove_proc_entry()

Loadable Kernel Modules

LKMs (when loaded) are very much part of the kernel.

How to insert: insmod
How to remove: rmmod
How to list: lsmod
How to check: modinfo
How to display output: dmesg

How does an LKM work?

insmod makes an init_module system call to load the LKM into kernel memory.

In init_module(), you can create a device file or a proc virtual file, and set up the read or write function for the proc virtual file.

rmmod makes a cleanup_module system call to do the cleanup work.

/usr/src/linux-2.6.31/kernel/module.c

How to write an LKM?

    http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html

LKM example

Hello world in lab pdf

http://tldp.org/HOWTO/Module-HOWTO/x839.html

The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt

Our module's organization

get_info - the module's payload function

module_init, module_exit - the module's two required administrative functions

The get_info() callback

When an application program (like mycat) tries to read our pseudo-file, the kernel will call our get_info() function, passing it four function arguments -- and will expect it to return an integer value:

int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );

buf - pointer to a kernel buffer
start - pointer (optional) to the module's own buffer
off - current file-pointer offset
count - size of the space available in the kernel's buffer

The function should return the number of bytes it has written into its buffer.

The sprintf() function

The kernel provides a function your module can call to print formatted text into a buffer.

It resembles a standard C library function: int sprintf( char *dstn, const char *fmt, ... );

dstn - pointer to the destination
fmt - formatting specification string
... - list of the argument values to format

It will return the number of characters that were printed to the destination buffer.

Example: int len = sprintf( buf, "count = %d \n", count );
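Added example for the two preceding slides (my code, not from the lab): a callback with the slide's get_info() signature, compiled as plain user-space C so it can be run and checked without a kernel. It formats hypothetical firewall counters into the kernel's buffer with snprintf bounded by `count` rather than an unbounded sprintf, honours the offset on repeated reads, and sets *eof. The counters, names and the procfs stand-in are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* off_t */

/* Hypothetical counters the firewall module would keep per verdict. */
struct fw_counters {
    unsigned long accepted;
    unsigned long dropped;
};

/* Constructed sample state handed to the callback through `data`. */
static const struct fw_counters sample_counters = { 1234, 56 };

/* Same signature as the slide's get_info(): buf is the kernel's buffer,
   count the space available in it, off the file offset of this read,
   and *eof must be set when nothing more will follow. */
int fw_get_info(char *buf, char **start, off_t off, int count, int *eof, void *data)
{
    const struct fw_counters *c = data;
    int len;
    (void)start;   /* unused: the module never hands the kernel its own buffer */

    /* Everything fits in one read; a second call (off > 0) means cat is
       asking for more, and returning 0 with *eof set ends the read loop. */
    if (off > 0) {
        *eof = 1;
        return 0;
    }

    /* snprintf rather than sprintf: the output is bounded by count, so a
       long line can never run past the end of the kernel's buffer. */
    len = snprintf(buf, (size_t)count, "accepted=%lu dropped=%lu\n",
                   c->accepted, c->dropped);
    if (len < 0)
        len = 0;
    if (len >= count)            /* snprintf reports the untruncated length */
        len = count > 0 ? count - 1 : 0;

    *eof = 1;
    return len;                  /* bytes actually placed in buf */
}

/* Stand-in for the procfs layer: gives the callback a count-byte buffer at
   offset 0 and returns how many bytes it produced. */
int read_via_get_info(char *out, int count, const struct fw_counters *c)
{
    char *start = NULL;
    int eof = 0;
    return fw_get_info(out, &start, 0, count, &eof, (void *)c);
}

/* Bytes the callback writes for sample_counters when given count bytes. */
int demo_read_len(int count)
{
    char page[64];
    if (count > (int)sizeof page)
        count = (int)sizeof page;
    return read_via_get_info(page, count, &sample_counters);
}

/* 1 if a full read reproduces the expected line exactly. */
int demo_read_matches(void)
{
    char page[64];
    int n = read_via_get_info(page, (int)sizeof page, &sample_counters);
    return n == 25 && memcmp(page, "accepted=1234 dropped=56\n", 25) == 0;
}

int main(void)
{
    char page[64];
    int n = read_via_get_info(page, (int)sizeof page, &sample_counters);
    fwrite(page, 1, (size_t)n, stdout);
    printf("(%d bytes; with an 8-byte buffer the callback returns %d)\n", n, demo_read_len(8));
    return 0;
}
```

The clamp after snprintf matters: snprintf returns the length the full line would have had, and returning that number to the kernel for a buffer that only holds `count` bytes would make it copy memory the callback never wrote.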

register/unregister

Your module-initialization function should register the module's get_info() function:

create_proc_info_entry( modname, 0, NULL, get_info );

modname - the name for your proc file
0 - the file-access attributes (0=default)
NULL - directory where the file will reside (NULL=default)
get_info - function pointer to your module's callback routine

Your cleanup should do an unregister: remove_proc_entry( modname, NULL );

modname - the file's name
NULL - directory


    Utilities for LKM

    modinfo simple-lkm.ko

    dmesg | tail -10

    Check the output of the module http://tldp.org/HOWTO/Module-HOWTO/x146.html


    Netfilter

Netfilter

NF_IP_PRE_ROUTING [1]
NF_IP_LOCAL_IN [2]
NF_IP_FORWARD [3]
NF_IP_POST_ROUTING [4]
NF_IP_LOCAL_OUT [5]

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html


    When to hook?

structure

struct sk_buff in skbuff.h

struct nf_hook_ops in netfilter.h

typedef unsigned int nf_hookfn(unsigned int hooknum,
                               struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
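Added example for the Netfilter slides (my code, not from the lab or the linked tutorials): the verdict logic an nf_hookfn would call, written as plain user-space C so it builds and runs without kernel headers. In the module, the hook function from the typedef above would pass the IPv4 header and the remaining packet length (for example from ip_hdr(skb) and skb->len) to fw_verdict() and return its result; that glue is described here, not compiled. NF_DROP and NF_ACCEPT are defined locally with the values from <linux/netfilter.h>; the rule table, addresses and sample packets are constructed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs, htons, htonl, IPPROTO_TCP, IPPROTO_UDP */

/* Verdict values mirroring <linux/netfilter.h> so this builds in user space. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* IPv4 header as it sits in memory; multi-byte fields stay in network
   byte order until they are read with ntohs/ntohl. */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Hypothetical rule table: TCP to these destination ports is dropped. */
static const uint16_t blocked_tcp_ports[] = { 23, 445 };

/* Verdict for the packet at pkt[0..len). Packets too malformed to judge
   are dropped (fail closed); packets the rule table does not cover pass. */
unsigned int fw_verdict(const unsigned char *pkt, size_t len)
{
    struct ipv4_hdr ip;
    size_t ihl, i;
    uint16_t dport_net, dport;

    if (len < sizeof ip)
        return NF_DROP;                       /* truncated before the header ends */
    memcpy(&ip, pkt, sizeof ip);             /* no unaligned field access */

    if ((ip.ver_ihl >> 4) != 4)
        return NF_DROP;                       /* not IPv4 */
    ihl = (size_t)(ip.ver_ihl & 0x0F) * 4;
    if (ihl < sizeof ip || len < ihl + 4)
        return NF_DROP;                       /* bad IHL, or no room for L4 ports */

    if (ip.protocol != IPPROTO_TCP)
        return NF_ACCEPT;                     /* the rule table only covers TCP */

    /* Only the first fragment carries the transport header; a later
       fragment has no port field, so there is nothing to match on. */
    if ((ntohs(ip.frag_off) & 0x1FFF) != 0)
        return NF_ACCEPT;

    memcpy(&dport_net, pkt + ihl + 2, sizeof dport_net);
    dport = ntohs(dport_net);                 /* wire order -> host order before comparing */
    for (i = 0; i < sizeof blocked_tcp_ports / sizeof blocked_tcp_ports[0]; i++)
        if (dport == blocked_tcp_ports[i])
            return NF_DROP;
    return NF_ACCEPT;
}

/* Build a constructed 40-byte IPv4 + transport header into out; only the
   fields fw_verdict() inspects are filled. Returns the packet length. */
size_t build_sample_packet(unsigned char *out, uint8_t proto, uint16_t dport)
{
    struct ipv4_hdr ip;
    uint16_t sport_net = htons(40000), dport_net = htons(dport);

    memset(out, 0, 40);
    memset(&ip, 0, sizeof ip);
    ip.ver_ihl  = 0x45;                   /* version 4, IHL 5 words = 20 bytes */
    ip.tot_len  = htons(40);
    ip.ttl      = 64;
    ip.protocol = proto;
    ip.saddr    = htonl(0x0A000005u);     /* 10.0.0.5, constructed */
    ip.daddr    = htonl(0x0A000001u);     /* 10.0.0.1, constructed */
    memcpy(out, &ip, sizeof ip);
    memcpy(out + 20, &sport_net, 2);      /* L4 source port */
    memcpy(out + 22, &dport_net, 2);      /* L4 destination port */
    return 40;
}

/* Judge a sample packet, optionally truncated to cut bytes (0 = whole). */
unsigned int verdict_for_sample(uint8_t proto, uint16_t dport, size_t cut)
{
    unsigned char pkt[40];
    size_t len = build_sample_packet(pkt, proto, dport);
    if (cut != 0 && cut < len)
        len = cut;
    return fw_verdict(pkt, len);
}

int main(void)
{
    printf("tcp/23             -> %s\n", verdict_for_sample(IPPROTO_TCP, 23, 0) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    printf("tcp/80             -> %s\n", verdict_for_sample(IPPROTO_TCP, 80, 0) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    printf("udp/23             -> %s\n", verdict_for_sample(IPPROTO_UDP, 23, 0) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    printf("tcp/23, 22 bytes   -> %s\n", verdict_for_sample(IPPROTO_TCP, 23, 22) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

Keeping the decision in a pure function with an explicit length argument is what makes the length and IHL checks testable outside the kernel; a hook that reads ports from skb data without those checks reads past the buffer on a short packet.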


    example

    http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

Misc

Install kernel-source: apt-get install kernel-source

Extract kernel-source: tar -jxvf filename.tar.bz2

make oldconfig && make prepare && make modules_prepare

apt-get install build-essential linux-headers-`uname -r`


    Reference

    http://www.gnu.org/s/libc/manual/html_node/Getopt.html

    http://tldp.org/LDP/lkmpg/2.6/html/c708.html

    http://www.ibm.com/developerworks/linux/library/l-proc.html

    http://tldp.org/HOWTO/Module-HOWTO/

    http://www.netfilter.org/documentation/index.html

    http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2


    http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

    http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/