Firewall Lab Zutao Zhu 02/05/2010

Outline

• Preliminaries

• getopt

• LKM

• /proc filesystem

• Netfilter

Manual Page Package

• apt-get install manpages-dev manpages-posix manpages-posix-dev

Header Files

• /usr/include/linux

• /usr/src/linux-headers-2.6.xx-yy/include/linux

• ip.h, icmp.h, tcp.h, skbuff.h, …

• Find out the header files for a function by using man

Byte Order

• http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html

• Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).

Byte Order

• The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.

Functions

• htonl – unsigned integer from host byte order to network byte order

• htons – unsigned short from host byte order to network byte order

• ntohl – unsigned integer from network byte order to host byte order

• ntohs – unsigned short from network byte order to host byte order

Vim hints

• Use telnet or ssh to log in to your Ubuntu machine

• Before pasting, run the command :set nocindent

getopt

• http://www.gnu.org/s/libc/manual/html_node/Getopt.html

• header file <unistd.h>

• int getopt (int argc, char **argv, const char *options)

• c = getopt (argc, argv, "abc:")

– An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.

getopt

• optarg – points to the value of the current option’s argument

• Get long options

– struct option long_options[]

– c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
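As an added example (not from the slides), here is a user-space parser for a firewall-rule tool built on getopt_long, following the option-string convention above (a ‘:’ after a letter means that option takes an argument); the option letters and struct fw_rule are this example’s own assumptions.

```c
/* Added example (not from the slides): a user-space parser for a firewall-rule
 * tool built on getopt_long; the option letters and struct fw_rule are assumed. */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fw_rule {
    char proto[8];         /* "tcp", "udp" or "icmp" */
    unsigned short dport;  /* destination port, 0 = any */
    int block;             /* 1 = drop matching packets, 0 = accept */
};
/* Fill *r from argv. Returns 0 on success, -1 on a bad or missing option. */
int parse_rule(int argc, char **argv, struct fw_rule *r)
{
    /* long names map onto the same letters as the short options */
    static const struct option long_options[] = {
        {"proto", required_argument, NULL, 'p'},
        {"dport", required_argument, NULL, 'd'},
        {"block", no_argument,       NULL, 'b'},
        {0, 0, 0, 0}
    };
    int c, option_index = 0;

    memset(r, 0, sizeof(*r));
    optind = 0;   /* glibc: reset getopt's state so parse_rule() can be called again */
    opterr = 0;   /* report problems through the return value instead of stderr */
    /* "p:d:b": p and d take a required argument (delivered in optarg), b does not */
    while ((c = getopt_long(argc, argv, "p:d:b", long_options, &option_index)) != -1) {
        switch (c) {
        case 'p':   /* only known protocol names are accepted */
            if (strcmp(optarg, "tcp") && strcmp(optarg, "udp") && strcmp(optarg, "icmp"))
                return -1;
            snprintf(r->proto, sizeof(r->proto), "%s", optarg);
            break;
        case 'd': { /* port must be a whole number in 1..65535 */
            char *end;
            long v = strtol(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || v < 1 || v > 65535)
                return -1;
            r->dport = (unsigned short)v;
            break;
        }
        case 'b':
            r->block = 1;
            break;
        default:    /* '?': unknown option, or an option missing its argument */
            return -1;
        }
    }
    return r->proto[0] ? 0 : -1;  /* a protocol is mandatory */
}
```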

/proc

• Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration.

• A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.

• We can read from or write to a virtual file.

/proc virtual filesystem

• Use “cat” to read, use “echo” to write, or call read()/write() from a program

• struct proc_dir_entry

– proc_entry->read_proc = fortune_read;

– proc_entry->write_proc = fortune_write;

• create_proc_entry()

• copy_from_user ()

• remove_proc_entry()

Loadable Kernel Modules

• LKMs (when loaded) are very much part of the kernel.

• How to insert: insmod

• How to remove: rmmod

• How to list: lsmod

• How to check: modinfo

• How to display output: dmesg

How an LKM works

• insmod makes an init_module system call to load the LKM into kernel memory.

• In init_module(), you can create a device file or a proc virtual file and set up the read and write functions for the proc virtual file.

• rmmod makes a cleanup_module system call to do the cleanup work.

• /usr/src/linux-2.6.31/kernel/module.c

How to write an LKM?

• http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html

LKM example

• Hello world in lab pdf

• http://tldp.org/HOWTO/Module-HOWTO/x839.html

• The following slides are adapted from http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt

Our module’s organization

• module_init and module_exit – the module’s two required administrative functions

• get_info – the module’s ‘payload’ function

The ‘get_info()’ callback

• When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it the arguments shown below, and will expect it to return an integer value:

int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );

– buf: pointer to a kernel buffer

– start: pointer (optional) to the module’s own buffer

– off: current file-pointer offset

– count: size of the space available in the kernel’s buffer

– eof: set *eof to 1 when there is nothing more to return

– data: private pointer supplied when the proc entry was registered

– The function should return the number of bytes it has written into its buffer

The ‘sprintf()’ function

• The kernel provides a function your module can call to print formatted text into a buffer

• It resembles a standard C library function: int sprintf( char *dstn, const char *fmt, <arguments> );

– dstn: pointer to the destination buffer

– fmt: formatting specification string

– <arguments>: list of the argument values to format

– It returns the number of characters that were printed to the destination buffer

• Example: int len = sprintf( buf, “count = %d \n”, count );
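As an added example (not from the slides), the get_info() contract described above can be exercised in user space: the callback below follows the slide’s signature and sprintf() pattern, and kernel_read_proc() is a stand-in for the kernel’s read loop (not kernel code) that shows why staying within count, honouring off and setting *eof matter.

```c
/* Added example, not from the slides: a user-space mock of the get_info() contract
 * described above, so the callback's rules (stay within `count`, honour `off`,
 * set *eof, return bytes written) can be exercised without loading a module.
 * kernel_read_proc() is a stand-in for the kernel's read loop, not kernel code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static int counter = 3;   /* module state that the /proc file exposes (constructed value) */

/* Payload callback with the slide's signature. Copies at most `count` bytes of the
 * report into buf, starting at report offset `off`, and returns how many it wrote. */
int get_info(char *buf, char **start, off_t off, int count, int *eof, void *data)
{
    char report[64];
    int n, len = sprintf(report, "count = %d\n", counter);  /* format into scratch space first */
    (void)data;
    if (off >= len) {           /* everything was already delivered */
        *eof = 1;
        return 0;
    }
    n = len - (int)off;
    if (n > count)              /* never write past the space the kernel offers */
        n = count;
    else
        *eof = 1;               /* this chunk completes the report */
    memcpy(buf, report + off, n);
    *start = buf;               /* the returned data begins at buf, not at buf + off */
    return n;
}

/* Stand-in for the kernel's read loop: calls get_info() with a `chunk`-byte buffer
 * until eof and concatenates the pieces into `out`. Returns the bytes collected. */
int kernel_read_proc(char *out, int outsize, int chunk)
{
    char page[256];
    char *start = NULL;
    off_t off = 0;
    int eof = 0, total = 0;
    while (!eof && total + chunk < outsize && chunk <= (int)sizeof page) {
        int n = get_info(page, &start, off, chunk, &eof, NULL);
        if (n <= 0)
            break;
        memcpy(out + total, start, n);
        total += n;
        off += n;
    }
    out[total] = '\0';
    return total;
}
```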

register/unregister

• Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:

create_proc_info_entry( modname, 0, NULL, get_info );

– modname: the name for your proc file

– 0: the file-access attributes (0 = default)

– NULL: the directory where the file will reside (NULL = default)

– get_info: function pointer to your module’s ‘callback’ routine

• Your cleanup should do an ‘unregister’:

remove_proc_entry( modname, NULL );

– modname: the file’s name

– NULL: its directory

Makefile for LKM

obj-m += fortune.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Utilities for LKM

• modinfo simple-lkm.ko

• dmesg | tail -10

– Check the output of the module

• http://tldp.org/HOWTO/Module-HOWTO/x146.html

Netfilter

• NF_IP_PRE_ROUTING [1]

• NF_IP_LOCAL_IN [2]

• NF_IP_FORWARD [3]

• NF_IP_POST_ROUTING [4]

• NF_IP_LOCAL_OUT [5]

• http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

When to hook?

What Netfilter does with the hook’s return value

• NF_ACCEPT: continue traversal as normal.

• NF_DROP: drop the packet; don't continue traversal.

• NF_STOLEN: I've taken over the packet; don't continue traversal.

• NF_QUEUE: queue the packet (usually for userspace handling).

• NF_REPEAT: call this hook again.

Structures

• struct sk_buff in skbuff.h

• struct nf_hook_ops in netfilter.h

• typedef unsigned int nf_hookfn( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *) );
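As an added example (not from the slides or the linked tutorial), here is the verdict logic of a UDP-filtering hook written against a raw IPv4 byte buffer so it runs in user space; a real hook reads the same fields through the sk_buff, and the blocked port, the header structs and the verdict macros (values of NF_DROP/NF_ACCEPT from linux/netfilter.h) are this example’s assumptions.

```c
/* Added example, not from the slides or the linked tutorial: the verdict logic of
 * a UDP-filtering hook, written against a raw IPv4 byte buffer so it runs in user
 * space. A real hook reads the same fields via ip_hdr(skb) and udp_hdr(skb); the
 * verdict values are those of NF_DROP/NF_ACCEPT in linux/netfilter.h. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NF_DROP   0
#define NF_ACCEPT 1

/* Minimal header layouts with the field order of ip.h / udp.h (all fields as
 * sent on the wire, i.e. in network byte order). */
struct iphdr_min  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
                    uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; };
struct udphdr_min { uint16_t source, dest, len, check; };

static uint16_t blocked_port = 53;   /* the rule: drop UDP to this port (assumed rule) */

/* Return the Netfilter verdict for one packet of `len` bytes. Anything that is not
 * a complete IPv4/UDP packet is left to the rest of the stack (NF_ACCEPT). */
unsigned int udp_hook(const uint8_t *pkt, size_t len)
{
    struct iphdr_min ip;
    struct udphdr_min udp;
    size_t ihl;

    if (len < sizeof ip)
        return NF_ACCEPT;
    memcpy(&ip, pkt, sizeof ip);            /* copy out: the buffer may be unaligned */
    if ((ip.ihl_version >> 4) != 4 || ip.protocol != IPPROTO_UDP)
        return NF_ACCEPT;
    ihl = (ip.ihl_version & 0x0f) * 4;      /* IP header length in bytes, options included */
    if (ihl < sizeof ip || len < ihl + sizeof udp)
        return NF_ACCEPT;                   /* truncated: do not read past the buffer */
    memcpy(&udp, pkt + ihl, sizeof udp);
    /* ports arrive in network byte order: ntohs() before comparing with a host value */
    return ntohs(udp.dest) == blocked_port ? NF_DROP : NF_ACCEPT;
}
```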

Example

• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

Misc

• Install kernel-source

– apt-get install kernel-source

• Extract kernel-source

– tar -jxvf filename.tar.bz2

• make oldconfig && make prepare && make modules_prepare

• apt-get install build-essential linux-headers-`uname -r`

Reference

• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

• http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/