Firewall Lab
Zutao Zhu
02/05/2010
Outline
• Preliminaries
• getopt
• LKM
• /proc filesystem
• Netfilter
Manual Page Packages
• apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
• /usr/include/linux
• /usr/src/linux-headers-2.6.xxyy/include/linux
• ip.h, icmp.h, tcp.h, skbuff.h, …
• Find out the header files for a function by using man
Byte Order
• http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
• Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
• The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order (it is big-endian).
Functions
• htonl – 32-bit unsigned integer from host byte order to network byte order
• htons – 16-bit unsigned short from host byte order to network byte order
• ntohl – 32-bit unsigned integer from network byte order to host byte order
• ntohs – 16-bit unsigned short from network byte order to host byte order
• Fields such as the ports in struct tcphdr and the addresses in struct iphdr sit in memory in network byte order. Convert with ntohs()/ntohl() before comparing with a host-order constant, or compare against htons(port); comparing the raw field with 23 silently matches the wrong port on a little-endian machine. The kernel provides the same four functions for module code.
Vim hints
• Use ssh to log in to your Ubuntu machine (telnet also works but sends your password in cleartext, so use it only on an isolated lab network)
• Before pasting, run the command :set nocindent (or :set paste) so Vim does not re-indent the pasted code
getopt
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• header file <unistd.h>
• int getopt (int argc, char **argv, const char *options)
• c = getopt (argc, argv, "abc:")
– An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
– getopt returns the option character for each option found, ‘?’ for an unknown option or a missing required argument, and -1 when the options are exhausted.
• optarg points at the value of the option argument
• Long options (header file <getopt.h>):
– struct option long_options[]
– c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
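As an added example (not from the lab handout), here is a userspace tool that parses its options with getopt_long() as sketched above and turns them into the one-line rule that a module could later read from its /proc file. The option names, the struct rule fields, the rule-line format and the name fwctl are assumptions made for illustration; the lab's own tool may use different ones.

```c
/* Added example (not from the lab handout): a userspace rule tool that
 * parses its options with getopt_long() and builds the one-line rule a
 * module could read from its /proc file.  Option names, struct rule fields
 * and the rule-line format are assumptions for illustration only. */
#include <arpa/inet.h>   /* inet_pton(): validates dotted-quad addresses */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rule {
    int block;                    /* 1 = BLOCK, 0 = UNBLOCK (assumed actions) */
    char proto[8];                /* "tcp", "udp", "icmp" or "any" */
    char srcip[INET_ADDRSTRLEN];  /* "0.0.0.0" = any */
    char dstip[INET_ADDRSTRLEN];
    unsigned short srcport;       /* 0 = any */
    unsigned short dstport;
    char err[128];                /* why parsing failed; empty on success */
};

/* Returns 0 on success, -1 on a bad option or value (r->err says why). */
int parse_rule(int argc, char **argv, struct rule *r)
{
    static const struct option long_options[] = {
        {"block",   no_argument,       0, 'b'},
        {"unblock", no_argument,       0, 'u'},
        {"proto",   required_argument, 0, 'p'},
        {"srcip",   required_argument, 0, 's'},
        {"dstip",   required_argument, 0, 'd'},
        {"srcport", required_argument, 0, 'S'},
        {"dstport", required_argument, 0, 'D'},
        {0, 0, 0, 0}
    };
    struct in_addr a; char *end; long v;
    int c, option_index = 0;

    memset(r, 0, sizeof *r);
    strcpy(r->proto, "any");
    strcpy(r->srcip, "0.0.0.0");
    strcpy(r->dstip, "0.0.0.0");
    optind = 1;   /* getopt keeps its position in a global: restart the scan */
    opterr = 0;   /* report errors through r->err instead of on stderr */

    /* A ':' after a letter in "bup:s:d:S:D:" means that option takes a value. */
    while ((c = getopt_long(argc, argv, "bup:s:d:S:D:",
                            long_options, &option_index)) != -1) {
        switch (c) {
        case 'b': r->block = 1; break;
        case 'u': r->block = 0; break;
        case 'p':
            if (strcmp(optarg, "tcp") && strcmp(optarg, "udp") &&
                strcmp(optarg, "icmp") && strcmp(optarg, "any")) {
                snprintf(r->err, sizeof r->err, "unknown protocol '%s'", optarg);
                return -1;
            }
            snprintf(r->proto, sizeof r->proto, "%s", optarg);
            break;
        case 's': case 'd':
            if (inet_pton(AF_INET, optarg, &a) != 1) {
                snprintf(r->err, sizeof r->err, "bad IPv4 address '%s'", optarg);
                return -1;
            }
            snprintf(c == 's' ? r->srcip : r->dstip, INET_ADDRSTRLEN, "%s", optarg);
            break;
        case 'S': case 'D':   /* accept only a decimal number in 0..65535 */
            v = strtol(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || v < 0 || v > 65535) {
                snprintf(r->err, sizeof r->err, "bad port '%s'", optarg);
                return -1;
            }
            *(c == 'S' ? &r->srcport : &r->dstport) = (unsigned short)v;
            break;
        default:   /* '?': unknown option, or a required value is missing */
            snprintf(r->err, sizeof r->err, "bad or incomplete option '%s'",
                     optind > 0 ? argv[optind - 1] : "");
            return -1;
        }
    }
    return 0;
}

/* Render the rule as the single text line assumed to be written into the
 * module's /proc file, e.g. with  echo "BLOCK tcp ..." > /proc/<name>. */
int format_rule(const struct rule *r, char *buf, size_t len)
{
    return snprintf(buf, len, "%s %s %s:%u %s:%u",
                    r->block ? "BLOCK" : "UNBLOCK", r->proto, r->srcip,
                    (unsigned)r->srcport, r->dstip, (unsigned)r->dstport);
}

int main(int argc, char **argv)
{
    struct rule r; char line[128];
    if (parse_rule(argc, argv, &r) < 0) { fprintf(stderr, "error: %s\n", r.err); return 1; }
    format_rule(&r, line, sizeof line);
    puts(line);   /* e.g. BLOCK tcp 10.0.0.5:0 0.0.0.0:23 */
    return 0;
}
```

Running `./fwctl --block -p tcp --dstport 23 --srcip 10.0.0.5` prints `BLOCK tcp 10.0.0.5:0 0.0.0.0:23`. Two points matter for a tool whose output ends up inside the kernel: every value is validated before it is accepted (inet_pton() for addresses, a full strtol() range check for ports, a fixed list for protocols), and getopt's global state (optind, opterr) is reset so the parser can be called more than once in one process.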
/proc
• Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration.
• A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
• We can read from or write to a virtual file.
/proc virtual filesystem
• Use “cat” to read, use “echo” to write, or call read()/write() from a program
• struct proc_dir_entry
– proc_entry->read_proc = fortune_read;
– proc_entry->write_proc = fortune_write;
• create_proc_entry() creates the entry in the init function; remove_proc_entry() deletes it in the cleanup function
• copy_from_user() copies the data written by the user into the module’s buffer; the write handler must clamp the length to the size of that buffer first, because the count comes from the user and a longer write would overrun it.
Loadable Kernel Modules
• LKMs (when loaded) are very much part of
the kernel.
• How to insert: insmod
• How to remove: rmmod
• How to list: lsmod
• How to check: modinfo
• How to display output: dmesg
How does an LKM work?
• insmod makes an init_module system call to load the LKM into kernel memory; the kernel then runs the module’s init function.
• In that init function you can create a device file or a proc virtual file and set up the read or write functions for the proc file.
• rmmod makes a delete_module system call; the kernel then runs the module’s cleanup (exit) function, which must undo everything the init function set up.
• /usr/src/linux-2.6.31/kernel/module.c
How to write an LKM?
• http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
• Hello world in the lab pdf
• http://tldp.org/HOWTO/Module-HOWTO/x839.html
• The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module’s organization
• The module’s ‘payload’ function: get_info
• The module’s two required administrative functions: module_init and module_exit
The ‘get_info()’ callback
• When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel calls our callback, passes it the arguments below, and expects it to return an integer:
int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
– buf: pointer to a kernel buffer (one page) that the function fills
– start: pointer (optional) to the module’s own buffer
– off: current file-pointer offset
– count: size of the space available in the kernel’s buffer
– eof: set *eof = 1 when there is no more data to return
– data: private pointer supplied when the entry was registered
• The function should return the number of bytes it has written into the buffer, and must never write more than count bytes.
• This six-argument form is the read_proc callback set through proc_entry->read_proc; the older get_info callback registered with create_proc_info_entry() takes only the first four arguments.
The ‘sprintf()’ function
• The kernel provides a function your module can call to print formatted text into a buffer
• It resembles the standard C library function:
int sprintf( char *dstn, const char *fmt, <arguments> );
– dstn: pointer to the destination buffer
– fmt: formatting specification string
– <arguments>: the argument values to format
– returns the number of characters written to the destination buffer
• Example:
int len = sprintf( buf, “count = %d \n”, count );
• sprintf() does not know how large the buffer is. When the output could exceed the space available (count in the read callback), use the kernel’s snprintf() with that limit so the page buffer cannot be overrun.
register/unregister
• Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:
create_proc_info_entry( modname, 0, NULL, get_info );
– modname: the name for your proc file
– 0: the file-access attributes (0 = default)
– NULL: directory where the file will reside (NULL = default, i.e. /proc itself)
– get_info: function pointer to your module’s ‘callback’ routine
• Your cleanup should do an ‘unregister’:
remove_proc_entry( modname, NULL );
– modname: the file’s name
– NULL: its directory
Makefile for LKM
obj-m += fortune.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
• The two recipe lines must be indented with a tab character, and uname needs the -r flag so the build directory of the running kernel is used.
Utilities for LKM
• modinfo simple-lkm.ko
• dmesg | tail -10
– Check the output of the module
• http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
• The five IPv4 hook points; the bracketed numbers are the positions in the packet-traversal diagram of the netfilter-hacking HOWTO, not the enum values:
• NF_IP_PRE_ROUTING [1]
• NF_IP_LOCAL_IN [2]
• NF_IP_FORWARD [3]
• NF_IP_POST_ROUTING [4]
• NF_IP_LOCAL_OUT [5]
• http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
When to hook?
• A hook function returns one of these verdicts, which tell Netfilter what to do with the packet:
• NF_ACCEPT: continue traversal as normal.
• NF_DROP: drop the packet; don't continue traversal.
• NF_STOLEN: I've taken over the packet; don't continue traversal.
• NF_QUEUE: queue the packet (usually for userspace handling).
• NF_REPEAT: call this hook again.
Structures
• struct sk_buff in skbuff.h
• struct nf_hook_ops in netfilter.h
• Hook function prototype (2.6 kernels):
typedef unsigned int nf_hookfn( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *) );
Example
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
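The following is an added example; it is neither the lab's code nor the module from the linked page. It shows the decision logic a hook such as NF_IP_LOCAL_IN would run, written as a plain userspace function over a constructed packet so it compiles and runs without kernel headers. In a real module the same body would sit inside the nf_hookfn callback, taking its IP header from ip_hdr(skb) and the TCP header from the bytes that follow it; here the packet is built by hand. The struct rule, its fields, the packet builder and the policy (drop TCP to one port, optionally from one source) are assumptions for illustration. It also ties the Byte Order slides to the Netfilter ones: the port in the header is compared only after ntohs().

```c
/* Added example (not from the lab handout or from Paul Kiddie's module):
 * the decision logic of a hook such as NF_IP_LOCAL_IN, written here as a
 * plain userspace function over a constructed packet so it compiles and
 * runs without kernel headers.  In a real module this body would live in
 * the nf_hookfn callback and take its header pointer from the skb; the
 * rule, its fields and the packet builder are assumptions for illustration.
 * NF_DROP/NF_ACCEPT carry the values defined in <linux/netfilter.h>. */
#define _DEFAULT_SOURCE 1     /* exposes Linux-style struct iphdr/tcphdr */
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP   0
#define NF_ACCEPT 1

/* Assumed policy: drop packets of `proto` to `dstport`, optionally only
 * from source address `saddr` (0 = any source). */
struct rule {
    uint8_t  proto;      /* IPPROTO_TCP, IPPROTO_UDP, ... */
    uint16_t dstport;    /* host byte order, as a human would write it */
    uint32_t saddr;      /* network byte order, as it sits in iphdr->saddr */
};

/* Return the Netfilter verdict for a raw IPv4 packet of `len` bytes. */
unsigned int classify(const unsigned char *pkt, size_t len, const struct rule *r)
{
    struct iphdr iph;
    struct tcphdr tcph;
    size_t ihl;

    /* Validate lengths before trusting any header field: a hook sees
     * whatever arrived on the wire, including truncated packets. */
    if (len < sizeof iph)
        return NF_DROP;
    memcpy(&iph, pkt, sizeof iph);          /* copy: avoids alignment issues */
    ihl = (size_t)iph.ihl * 4;
    if (iph.version != 4 || ihl < sizeof iph || ihl > len)
        return NF_DROP;

    if (iph.protocol != r->proto)
        return NF_ACCEPT;                   /* rule does not apply */
    if (r->saddr != 0 && iph.saddr != r->saddr)
        return NF_ACCEPT;                   /* both sides in network order */

    if (r->proto == IPPROTO_TCP) {
        if (len < ihl + sizeof tcph)
            return NF_DROP;                 /* claims TCP but has no header */
        memcpy(&tcph, pkt + ihl, sizeof tcph);
        /* tcph.dest is network byte order: port 23 on the wire reads as
         * 0x1700 (5888) on a little-endian host, so compare after ntohs(). */
        if (ntohs(tcph.dest) == r->dstport)
            return NF_DROP;
    }
    return NF_ACCEPT;
}

/* Build a minimal IPv4+TCP SYN (no options, no payload, checksums left
 * zero) into buf and return its length.  Constructed test input only. */
size_t build_tcp_packet(unsigned char *buf, const char *src, const char *dst,
                        uint16_t sport, uint16_t dport)
{
    struct iphdr ip;
    struct tcphdr tcp;

    memset(&ip, 0, sizeof ip);
    memset(&tcp, 0, sizeof tcp);
    ip.version  = 4;
    ip.ihl      = 5;                        /* 20-byte header, no options */
    ip.ttl      = 64;
    ip.protocol = IPPROTO_TCP;
    ip.tot_len  = htons((uint16_t)(sizeof ip + sizeof tcp));  /* 16-bit: htons */
    inet_pton(AF_INET, src, &ip.saddr);     /* inet_pton already yields network order */
    inet_pton(AF_INET, dst, &ip.daddr);
    tcp.source = htons(sport);              /* ports are 16-bit: htons, not htonl */
    tcp.dest   = htons(dport);
    tcp.doff   = 5;
    tcp.syn    = 1;

    memcpy(buf, &ip, sizeof ip);
    memcpy(buf + sizeof ip, &tcp, sizeof tcp);
    return sizeof ip + sizeof tcp;
}

int main(void)
{
    unsigned char buf[64];
    struct rule telnet = { IPPROTO_TCP, 23, 0 };   /* drop all TCP to port 23 */
    size_t n = build_tcp_packet(buf, "10.0.0.5", "10.0.0.1", 40000, 23);
    printf("telnet SYN -> %s\n", classify(buf, n, &telnet) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    n = build_tcp_packet(buf, "10.0.0.5", "10.0.0.1", 40000, 80);
    printf("http SYN   -> %s\n", classify(buf, n, &telnet) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

In the kernel the length checks become checks against skb->len (and, for non-linear skbs, the linear headroom), but the order of operations is the same: bound the header before reading it, match the protocol before touching the transport header, and convert byte order before comparing with a host-order rule. Everything else in the module (the nf_hook_ops registration with hooknum and priority, and nf_register_hook()/nf_unregister_hook() in init and cleanup) is shown on the linked page.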
Misc
• Install the kernel source
– apt-get install kernel-source
• Extract the kernel source
– tar -jxvf filename.tar.bz2
• make oldconfig && make prepare && make modules_prepare
• apt-get install build-essential linux-headers-`uname -r`
Reference
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• http://tldp.org/LDP/lkmpg/2.6/html/c708.html
• http://www.ibm.com/developerworks/linux/library/l-proc.html
• http://tldp.org/HOWTO/Module-HOWTO/
• http://www.netfilter.org/documentation/index.html
• http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
• http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/