U of I CS 498 - Inside Netfilter

Outline: Inside Netfilter; Internet Protocol Implementation in Linux; Data Structures in Netfilter; Data Structure - Table; How Data Structures are Organized; Data Structure - Entry; The ipt_entry Struct; Data Structure - Match; Data Structure - Target; How to Implement a Network Hook; Hooks; nf_hook_ops; Netfilter Hook Implementation Steps 1, 2 and 3; From IP Stack to Hooks; ipt_do_table; A Generic Hook; How to Implement a Netfilter Match; Implementing a Netfilter Match; Data Structure in iptables.h; In libipt_xxx.c; The Netfilter Kernel Module; The psd Match Module; The psd Match Module (cont.); Port Knocking; Port Scanning; Example; Implementation; Example of Implementation; Mapping with Encryption; Benefits; Disadvantages.

CS 498 Lecture 13: Inside Netfilter
Jennifer Hou, Department of Computer Science, University of Illinois at Urbana-Champaign

Reading:
- Oskar Andreasson, Iptables Tutorial, http://iptables-tutorial.frozentux.net/
- Rusty Russell and Harald Welte, Netfilter Hacking Howto, http://www.netfilter.org/documentation/index.html

Internet Protocol Implementation in Linux

[Figure: the Linux IP stack (2.4 era) with the five Netfilter hook points. Receive path: dev.c net_rx_action -> ip_rcv (ip_input.c) -> IP_PRE_ROUTING -> ip_rcv_finish -> routing lookup (ip_route_input, Forwarding Information Base) -> either ip_local_deliver -> IP_LOCAL_INPUT -> ip_local_deliver_finish -> higher layers (ip_mr_input for multicast), or ip_forward (ip_forward.c) -> IP_FORWARD -> ip_forward_finish -> ip_output (ip_output.c) -> IP_POST_ROUTING -> ip_finish_output -> ip_finish_output2 -> dev_queue_xmit (dev.c), with ARP / neigh_resolve_output and ip_fragment on the way out. Locally generated packets: ip_queue_xmit -> IP_LOCAL_OUTPUT -> ip_queue_xmit2 -> ip_output.]

Data Structures in Netfilter
- Defined in include/linux/netfilter_ipv4/ip_tables.h

Data Structure - Table
- struct ipt_table (ip_tables.h)
- Is a linked list to store all tables
- Defines a table, e.g., 'nat', 'filter', 'mangle'
- Contains a struct ipt_table_info that stores the firewall rules in entries
- A table is registered using ipt_register_table (in init_module()) and unregistered by ipt_unregister_table (in cleanup_module())

How Data Structures are Organized

[Figure: each ipt_table has a private pointer to an ipt_table_info; its entries field holds the chain of ipt_entry records, each with a next link and a target.]

Data Structure - Entry
- struct ipt_entry contains:
  - A struct ipt_ip that contains the specification for the IP header that it is to match
  - An nfcache bitfield that gives what parts of the packet the rule examines
  - A target_offset field that indicates the offset where the ipt_entry_target structure begins
  - A next_offset field that indicates the total size of this rule
  - A comefrom field that keeps track of packet traversal
  - A struct ipt_counter field that contains the packet/byte counters for packets that matched this rule
- struct ipt_entry stores a variable number of ipt_entry_match after ipt_entry, and an ipt_entry_target after the matches

The ipt_entry Struct

[Figure: memory layout of a rule. ipt_entry (target_offset, next_offset, elems) is followed by one or more ipt_entry_match records (match, data), then one ipt_entry_target record (target, data); next_offset points at the following ipt_entry.]

Data Structure - Match
- struct ipt_entry_match
  - u.kernel.match: a pointer to a struct ipt_match
  - data: the user-defined matchinfo
- struct ipt_match
  - list is set to {NULL, NULL}
  - name: the name of the match function, as referred to by userspace
  - match is a pointer to the match function; returns true if the packet matches. If hotdrop is set to 1 and the return value is zero, the packet should be dropped immediately.
  - checkentry is a pointer to a function that checks the specifications for a rule. If the function returns 0, the rule will not be accepted from the user.
- A user-defined match is registered by ipt_register_match and unregistered by ipt_unregister_match

Data Structure - Target
- struct ipt_entry_target
  - u.kernel.target: a pointer to struct ipt_target
  - data: user-defined targetinfo
- struct ipt_target
  - list is set to {NULL, NULL}
  - name: the name of the target function, as referred to by userspace
  - target is a pointer to the target function; takes the skb buffer, the hook number, the input and output device pointers, a pointer to the target area, and the position of the rule in the table. Returns IPT_CONTINUE to continue traversing, or a verdict (NF_DROP, NF_ACCEPT, NF_STOLEN, etc.)

Data Structure - Target (cont'd)
- struct ipt_target (cont'd)
  - checkentry is a pointer to a function that checks the specifications for a rule; if the function returns 0, then the rule will not be accepted from the user.
- A user-defined target is registered by ipt_register_target and unregistered by ipt_unregister_target

How to Implement a Network Hook

Hooks
- NF_HOOK(int pf, unsigned int hook, struct sk_buff *skb, struct net_device *indev, struct net_device *outdev, int (*okfn)(struct sk_buff *))
- Defined as a macro:

    #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
        (list_empty(&nf_hooks[(pf)][(hook)]) ? (okfn)(skb) : \
         nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))

- Invoked in, for example, ip_local_deliver() in net/ipv4/ip_input.c:

    return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL, ip_local_deliver_finish);

nf_hook_ops

    struct nf_hook_ops {
        struct list_head list;
        /* User fills in from here down. */
        nf_hookfn *hook;
        struct module *owner;
        int pf;
        int hooknum;
        /* Hooks are ordered in ascending priority. */
        int priority;
    };

- Hooks are registered by calling nf_register_hook in the module_init functions

Netfilter Hook Implementation Step 1
- To implement a network filter, fill out the nf_hook_ops structure (the owner slot, missing from the original initializer, is filled with NULL so the fields line up with the struct above):

    static struct nf_hook_ops simple_ops = {
        { NULL, NULL },          /* list */
        simple_hook,             /* hook */
        NULL,                    /* owner */
        PF_INET,                 /* pf */
        NF_IP_LOCAL_OUT,         /* hooknum */
        NF_IP_PRI_FILTER - 1     /* priority: run just before the filter table */
    };

Netfilter Hook Implementation Step 2
- Write the hook function:

    static unsigned int simple_hook(unsigned int hook,
                                    struct sk_buff **pskb,
                                    const struct net_device *indev,
                                    const struct net_device *outdev,
                                    int (*okfn)(struct sk_buff *))
    {
        /* Get a handle to the packet data */
        unsigned
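The following userspace model is an added example, not the lecture's slides or kernel code. It mimics the ipt_entry layout from the data-structure slides (header, then a variable number of matches found via target_offset, then one target, with next_offset giving the rule size) and the traversal that ipt_do_table performs, where a target returns IPT_CONTINUE or a verdict. The struct shapes, the sample table and the chain policy parameter are constructed for illustration.

```c
/* Added userspace model (not the lecture's or the kernel's code) of the ip_tables
 * rule layout: each ipt_entry is followed by a variable number of matches and
 * then one target, located via target_offset and next_offset. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NF_DROP      0u
#define NF_ACCEPT    1u
#define IPT_CONTINUE 0xFFFFFFFFu   /* target verdict: keep traversing the table */

struct pkt    { uint32_t saddr; uint16_t dport; };
struct entry  { uint32_t saddr, smask;              /* the ipt_ip part: source spec    */
                uint16_t target_offset;             /* where the target record begins  */
                uint16_t next_offset; };            /* total size of this rule         */
struct match  { uint16_t size; uint16_t dport; };   /* ipt_entry_match + matchinfo     */
struct target { uint16_t size; uint32_t verdict; }; /* ipt_entry_target + targetinfo   */

/* Traverse the table as ipt_do_table does: every match of a rule must succeed,
 * then its target gives a verdict; IPT_CONTINUE moves on to the next rule.
 * memcpy is used instead of pointer casts so the byte buffer needs no alignment. */
static uint32_t do_table(const uint8_t *tbl, size_t len, const struct pkt *p, uint32_t policy) {
    struct entry e; struct match m; struct target t;
    for (size_t off = 0; off < len; off += e.next_offset) {
        memcpy(&e, tbl + off, sizeof e);
        if (!e.next_offset) break;                  /* malformed rule: refuse to spin */
        int hit = (p->saddr & e.smask) == (e.saddr & e.smask);
        for (size_t mo = sizeof e; hit && mo < e.target_offset; mo += m.size) {
            memcpy(&m, tbl + off + mo, sizeof m);
            if (m.dport && m.dport != p->dport) hit = 0;
        }
        memcpy(&t, tbl + off + e.target_offset, sizeof t);
        if (hit && t.verdict != IPT_CONTINUE) return t.verdict;
    }
    return policy;                                  /* chain policy when no rule decides */
}

static size_t put(uint8_t *b, size_t off, const void *s, size_t n) { memcpy(b + off, s, n); return off + n; }

/* Constructed sample table: rule 1 drops 10.0.0.0/8 to port 22, rule 2 accepts 192.168.1.0/24. */
static size_t build_table(uint8_t *buf) {
    struct match  m1 = { sizeof m1, 22 };
    struct target t1 = { sizeof t1, NF_DROP }, t2 = { sizeof t2, NF_ACCEPT };
    struct entry  e1 = { 0x0A000000u, 0xFF000000u, sizeof e1 + sizeof m1, sizeof e1 + sizeof m1 + sizeof t1 };
    struct entry  e2 = { 0xC0A80100u, 0xFFFFFF00u, sizeof e2, sizeof e2 + sizeof t2 };
    size_t off = put(buf, 0, &e1, sizeof e1);
    off = put(buf, off, &m1, sizeof m1);  off = put(buf, off, &t1, sizeof t1);
    off = put(buf, off, &e2, sizeof e2);  return put(buf, off, &t2, sizeof t2);
}

/* Verdict for one packet against the sample table under the given chain policy. */
static uint32_t verdict_for(uint32_t saddr, uint16_t dport, uint32_t policy) {
    uint8_t tbl[64];
    size_t len = build_table(tbl);
    struct pkt p = { saddr, dport };
    return do_table(tbl, len, &p, policy);
}
```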

