Firewall lab

Firewall Lab

Zutao Zhu

02/05/2010


Outline

  • Preliminaries

  • getopt

  • LKM

  • /proc filesystem

  • Netfilter


Manual Page Package

  • apt-get install manpages-dev manpages-posix manpages-posix-dev


Header Files

  • /usr/include/linux

  • /usr/src/linux-headers-2.6.xx-yy/include/linux

  • ip.h, icmp.h, tcp.h, skbuff.h, …

  • Find out the header files for a function by using man


Byte Order

  • http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html

  • Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).


Byte Order

  • The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.


Functions

  • htonl – unsigned integer from host byte order to network byte order

  • htons – unsigned short from host byte order to network byte order

  • ntohl – unsigned integer from network byte order to host byte order

  • ntohs – unsigned short from network byte order to host byte order


Vim hints

  • Use telnet or ssh to log in to your Ubuntu machine

  • Before pasting, run the command :set nocindent


getopt

  • http://www.gnu.org/s/libc/manual/html_node/Getopt.html

  • header file <unistd.h>

  • int getopt (int argc, char **argv, const char *options)

  • c = getopt (argc, argv, "abc:")

    • An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.


getopt

  • optarg – points at the value of the option argument

  • Get long options

    • struct option long_options[]

    • c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
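An added example (not from the slides) that ties the getopt and byte-order slides together: a small rule parser using getopt_long, with the address and port stored in network byte order so they can be compared directly against packet header fields. The option names, the fw_rule struct and the "a.b.c.d/len" syntax are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <getopt.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed rule layout: all values kept in network byte order, like iphdr/udphdr. */
struct fw_rule { uint32_t src_ip, src_mask; uint16_t dport; int action; };

/* Parse "a.b.c.d/len" into address and mask, both in network byte order. */
static int parse_cidr(const char *s, uint32_t *ip, uint32_t *mask)
{
    char buf[32], *slash;
    unsigned long len = 32;
    struct in_addr a;
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        len = strtoul(slash + 1, NULL, 10);
        if (len > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    *ip = a.s_addr;                                       /* already network order */
    *mask = htonl(len ? 0xffffffffu << (32 - len) : 0);   /* host -> network */
    return 0;
}

/* Parse argv such as {"fw", "--src", "10.0.0.0/8", "-d", "53", "--accept"}.
 * Returns 0 on success, -1 on a bad option or address. action: 1 = accept, 0 = drop. */
int parse_rule(int argc, char **argv, struct fw_rule *r)
{
    static const struct option long_options[] = {
        { "src",    required_argument, NULL, 's' },
        { "dport",  required_argument, NULL, 'd' },
        { "accept", no_argument,       NULL, 'a' },
        { NULL, 0, NULL, 0 }
    };
    int c, idx;
    memset(r, 0, sizeof *r);
    optind = 1;  /* getopt keeps global state; reset so the function can be called again */
    while ((c = getopt_long(argc, argv, "s:d:a", long_options, &idx)) != -1) {
        switch (c) {
        case 's': if (parse_cidr(optarg, &r->src_ip, &r->src_mask)) return -1; break;
        case 'd': r->dport = htons((uint16_t)strtoul(optarg, NULL, 10)); break;
        case 'a': r->action = 1; break;
        default:  return -1;  /* getopt has already reported the unknown option */
        }
    }
    return 0;
}
```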


/proc

  • Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration

  • A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.

  • We can read from or write to a virtual file.


/proc virtual filesystem

  • Use “cat” to read and “echo” to write, or call read()/write() from a program

  • struct proc_dir_entry

    • proc_entry->read_proc = fortune_read;

    • proc_entry->write_proc = fortune_write;

  • create_proc_entry()

  • copy_from_user ()

  • remove_proc_entry()


Loadable Kernel Modules

  • LKMs (when loaded) are very much part of the kernel.

  • How to insert: insmod

  • How to remove: rmmod

  • How to list: lsmod

  • How to check: modinfo

  • How to display output: dmesg


How LKM works?

  • insmod makes an init_module system call to load the LKM into kernel memory.

  • In init_module(), you can create a device file or a proc virtual file and set up the read or write function for the proc virtual file.

  • rmmod makes a cleanup_module system call to do the cleanup work.

  • /usr/src/linux-2.6.31/kernel/module.c


How to write a LKM?

  • http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html


LKM example

  • Hello world in lab pdf

  • http://tldp.org/HOWTO/Module-HOWTO/x839.html

  • The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt


Our module’s organization

  • get_info – the module’s ‘payload’ function

  • module_init / module_exit – the module’s two required administrative functions


The ‘get_info()’ callback

  • When an application-program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it the function arguments shown below, and will expect it to return an integer value:

    int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );

    • buf – pointer to a kernel buffer

    • start – pointer (optional) to the module’s own buffer

    • off – current file-pointer offset

    • count – size of space available in the kernel’s buffer

    • return value – the function should return the number of bytes it has written into its buffer


The ‘sprintf()’ function

  • The kernel provides a function your module can call to print formatted text into a buffer

  • It resembles a standard C library-function:

    int sprintf( char *dstn, const char *fmt, <arguments> );

    • dstn – pointer to destination

    • fmt – formatting specification string

    • <arguments> – list of the argument-values to format

    • will return the number of characters that were printed to the destination-buffer

  • Example:

    int len = sprintf( buf, “count = %d \n”, count );


register/unregister

  • Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:

    create_proc_info_entry( modname, 0, NULL, get_info );

    • modname – the name for your proc file

    • 0 – the file-access attributes (0=default)

    • NULL – directory where file will reside (NULL=default)

    • get_info – function-pointer to your module’s ‘callback’ routine

  • Your cleanup should do an ‘unregister’:

    remove_proc_entry( modname, NULL );

    • modname – the file’s name

    • NULL – directory
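An added example, not from the slides or the lesson they were adapted from: a user-space simulation of the ‘get_info()’ read callback and of the repeated calls the kernel makes to it, so the offset/eof handling can be exercised without loading a module. The kernel side (simulate_cat) is a stand-in written from the argument descriptions above; the fortune text and counter are constructed sample data, and snprintf replaces the unbounded sprintf from the slide.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static int read_count;               /* how many times the pseudo-file was read */
static const char fortune[] = "Netfilter hooks run in softirq context";

/* Same signature as on the slide. buf: kernel buffer of 'count' bytes;
 * off: offset of this read; eof: set to 1 once everything has been returned.
 * Returns the number of bytes written into buf. */
int get_info(char *buf, char **start, off_t off, int count, int *eof, void *data)
{
    int len;
    (void)start; (void)data;
    /* Second and later reads: report EOF and write nothing. Without this,
     * `cat` on the proc file would keep re-reading forever (a classic LKM-lab bug). */
    if (off > 0) {
        *eof = 1;
        return 0;
    }
    read_count++;
    /* snprintf is bounded by 'count'; the slide's sprintf is not and can overrun buf. */
    len = snprintf(buf, count, "count = %d\nfortune: %s\n", read_count, fortune);
    if (len >= count)   /* output was truncated; report only what fits */
        len = count - 1;
    *eof = 1;           /* single-chunk file: flag EOF on the first read too */
    return len;
}

/* Stand-in for what cat does: read until the callback reports EOF or 0 bytes.
 * Returns total bytes delivered, or -1 if the callback misbehaves. */
int simulate_cat(char *out, int outsize)
{
    char page[4096];
    off_t off = 0;
    int eof = 0, n, rounds = 0;
    out[0] = '\0';
    do {
        n = get_info(page, NULL, off, sizeof page, &eof, NULL);
        if (n < 0 || n >= (int)sizeof page || off + n >= outsize) return -1;
        memcpy(out + off, page, n);
        off += n;
        out[off] = '\0';
        if (++rounds > 16) return -1;   /* guard against a callback that never sets eof */
    } while (n > 0 && !eof);
    return (int)off;
}
```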


Makefile for LKM

  • The recipe lines must begin with a tab:

    obj-m += fortune.o

    all:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

    clean:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean


Utilities for LKM

  • modinfo simple-lkm.ko

  • dmesg | tail -10

    • Check the output of the module

  • http://tldp.org/HOWTO/Module-HOWTO/x146.html


Netfilter

  • NF_IP_PRE_ROUTING [1]

  • NF_IP_LOCAL_IN [2]

  • NF_IP_FORWARD [3]

  • NF_IP_POST_ROUTING [4]

  • NF_IP_LOCAL_OUT [5]

  • http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html


When to hook?


Netfilter does

  • NF_ACCEPT: continue traversal as normal.

  • NF_DROP: drop the packet; don't continue traversal.

  • NF_STOLEN: I've taken over the packet; don't continue traversal.

  • NF_QUEUE: queue the packet (usually for userspace handling).

  • NF_REPEAT: call this hook again.


structure

  • struct sk_buff in skbuff.h

  • struct nf_hook_ops in netfilter.h

  • The hook function type:

    typedef unsigned int nf_hookfn(
        unsigned int hooknum,
        struct sk_buff *skb,
        const struct net_device *in,
        const struct net_device *out,
        int (*okfn)(struct sk_buff *));
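An added example (not from the slides or the linked UDP-filter post): the packet-inspection core a UDP-filtering hook would run, written so that it compiles and runs in user space. In a module, nf_hookfn() would call decide() on the packet data held by the sk_buff and return its verdict; the NF_* values and header layouts match the kernel's, the blocked_port parameter is an assumption, and the packet bytes are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define NF_DROP   0   /* same values as the kernel's netfilter verdicts */
#define NF_ACCEPT 1

/* Minimal views of the wire headers (all multi-byte fields are network byte order). */
struct ip_hdr  { uint8_t vhl, tos; uint16_t tot_len, id, frag_off;
                 uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; };
struct udp_hdr { uint16_t source, dest, len, check; };

/* Verdict for one packet: drop UDP whose destination port equals blocked_port
 * (a host-order value), accept everything else. */
unsigned int decide(const uint8_t *pkt, size_t len, uint16_t blocked_port)
{
    struct ip_hdr ip;
    struct udp_hdr udp;
    size_t ihl;
    if (len < sizeof ip) return NF_ACCEPT;                /* not even an IPv4 header */
    memcpy(&ip, pkt, sizeof ip);                          /* copy: avoids unaligned access */
    ihl = (ip.vhl & 0x0f) * 4;
    if ((ip.vhl >> 4) != 4 || ihl < 20 || len < ihl) return NF_ACCEPT;
    if (ip.protocol != 17) return NF_ACCEPT;              /* 17 = IPPROTO_UDP */
    /* Non-first fragments carry no UDP header; leave them to the kernel's
     * defragmentation, which normally runs before filter hooks. */
    if (ntohs(ip.frag_off) & 0x1fff) return NF_ACCEPT;
    if (len < ihl + sizeof udp) return NF_DROP;           /* truncated UDP header */
    memcpy(&udp, pkt + ihl, sizeof udp);
    /* Ports are big-endian on the wire: ntohs() before comparing with a host value. */
    return ntohs(udp.dest) == blocked_port ? NF_DROP : NF_ACCEPT;
}

/* Constructed sample: IPv4, 20-byte header, UDP 10.0.0.1:1234 -> 10.0.0.2:53 */
const uint8_t sample_dns[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};
```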


example

  • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/


Misc

  • Install kernel-source

    • apt-get install kernel-source

  • Extract kernel-source

    • tar -jxvf filename.tar.bz2

  • make oldconfig && make prepare && make modules_prepare

  • apt-get install build-essential linux-headers-`uname -r`


Reference

  • http://www.gnu.org/s/libc/manual/html_node/Getopt.html

  • http://tldp.org/LDP/lkmpg/2.6/html/c708.html

  • http://www.ibm.com/developerworks/linux/library/l-proc.html

  • http://tldp.org/HOWTO/Module-HOWTO/

  • http://www.netfilter.org/documentation/index.html

  • http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2


  • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/

  • http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/
