Firewall Lab - PowerPoint PPT Presentation


Presentation Transcript

Firewall Lab

Zutao Zhu

02/05/2010

Outline
  • Preliminaries
  • getopt
  • LKM
  • /proc filesystem
  • Netfilter
Manual Page Package
  • apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
  • /usr/include/linux
  • /usr/src/linux-headers-2.6.xx-yy/include/linux
  • ip.h, icmp.h, tcp.h, skbuff.h, …
  • Find the header file a function needs by reading its man page
Byte Order
  • http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
  • Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
Byte Order
  • The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.
Functions
  • htonl – unsigned integer from host byte order to network byte order
  • htons – unsigned short from host byte order to network byte order
  • ntohl – unsigned integer from network byte order to host byte order
  • ntohs – unsigned short from network byte order to host byte order
Vim hints
  • Use telnet or ssh to log in to your Ubuntu machine
  • Before pasting, run the command :set nocindent
getopt
  • http://www.gnu.org/s/libc/manual/html_node/Getopt.html
  • header file
  • int getopt (int argc, char **argv, const char *options)
  • while ((c = getopt (argc, argv, "abc:")) != -1)
    • An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
getopt
  • optarg – points to the value of the option argument
  • Get long options
    • struct option long_options[]
    • c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
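As an added example (not code from the slides or from the GNU manual), the following program parses a small firewall-lab command line with getopt_long, in the style of the slide's getopt_long(argc, argv, "abc:d:f:", long_options, &option_index) call. The option names -p/--port, -f/--file and -v/--verbose, the struct lab_opts type and the functions parse_port and parse_lab_args are assumptions chosen for illustration; the port value is validated with strtol rather than trusted from optarg.

```c
/* Added example: option parsing with getopt_long (glibc). The options
 * -p/--port, -f/--file, -v/--verbose and all names below are assumptions
 * made for illustration; they are not from the lab. */
#include <unistd.h>   /* getopt, optarg, optind, opterr */
#include <getopt.h>   /* getopt_long, struct option */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

struct lab_opts {
    int  port;        /* 1..65535, 0 when -p was not given */
    int  verbose;     /* 1 when -v/--verbose was given */
    char file[256];   /* rule file name from -f/--file */
};

/* Parse a decimal port number; -1 on anything malformed or out of range. */
int parse_port(const char *s)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Fill *o from argv. Returns 0 on success, -1 on an unknown option, a
 * missing argument or a bad value. getopt keeps global state, so the scan
 * is re-initialised first to make repeated calls (e.g. from tests) safe. */
int parse_lab_args(int argc, char **argv, struct lab_opts *o)
{
    static const struct option long_options[] = {
        { "port",    required_argument, NULL, 'p' },
        { "file",    required_argument, NULL, 'f' },
        { "verbose", no_argument,       NULL, 'v' },
        { NULL, 0, NULL, 0 }
    };
    int c, option_index = 0;

    memset(o, 0, sizeof *o);
    optind = 0;   /* 0 makes glibc (and musl) fully re-initialise getopt */
    opterr = 0;   /* report errors ourselves instead of getopt's stderr message */

    /* "p:f:v": the colon after p and f means they take a required argument */
    while ((c = getopt_long(argc, argv, "p:f:v", long_options, &option_index)) != -1) {
        switch (c) {
        case 'p':
            o->port = parse_port(optarg);
            if (o->port < 0) { fprintf(stderr, "bad port: %s\n", optarg); return -1; }
            break;
        case 'f':
            if (strlen(optarg) >= sizeof o->file) { fprintf(stderr, "file name too long\n"); return -1; }
            strcpy(o->file, optarg);
            break;
        case 'v':
            o->verbose = 1;
            break;
        default:   /* '?': unknown option or missing argument */
            fprintf(stderr, "usage: %s [-p port] [-f file] [-v]\n", argv[0]);
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct lab_opts o;

    if (parse_lab_args(argc, argv, &o) != 0)
        return 1;
    printf("port=%d file=%s verbose=%d\n", o.port, o.file, o.verbose);
    return 0;
}
```

Run it as ./fw -p 8080 --verbose --file rules.txt; an out-of-range port or an unknown option makes parse_lab_args return -1, so the caller never sees a half-filled configuration.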
/proc
  • Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration
  • A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
  • We can read from or write to a virtual file.
/proc virtual filesystem
  • Use “cat” to read, use “echo” to write, or by calling read()/write()
  • struct proc_dir_entry
    • proc_entry->read_proc = fortune_read;
    • proc_entry->write_proc = fortune_write;
  • create_proc_entry()
  • copy_from_user()
  • remove_proc_entry()
Loadable Kernel Modules
  • LKMs (when loaded) are very much part of the kernel.
  • How to insert: insmod
  • How to remove: rmmod
  • How to list: lsmod
  • How to check: modinfo
  • How to display output: dmesg
How does an LKM work?
  • insmod makes an init_module system call to load the LKM into kernel memory.
  • In init_module(), you can create a device file or a proc virtual file and set up the read and write functions for the proc virtual file.
  • rmmod makes a cleanup_module system call to do the cleanup work.
  • /usr/src/linux-2.6.31/kernel/module.c
How to write a LKM?
  • http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
  • Hello world in lab pdf
  • http://tldp.org/HOWTO/Module-HOWTO/x839.html
  • The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module’s organization
  • get_info – the module’s ‘payload’ function
  • module_init and module_exit – the module’s two required administrative functions
The ‘get_info()’ callback
  • When an application-program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it four function arguments -- and will expect it to return an integer value:

int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );

  • buf – pointer to a kernel buffer
  • start – pointer (optional) to the module’s own buffer
  • off – current file-pointer offset
  • count – size of the space available in the kernel’s buffer
  • return value – the function should return the number of bytes it has written into its buffer

The ‘sprintf()’ function
  • The kernel provides a function your module can call to print formatted text into a buffer
  • It resembles a standard C library function:

int sprintf( char *dstn, const char *fmt, ... );

  • dstn – pointer to the destination buffer
  • fmt – formatting specification string
  • ... – list of the argument values to format
  • return value – the number of characters that were printed to the destination buffer
  • Example:

int len = sprintf( buf, “count = %d \n”, count );

register/unregister
  • Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:

create_proc_info_entry( modname, 0, NULL, get_info );

    • modname – the name for your proc file
    • 0 – the file-access attributes (0=default)
    • NULL – directory where the file will reside (NULL=default)
    • get_info – function-pointer to your module’s ‘callback’ routine

  • Your cleanup should do an ‘unregister’:

remove_proc_entry( modname, NULL );

    • modname – the file’s name
    • NULL – directory

Makefile for LKM
  • The recipe lines below must be indented with a tab:

obj-m += fortune.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Utilities for LKM
  • modinfo simple-lkm.ko
  • dmesg | tail -10
    • Check the output of the module
  • http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
  • NF_IP_PRE_ROUTING [1]
  • NF_IP_LOCAL_IN [2]
  • NF_IP_FORWARD [3]
  • NF_IP_POST_ROUTING [4]
  • NF_IP_LOCAL_OUT [5]
  • http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
Netfilter does
  • NF_ACCEPT: continue traversal as normal.
  • NF_DROP: drop the packet; don't continue traversal.
  • NF_STOLEN: I've taken over the packet; don't continue traversal.
  • NF_QUEUE: queue the packet (usually for userspace handling).
  • NF_REPEAT: call this hook again.
Structure
  • struct sk_buff in skbuff.h
  • struct nf_hook_ops in netfilter.h
  • typedef unsigned int nf_hookfn(unsigned int hooknum,
                                  struct sk_buff *skb,
                                  const struct net_device *in,
                                  const struct net_device *out,
                                  int (*okfn)(struct sk_buff *));
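The following is an added example, not code from the slides or from the paulkiddie.com module: it isolates the verdict logic a port-blocking hook would run on each packet (the NF_ACCEPT/NF_DROP decision of the "Netfilter does" slide) and runs it in user space over a constructed IPv4/TCP packet, so it compiles and runs without loading a module. It also shows the byte-order point from the earlier slides: the TCP destination port sits in the header in network byte order and must go through ntohs() before it is compared with a host-order number. The struct names ipv4_hdr and tcp_hdr_min, the functions port_filter_verdict and build_test_packet, and the sample addresses are assumptions made for this example; inside a real module the same checks would sit in the nf_hookfn and read the headers out of the sk_buff.

```c
/* Added example: user-space model of a port-blocking netfilter verdict.
 * Struct and function names are assumptions for illustration; the verdict
 * values match linux/netfilter.h numerically. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */
#include <arpa/inet.h>    /* htons, ntohs, htonl */

#define NF_DROP   0
#define NF_ACCEPT 1

/* Minimal field-for-field copies of the kernel's struct iphdr / struct tcphdr
 * (linux/ip.h, linux/tcp.h). Multi-byte fields hold network byte order, as on
 * the wire. Each struct is 20 bytes with no padding. */
struct ipv4_hdr {
    uint8_t  ver_ihl;     /* version (high nibble), header length in 32-bit words (low nibble) */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};
struct tcp_hdr_min {
    uint16_t source;
    uint16_t dest;
    uint32_t seq;
    uint32_t ack_seq;
    uint16_t doff_flags;  /* data offset (high 4 bits), reserved bits, flags */
    uint16_t window;
    uint16_t check;
    uint16_t urg_ptr;
};

/* Verdict for one packet: NF_DROP for TCP segments whose destination port equals
 * blocked_port (host byte order) and for anything malformed (fail closed);
 * NF_ACCEPT for everything else, including non-TCP traffic. */
unsigned int port_filter_verdict(const uint8_t *pkt, size_t len, uint16_t blocked_port)
{
    struct ipv4_hdr ip;
    struct tcp_hdr_min tcp;
    size_t ihl;

    if (len < sizeof ip) return NF_DROP;                 /* shorter than an IPv4 header */
    memcpy(&ip, pkt, sizeof ip);                         /* copy out: no alignment assumptions */
    if ((ip.ver_ihl >> 4) != 4) return NF_DROP;          /* not IPv4 */
    ihl = (size_t)(ip.ver_ihl & 0x0f) * 4;
    if (ihl < sizeof ip || len < ihl) return NF_DROP;    /* header length field is bogus */
    if (ip.protocol != IPPROTO_TCP) return NF_ACCEPT;    /* only TCP is filtered here */
    if (len < ihl + sizeof tcp) return NF_DROP;          /* truncated TCP header */
    memcpy(&tcp, pkt + ihl, sizeof tcp);

    /* tcp.dest is still in network byte order: convert with ntohs() before the
     * comparison. Comparing the raw field would match the byte-swapped value
     * instead (port 23 = 0x0017 on the wire would only match 5888). */
    if (ntohs(tcp.dest) == blocked_port) return NF_DROP;
    return NF_ACCEPT;
}

/* Constructs a minimal 40-byte IPv4 packet (no options, no payload) carrying a
 * SYN-style TCP header; buf must hold at least 40 bytes. Returns the length.
 * Addresses are constructed sample values. */
size_t build_test_packet(uint8_t *buf, uint8_t protocol, uint16_t sport, uint16_t dport)
{
    struct ipv4_hdr ip;
    struct tcp_hdr_min tcp;

    memset(&ip, 0, sizeof ip);
    memset(&tcp, 0, sizeof tcp);
    ip.ver_ihl     = 0x45;                                     /* IPv4, 5 words = 20 bytes */
    ip.tot_len     = htons((uint16_t)(sizeof ip + sizeof tcp));
    ip.ttl         = 64;
    ip.protocol    = protocol;
    ip.saddr       = htonl(0xC0A80001);                        /* 192.168.0.1 */
    ip.daddr       = htonl(0xC0A80002);                        /* 192.168.0.2 */
    tcp.source     = htons(sport);                             /* host order -> network order */
    tcp.dest       = htons(dport);
    tcp.doff_flags = htons(0x5002);                            /* data offset 5, SYN flag */
    memcpy(buf, &ip, sizeof ip);
    memcpy(buf + sizeof ip, &tcp, sizeof tcp);
    return sizeof ip + sizeof tcp;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_test_packet(pkt, IPPROTO_TCP, 40000, 23);

    printf("SYN to port 23, port 23 blocked: %s\n",
           port_filter_verdict(pkt, n, 23) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    printf("SYN to port 23, port 80 blocked: %s\n",
           port_filter_verdict(pkt, n, 80) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

Two design points carry over to a real hook: the headers are copied out with memcpy and every length is checked before a field is read, because the hook runs on whatever arrives on the wire, and malformed input is dropped rather than accepted by default.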

Example
  • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
Misc
  • Install kernel-source
    • apt-get install kernel-source
  • Extract kernel-source
    • tar -jxvf filename.tar.bz2
  • make oldconfig && make prepare && make modules_prepare
  • apt-get install build-essential linux-headers-`uname -r`
Reference
  • http://www.gnu.org/s/libc/manual/html_node/Getopt.html
  • http://tldp.org/LDP/lkmpg/2.6/html/c708.html
  • http://www.ibm.com/developerworks/linux/library/l-proc.html
  • http://tldp.org/HOWTO/Module-HOWTO/
  • http://www.netfilter.org/documentation/index.html
  • http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2
Reference
  • http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
  • http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/