Firewall Lab

Zutao Zhu, 02/05/2010

Outline
  • Preliminaries
  • getopt
  • LKM
  • /proc filesystem
  • Netfilter
Manual Page Package
  • apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
  • /usr/include/linux
  • /usr/src/linux-headers-2.6.xx-yy/include/linux
  • ip.h, icmp.h, tcp.h, skbuff.h, …
  • Find out the header files for a function by using man
Byte Order
  • Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
Byte Order
  • The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.
  • htonl – unsigned 32-bit integer (long) from host byte order to network byte order
  • htons – unsigned 16-bit integer (short) from host byte order to network byte order
  • ntohl – unsigned 32-bit integer (long) from network byte order to host byte order
  • ntohs – unsigned 16-bit integer (short) from network byte order to host byte order
  • Every multi-byte field in an IP or TCP header (lengths, ports, addresses) is stored in network byte order; convert with these functions before comparing against a host-order constant
Vim hints
  • Use ssh to log in to your Ubuntu machine (telnet carries the whole session, including your password, in clear text)
  • Before pasting, run the command :set nocindent
getopt
  • header file: unistd.h (getopt_long is declared in getopt.h)
  • int getopt (int argc, char **argv, const char *options)
  • c = getopt (argc, argv, "abc:")
    • An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
  • optarg - point at the value of the option argument
  • Get long options
    • struct option long_options[]
    • c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
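As an added example (not code from the original slides), the option handling the bullets above describe, applied to a small firewall-rule command line: short options via the "p:P:b" option string, the same options as long names via a struct option table, and validation of the values that arrive in optarg. The rule struct, the option names and parse_rule() are assumptions chosen for illustration.

```c
/* Added example (not from the original slides): parsing firewall-rule
 * options with getopt_long(). The struct, option names and function
 * names are assumptions chosen for illustration. */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct rule {
    char proto[8];          /* "tcp" or "udp" */
    unsigned short port;    /* destination port, host byte order */
    int block;              /* 1 = drop matching packets */
};

/* Parse argv into *r. Returns 0 on success, -1 on a bad or unknown option.
 * getopt keeps its state in globals, so the scanner is reset first;
 * optind = 0 makes glibc (and musl) reinitialise fully, POSIX only
 * specifies resetting to 1. */
int parse_rule(int argc, char **argv, struct rule *r)
{
    static const struct option long_options[] = {
        {"proto", required_argument, NULL, 'p'},
        {"port",  required_argument, NULL, 'P'},
        {"block", no_argument,       NULL, 'b'},
        {NULL, 0, NULL, 0}
    };
    int c, option_index = 0;

    memset(r, 0, sizeof *r);
    optind = 0;     /* restart scanning for a fresh argument vector */
    opterr = 0;     /* report errors ourselves instead of via stderr */

    /* "p:P:b": a colon after the letter means the option takes an argument */
    while ((c = getopt_long(argc, argv, "p:P:b", long_options, &option_index)) != -1) {
        switch (c) {
        case 'p':
            if (strcmp(optarg, "tcp") != 0 && strcmp(optarg, "udp") != 0)
                return -1;
            snprintf(r->proto, sizeof r->proto, "%s", optarg);
            break;
        case 'P': {
            char *end;
            long v = strtol(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || v < 1 || v > 65535)
                return -1;              /* reject "23abc", 0, 70000, ... */
            r->port = (unsigned short)v;
            break;
        }
        case 'b':
            r->block = 1;
            break;
        default:                        /* '?': unknown option or missing argument */
            return -1;
        }
    }
    if (r->proto[0] == '\0' || r->port == 0)
        return -1;                      /* both --proto and --port are required */
    return 0;
}

int main(int argc, char **argv)
{
    struct rule r;
    if (parse_rule(argc, argv, &r) != 0) {
        fprintf(stderr, "usage: %s --proto tcp|udp --port N [--block]\n", argv[0]);
        return 1;
    }
    printf("%s %s/%u\n", r.block ? "DROP" : "ACCEPT", r.proto, r.port);
    return 0;
}
```

Run as `./fw --proto tcp -P 23 --block`. Note that optarg is only a pointer into argv; the value is validated before it is stored, since an unchecked port string is exactly the kind of input a later htons() would silently truncate.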
/proc virtual filesystem
  • Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration
  • A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
  • We can read from or write to a virtual file.
/proc virtual filesystem
  • Use "cat" to read, use "echo" to write, or call read()/write() from a program
  • struct proc_dir_entry
    • proc_entry->read_proc = fortune_read;
    • proc_entry->write_proc = fortune_write;
  • create_proc_entry()
  • copy_from_user(): always bring user data into the kernel through this call, never by dereferencing the user pointer, and bound the copy by the size of your kernel buffer
  • remove_proc_entry()
  • Note: read_proc/write_proc and create_proc_entry() are the 2.6 interface used in this lab; they were removed in Linux 3.10, where proc_create() with a file-operations structure (typically seq_file) replaced them
Loadable Kernel Modules
  • LKMs (when loaded) are very much part of the kernel: they run with full kernel privileges, so a bug in a module is a bug in the kernel
  • How to insert: insmod
  • How to remove: rmmod
  • How to list loaded modules: lsmod
  • How to inspect a module file: modinfo
  • How to see the module's printk output: dmesg
How does an LKM work?
  • insmod makes an init_module system call to load the LKM into kernel memory, after which the kernel runs the module's init_module() function
  • In init_module(), you can create a device file or a proc virtual file, and set up the read or write function for the proc virtual file
  • rmmod makes a delete_module system call; the kernel then runs the module's cleanup_module() function to do the cleanup work
  • /usr/src/linux-2.6.31/kernel/module.c
How to write a LKM?
LKM example
  • Hello world in lab pdf
  • The following slides are modified based on
Our module's organization
  • The module's 'payload': the work it does, here the get_info() callback that produces the pseudo-file's contents
  • The module's two required administrative functions: the initialization function and the cleanup function

The 'get_info()' callback
  • When an application program (like 'mycat') tries to read our pseudo-file, the kernel calls our 'get_info()' function, passing it six arguments, and expects it to return an integer value:

int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );

  • buf: pointer to a kernel buffer (one page) that the function fills
  • start: pointer (optional) to the module's own buffer; set *start = buf when writing directly into buf
  • off: current file-pointer offset
  • count: size of the space available in the kernel's buffer; never write more than this
  • eof: set *eof = 1 when there is no more data to return
  • data: private pointer supplied at registration
  • The function returns the number of bytes it has written into its buffer

The 'sprintf()' function
  • The kernel provides a function your module can call to print formatted text into a buffer
  • It resembles the standard C library function:

int sprintf( char *dstn, const char *fmt, ... );

  • dstn: pointer to the destination buffer
  • fmt: formatting specification string
  • ...: list of the argument values to format
  • Returns the number of characters that were printed to the destination buffer

int len = sprintf( buf, "count = %d \n", count );

  • sprintf() does not know how big buf is; inside get_info() the kernel told you (count), so prefer snprintf(buf, count, ...) or the kernel's scnprintf(), which returns the number of bytes actually written
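To make the offset, count and *eof contract of the callback concrete, here is an added example (not from the original slides) that can be compiled and run in user space: fortune_read() has exactly the signature the slides give for get_info(), writes at most count bytes, and reports EOF; kernel_read_loop() is a simplified stand-in for the kernel's read loop (not a copy of fs/proc/generic.c) that calls the callback repeatedly with a small buffer the way `cat /proc/fortune` would trigger. The fortune text and all function names are constructed for the example.

```c
/* Added example (not from the original slides): a user-space model of the
 * 2.6 read_proc/get_info() contract. fortune_read() has the signature the
 * slide gives; kernel_read_loop() is a simplified stand-in for the kernel,
 * which calls the callback repeatedly until it reports EOF. The fortune
 * text is constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static const char fortune[] =
    "The only truly secure system is one that is powered off.\n";

/* The module's read callback. The kernel hands us `count` bytes of space
 * in `buf`; we return how many bytes we wrote and set *eof when the content
 * is exhausted. A bare sprintf() of the whole text could overrun `buf`,
 * so the copy is bounded by `count`. */
int fortune_read(char *buf, char **start, off_t off, int count,
                 int *eof, void *data)
{
    size_t total = strlen(fortune);
    size_t chunk;

    (void)data;                         /* no private data in this example */
    if ((size_t)off >= total) {         /* everything already delivered */
        *eof = 1;
        return 0;
    }
    chunk = total - (size_t)off;
    if (chunk > (size_t)count)
        chunk = (size_t)count;          /* never exceed the kernel's buffer */
    memcpy(buf, fortune + off, chunk);
    /* *start = buf: the return value is the number of bytes placed at buf
     * for this call, and the caller advances `off` by that amount. */
    *start = buf;
    if ((size_t)off + chunk == total)
        *eof = 1;
    return (int)chunk;
}

/* Stand-in for the kernel: keep calling the callback until it sets *eof,
 * accumulating the output as a reader of /proc/fortune would see it.
 * Returns the number of callback invocations (so a small `bufsize` can be
 * seen to force several round trips) or -1 if the callback misbehaved. */
int kernel_read_loop(char *out, size_t outsize, int bufsize)
{
    char page[64];
    char *start;
    off_t off = 0;
    int eof = 0, calls = 0;

    if (bufsize > (int)sizeof page)
        bufsize = (int)sizeof page;
    out[0] = '\0';
    while (!eof) {
        int n = fortune_read(page, &start, off, bufsize, &eof, NULL);
        if (n < 0 || n > bufsize)
            return -1;                  /* callback overran the buffer */
        if ((size_t)(off + n) >= outsize)
            return -1;                  /* caller's buffer too small */
        memcpy(out + off, start, (size_t)n);
        off += n;
        out[off] = '\0';
        calls++;
    }
    return calls;
}

int main(void)
{
    char out[256];
    int calls = kernel_read_loop(out, sizeof out, 16);
    printf("%d calls, content:\n%s", calls, out);
    return calls > 0 ? 0 : 1;
}
```

The point to take back to the real module: the kernel may ask for the content in several pieces, so the callback must honour off and count on every call rather than assuming one call with a buffer big enough for everything.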


Register / unregister
  • Your module-initialization function should 'register' the module's 'get_info()' function:

create_proc_info_entry( modname, 0, NULL, get_info );

    • modname: the name for your proc file
    • 0: the file-access attributes (0 = default)
    • NULL: directory where the file will reside (NULL = default, i.e. /proc itself)
    • get_info: function pointer to your module's 'callback' routine
  • Your cleanup should do an 'unregister', otherwise the entry stays behind after the module is gone and the next read dereferences freed code:

remove_proc_entry( modname, NULL );

    • modname: the file's name
    • NULL: the parent directory (default /proc)

Makefile for LKM
  • The module is built by the kernel's own build system; recipe lines in the Makefile must start with a tab:

obj-m += fortune.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Utilities for LKM
  • modinfo simple-lkm.ko
  • dmesg | tail -10
    • Check the output of the module
Netfilter hooks
  • NF_IP_LOCAL_IN [2]
  • This is one of the five IPv4 hook points (NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING); LOCAL_IN sees packets after routing has decided they are for this host, which is where a host firewall usually filters
  • In recent 2.6 kernels the kernel-side names are NF_INET_*; the NF_IP_* names are kept for user space
Netfilter verdicts
  • NF_ACCEPT: continue traversal as normal.
  • NF_DROP: drop the packet; don't continue traversal.
  • NF_STOLEN: I've taken over the packet; don't continue traversal.
  • NF_QUEUE: queue the packet (usually for userspace handling).
  • NF_REPEAT: call this hook again.
  • struct sk_buff in skbuff.h
  • struct nf_hook_ops in netfilter.h
  • The hook function type:

typedef unsigned int nf_hookfn(unsigned int hooknum,
                               struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
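As an added example (not code from the original slides), the decision logic of a hook that drops telnet, written so it compiles and runs in user space: a real nf_hookfn would run the same logic over the bytes of the sk_buff it receives and return the verdict, but here filter_verdict() takes a raw IPv4 packet, which lets the header parsing, the ntohs()/ntohl() conversions from the byte-order slides and the length checks be exercised with a packet constructed by build_tcp_packet(). The NF_DROP/NF_ACCEPT values are the ones defined in linux/netfilter.h; the policy (TCP to port 23 is allowed only from 10.0.0.0/8) and the function names are assumptions.

```c
/* Added example (not from the original slides): the verdict logic of a
 * Netfilter hook, tested in user space on a raw IPv4 packet. NF_DROP and
 * NF_ACCEPT carry the values from linux/netfilter.h; the policy and the
 * function names are assumptions for illustration. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NF_DROP    0
#define NF_ACCEPT  1

#define BLOCKED_PORT 23            /* telnet */
#define ADMIN_NET    0x0A000000u   /* 10.0.0.0/8 may still reach telnet */
#define ADMIN_MASK   0xFF000000u

/* Header fields sit in the packet in network byte order; copy them out
 * (no alignment assumptions) and convert to host order before comparing. */
static uint16_t get_be16(const uint8_t *p)
{
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

static uint32_t get_be32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* NF_DROP for TCP segments to BLOCKED_PORT from outside ADMIN_NET,
 * NF_ACCEPT otherwise. Malformed or truncated packets are dropped: a hook
 * must never read past the data it was actually given. */
unsigned int filter_verdict(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    uint16_t tot_len;

    if (len < 20)
        return NF_DROP;                        /* shorter than a minimal IPv4 header */
    if ((pkt[0] >> 4) != 4)
        return NF_ACCEPT;                      /* not IPv4: not our business */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return NF_DROP;                        /* bogus header length */
    tot_len = get_be16(pkt + 2);
    if (tot_len < ihl || tot_len > len)
        return NF_DROP;                        /* total length lies about the buffer */
    if (pkt[9] != IPPROTO_TCP)
        return NF_ACCEPT;                      /* policy only covers TCP */
    if (tot_len - ihl < 20)
        return NF_DROP;                        /* truncated TCP header */
    if (get_be16(pkt + ihl + 2) == BLOCKED_PORT &&          /* destination port */
        (get_be32(pkt + 12) & ADMIN_MASK) != ADMIN_NET)     /* source address */
        return NF_DROP;
    return NF_ACCEPT;
}

/* Build a minimal IPv4 + TCP SYN (no options, zero checksums) with htons()
 * and htonl() putting every field into network order. Returns the length.
 * Constructed test input, not a captured packet. */
size_t build_tcp_packet(uint8_t *out, uint32_t saddr, uint32_t daddr,
                        uint16_t sport, uint16_t dport)
{
    uint16_t be16;
    uint32_t be32;

    memset(out, 0, 40);
    out[0] = 0x45;                                   /* version 4, IHL 5 (20 bytes) */
    be16 = htons(40); memcpy(out + 2, &be16, 2);     /* total length */
    out[8] = 64;                                     /* TTL */
    out[9] = IPPROTO_TCP;
    be32 = htonl(saddr); memcpy(out + 12, &be32, 4); /* source address */
    be32 = htonl(daddr); memcpy(out + 16, &be32, 4); /* destination address */
    be16 = htons(sport); memcpy(out + 20, &be16, 2); /* TCP source port */
    be16 = htons(dport); memcpy(out + 22, &be16, 2); /* TCP destination port */
    out[32] = 5 << 4;                                /* data offset: 5 words */
    out[33] = 0x02;                                  /* SYN */
    return 40;
}
```

Inside the kernel the same checks apply to skb->len before touching the IP or TCP header: a hook that trusts the IHL or total-length field of an attacker-supplied packet is itself a remote kernel bug.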

Building against the kernel
  • Install the kernel source
    • apt-get install kernel-source (on Ubuntu the package is named linux-source)
  • Extract the kernel source
    • tar -jxvf filename.tar.bz2
  • make oldconfig && make prepare && make modules_prepare
  • For an out-of-tree module like this lab's, the headers package is enough: apt-get install build-essential linux-headers-`uname -r`