Firewall Lab
Zutao Zhu, 02/05/2010
Outline: Preliminaries, getopt, LKM, /proc filesystem, Netfilter
Posted 21-Dec-2015 (category: Documents)
Header Files
• /usr/include/linux
• /usr/src/linux-headers-2.6.xx-yy/include/linux
• ip.h, icmp.h, tcp.h, skbuff.h, …
• Use man to find out which header files a function needs
Byte Order
• http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
• Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
Byte Order
• The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.
Functions
• htonl – unsigned integer from host byte order to network byte order
• htons – unsigned short from host byte order to network byte order
• ntohl – unsigned integer from network byte order to host byte order
• ntohs – unsigned short from network byte order to host byte order
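An added example, not part of the slides: hand-written equivalents of htons/htonl checked against the libc versions, plus two ways of reading a 16-bit field out of wire bytes, one that silently depends on host byte order and one that does not. The sample bytes (the destination-port field for port 80 as it appears on the wire) are constructed here.

```c
#include <arpa/inet.h>   /* htons, htonl, ntohs, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: port 80 (0x0050) as the two bytes seen on the wire. */
const unsigned char SAMPLE_WIRE_PORT[2] = { 0x00, 0x50 };

/* Returns 1 if this host stores the least significant byte first. */
int host_is_little_endian(void)
{
    uint16_t probe = 0x0001;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* Hand-written htons/htonl: network order is big-endian, so these swap bytes
 * on a little-endian host and are the identity on a big-endian one. */
uint16_t my_htons(uint16_t v)
{
    if (!host_is_little_endian()) return v;
    return (uint16_t)((v << 8) | (v >> 8));
}

uint32_t my_htonl(uint32_t v)
{
    if (!host_is_little_endian()) return v;
    return ((v & 0x000000FFu) << 24) | ((v & 0x0000FF00u) << 8) |
           ((v & 0x00FF0000u) >> 8)  | ((v & 0xFF000000u) >> 24);
}

/* Reads a 16-bit wire field without depending on host order at all: the first
 * byte on the wire is always the most significant one. */
uint16_t wire_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The careless way: copy the bytes into a host integer and use it as-is.
 * Correct only on a big-endian host; needs ntohs() everywhere else. */
uint16_t wire_raw16(const unsigned char *p)
{
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("my_htons(80) = 0x%04x, htons(80) = 0x%04x\n", my_htons(80), htons(80));
    printf("port from wire: raw = %u, ntohs(raw) = %u, wire_be16 = %u\n",
           wire_raw16(SAMPLE_WIRE_PORT), ntohs(wire_raw16(SAMPLE_WIRE_PORT)),
           wire_be16(SAMPLE_WIRE_PORT));
    return 0;
}
```

On an x86 machine the raw read yields 20480 (0x5000) for what is really port 80; the same code on a big-endian machine yields 80, which is why comparisons against header fields must always go through ntohs()/ntohl().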
getopt
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• header file <unistd.h>
• int getopt (int argc, char **argv, const char *options)
• c = getopt (argc, argv, "abc:");
– An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
getopt
• optarg – points at the value of the option argument
• Get long options
– struct option long_options[]
– c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
/proc
• Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration
• A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
• We can read from or write to a virtual file.
/proc virtual filesystem
• Use “cat” to read and “echo” to write, or call read()/write() from a program
• struct proc_dir_entry
– proc_entry->read_proc = fortune_read;
– proc_entry->write_proc = fortune_write;
• create_proc_entry()
• copy_from_user()
• remove_proc_entry()
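An added example, not the lab's or the slides' code, tying the getopt slides to the /proc slides. A userspace control program parses its command line with getopt_long() and formats the rule line it would write() into the module's /proc entry; parse_rule_line() then shows what the module's write handler should do with the bytes it receives through copy_from_user(): copy only `count` bytes into a bounded buffer, terminate it, and reject oversize or malformed input instead of truncating it. The rule format (action, protocol, port), the option names and struct fw_rule are assumptions. One caveat for anyone reusing the slides today: create_proc_entry() and the read_proc/write_proc fields are the 2.6-era interface and were removed in Linux 3.10; later kernels use proc_create() with a struct file_operations.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed rule representation shared by the control program and the module. */
struct fw_rule {
    char     action;     /* 'a' = accept, 'd' = drop */
    char     proto[8];   /* "tcp", "udp" or "icmp" */
    unsigned port;       /* 0 = any port */
};

/* Userspace: parse the command line with getopt_long. Returns 0 on success,
 * 1 for --help and -1 on an unknown option, missing argument or bad value. */
int parse_args(int argc, char **argv, struct fw_rule *out)
{
    static const struct option long_options[] = {
        { "action",   required_argument, NULL, 'a' },
        { "protocol", required_argument, NULL, 'p' },
        { "port",     required_argument, NULL, 'P' },
        { "help",     no_argument,       NULL, 'h' },
        { NULL, 0, NULL, 0 }
    };
    int c, option_index = 0;

    memset(out, 0, sizeof *out);
    out->action = 'a';
    strcpy(out->proto, "tcp");
    optind = 0;   /* force getopt to re-initialise so parse_args() can be called repeatedly */
    opterr = 0;   /* errors are reported through the return value, not on stderr */

    /* In "a:p:P:h" a colon after a letter means that option takes an argument. */
    while ((c = getopt_long(argc, argv, "a:p:P:h", long_options, &option_index)) != -1) {
        switch (c) {
        case 'a':   /* optarg points at the option's argument */
            if (strcmp(optarg, "accept") != 0 && strcmp(optarg, "drop") != 0) return -1;
            out->action = optarg[0];
            break;
        case 'p':
            if (strlen(optarg) >= sizeof out->proto) return -1;
            strcpy(out->proto, optarg);
            break;
        case 'P': {
            char *end;
            unsigned long v = strtoul(optarg, &end, 10);
            if (*optarg == '\0' || *end != '\0' || v > 65535) return -1;
            out->port = (unsigned)v;
            break;
        }
        case 'h':
            return 1;
        default:    /* '?': unknown option or missing required argument */
            return -1;
        }
    }
    return 0;
}

/* Userspace: the line that would be written to /proc/<entry>, e.g. "drop tcp 23\n".
 * Returns the byte count, or -1 if buf is too small. */
int format_rule(const struct fw_rule *r, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s %s %u\n",
                     r->action == 'd' ? "drop" : "accept", r->proto, r->port);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Module side: what the write handler does with `count` bytes from copy_from_user().
 * The text is not NUL-terminated and `count` is chosen by the user, so it is
 * copied into a bounded local buffer, terminated, and rejected if too long. */
int parse_rule_line(const char *text, size_t count, struct fw_rule *out)
{
    char line[64], action[8], proto[8];
    unsigned port;

    if (count >= sizeof line) return -1;   /* too long: reject rather than truncate */
    memcpy(line, text, count);
    line[count] = '\0';

    if (sscanf(line, "%7s %7s %u", action, proto, &port) != 3 || port > 65535) return -1;
    if (strcmp(action, "accept") != 0 && strcmp(action, "drop") != 0) return -1;
    out->action = action[0];
    strcpy(out->proto, proto);
    out->port = port;
    return 0;
}

int main(int argc, char **argv)
{
    struct fw_rule r;
    char line[64];

    if (parse_args(argc, argv, &r) != 0) {
        fprintf(stderr, "usage: %s [--action accept|drop] [--protocol tcp|udp|icmp] [--port N]\n", argv[0]);
        return 1;
    }
    if (format_rule(&r, line, sizeof line) < 0) return 1;
    fputs(line, stdout);   /* a real control program would write() this to the /proc entry */
    return 0;
}
```

Build with `cc -o fw fw.c` and run, for example, `./fw --action drop --protocol udp --port 53`; piping the output into the /proc entry is what `echo "drop udp 53" > /proc/<entry>` does by hand.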
Loadable Kernel Modules
• LKMs (when loaded) are very much part of the kernel.
• How to insert: insmod
• How to remove: rmmod
• How to list: lsmod
• How to check: modinfo
• How to display output: dmesg
How does an LKM work?
• insmod makes an init_module system call to load the LKM into kernel memory.
• In init_module(), you can create a device file or a proc virtual file and set up the read or write functions for the proc virtual file.
• rmmod makes a cleanup_module system call to do the cleanup work.
• /usr/src/linux-2.6.31/kernel/module.c
How to write an LKM?
• http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
• Hello world in lab pdf
• http://tldp.org/HOWTO/Module-HOWTO/x839.html
• The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module’s organization
• module_init and module_exit: the module’s two required administrative functions
• get_info: the module’s ‘payload’ function
The ‘get_info()’ callback
• When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it the arguments below, and will expect it to return an integer value:
int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
– buf: pointer to a kernel buffer
– start: pointer (optional) to the module’s own buffer
– off: current file-pointer offset
– count: size of space available in the kernel’s buffer
– The function should return the number of bytes it has written into its buffer
The ‘sprintf()’ function
• The kernel provides a function your module can call to print formatted text into a buffer
• It resembles a standard C library function: int sprintf( char *dstn, const char *fmt, <arguments> );
– dstn: pointer to destination
– fmt: formatting specification string
– <arguments>: list of the argument-values to format
– It will return the number of characters that were printed to the destination buffer
• Example: int len = sprintf( buf, “count = %d \n”, count );
register/unregister
• Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:
create_proc_info_entry( modname, 0, NULL, get_info );
– modname: the name for your proc file
– 0: the file-access attributes (0=default)
– NULL: directory where file will reside (NULL=default)
– get_info: function-pointer to your module’s ‘callback’ routine
• Your cleanup should do an ‘unregister’: remove_proc_entry( modname, NULL );
– arguments: the file’s name, and its directory
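An added example, not the lab's fortune module: a callback with the get_info()/read_proc signature from the slides, driven from userspace by a function that imitates how the kernel calls it (a page-sized buffer, repeated calls with an advancing offset until *eof is set). The fortune strings, PROC_PAGE_SIZE and simulate_cat() are constructed for this example. It makes explicit two things the slides leave implicit: the callback bounds its output with snprintf() and `count` rather than sprintf(), because the kernel's buffer is one page and an over-long message would overrun it; and it sets *eof and returns 0 on the second call so that `cat` terminates instead of reading forever.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* off_t */

#define PROC_PAGE_SIZE 4096   /* constructed stand-in for the kernel's one-page buffer */

/* The module's data: a small table of fortune cookies (constructed sample). */
static const char *fortunes[] = {
    "A packet a day keeps the attacker away.",
    "Check the return value.",
    "Always ntohs() before you compare a port.",
};
#define NUM_FORTUNES (int)(sizeof fortunes / sizeof fortunes[0])
static int next_fortune;

void fortune_reset(void) { next_fortune = 0; }

/* read_proc-style callback with the signature from the slides. The kernel hands
 * it a buffer with `count` bytes free and expects the number of bytes written. */
int fortune_read(char *buf, char **start, off_t off, int count, int *eof, void *data)
{
    int len;
    (void)start; (void)data;

    if (off > 0) {            /* second call for the same open(): nothing more to say */
        *eof = 1;
        return 0;
    }
    /* Bounded write: never more than count-1 characters plus the terminator. */
    len = snprintf(buf, (size_t)count, "%s\n", fortunes[next_fortune]);
    if (len < 0) return 0;
    if (len >= count) len = count - 1;   /* truncated: report what was actually written */
    next_fortune = (next_fortune + 1) % NUM_FORTUNES;
    *eof = 1;
    return len;
}

/* Drives the callback the way the kernel's /proc read path does: one page of
 * buffer, call until eof or 0 bytes, advancing the offset each time. Copies
 * everything a `cat` of the entry would see into `out` and returns the total. */
int simulate_cat(char *out, size_t outlen)
{
    char *page = malloc(PROC_PAGE_SIZE);
    char *start = NULL;
    off_t off = 0;
    int eof = 0, total = 0, n;

    if (!page) return -1;
    out[0] = '\0';
    do {
        n = fortune_read(page, &start, off, PROC_PAGE_SIZE, &eof, NULL);
        if (n < 0 || (size_t)(total + n) >= outlen) { free(page); return -1; }
        memcpy(out + total, page, (size_t)n);
        total += n;
        off += n;
    } while (n > 0 && !eof);
    out[total] = '\0';
    free(page);
    return total;
}

int main(void)
{
    char buf[256];
    int i;
    /* Four reads: the fortunes wrap around after the third. */
    for (i = 0; i < 4; i++) {
        if (simulate_cat(buf, sizeof buf) < 0) return 1;
        fputs(buf, stdout);
    }
    return 0;
}
```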
Makefile for LKM
obj-m += fortune.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Utilities for LKM
• modinfo simple-lkm.ko
• dmesg | tail -10
– Check the output of the module
• http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
• NF_IP_PRE_ROUTING [1]
• NF_IP_LOCAL_IN [2]
• NF_IP_FORWARD [3]
• NF_IP_POST_ROUTING [4]
• NF_IP_LOCAL_OUT [5]
• http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
Netfilter does
• NF_ACCEPT: continue traversal as normal.
• NF_DROP: drop the packet; don't continue traversal.
• NF_STOLEN: I've taken over the packet; don't continue traversal.
• NF_QUEUE: queue the packet (usually for userspace handling).
• NF_REPEAT: call this hook again.
structure
• struct sk_buff in skbuff.h
• struct nf_hook_ops in netfilter.h
• typedef unsigned int nf_hookfn( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *) );
example
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
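An added example, not from the slides or the linked article: the decision logic a hook function applies before returning NF_ACCEPT or NF_DROP, written against constructed header structs so it builds and runs in userspace without kernel headers. The rule format, the struct names and the packet builder are assumptions; the verdict values are those of <linux/netfilter.h>. Inside the module's nf_hookfn the same function would be handed the packet bytes and length from the sk_buff (at NF_IP_LOCAL_IN roughly skb_network_header(skb) and skb->len; the exact accessors depend on the kernel version). What it adds to the slides: every field read is preceded by a length check so a short packet cannot make the hook read past the buffer, fields are converted with ntohs() before comparison, and a packet the filter cannot parse (truncated, a tot_len larger than the data, a non-first fragment under a port rule) is dropped rather than waved through.

```c
#include <arpa/inet.h>   /* htons, ntohs, htonl, IPPROTO_TCP, IPPROTO_UDP */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netfilter verdicts, with the values used by <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Minimal wire-format headers mirroring the fields of the kernel's struct iphdr
 * and the port fields shared by struct tcphdr/udphdr. Constructed here (no
 * bit-fields, so the layout does not depend on host endianness); 20 bytes. */
struct ip_hdr {
    uint8_t  ver_ihl;       /* version in the high nibble, header length in 32-bit words in the low */
    uint8_t  tos;
    uint16_t tot_len;       /* network byte order */
    uint16_t id;
    uint16_t frag_off;      /* network byte order; low 13 bits = fragment offset */
    uint8_t  ttl;
    uint8_t  protocol;      /* IPPROTO_TCP = 6, IPPROTO_UDP = 17 */
    uint16_t check;
    uint32_t saddr, daddr;  /* network byte order */
};
struct l4_ports { uint16_t source, dest; };   /* first 4 bytes of a TCP or UDP header */

/* Assumed rule: drop `proto` packets to destination port `dport` (0 = any port). */
struct fw_rule { uint8_t proto; uint16_t dport; };

unsigned int filter_verdict(const struct fw_rule *rule, const unsigned char *pkt, size_t len)
{
    struct ip_hdr ip;
    struct l4_ports l4;
    size_t ihl;

    /* Anything the filter cannot parse is dropped, not accepted. */
    if (len < sizeof ip) return NF_DROP;
    memcpy(&ip, pkt, sizeof ip);                   /* copy out: pkt may be unaligned */
    if ((ip.ver_ihl >> 4) != 4) return NF_DROP;
    ihl = (size_t)(ip.ver_ihl & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return NF_DROP;
    if (ntohs(ip.tot_len) > len) return NF_DROP;   /* header claims more bytes than exist */

    if (ip.protocol != rule->proto) return NF_ACCEPT;
    if (rule->dport == 0) return NF_DROP;          /* whole-protocol rule */

    /* A non-first fragment carries no transport header, so the port cannot be
     * checked; treat it as a match so a port rule cannot be bypassed by fragmenting. */
    if ((ntohs(ip.frag_off) & 0x1FFF) != 0) return NF_DROP;
    if (len < ihl + sizeof l4) return NF_DROP;      /* transport header truncated */
    memcpy(&l4, pkt + ihl, sizeof l4);
    return ntohs(l4.dest) == rule->dport ? NF_DROP : NF_ACCEPT;
}

/* Builds a constructed IPv4 packet with an 8-byte TCP/UDP-style header and a
 * zeroed payload for testing; returns its length. Only the fields the filter
 * reads are filled in. */
size_t make_packet(unsigned char *out, uint8_t proto, uint16_t dport, size_t payload_len)
{
    struct ip_hdr ip;
    struct l4_ports l4;
    size_t total = sizeof ip + 8 + payload_len;

    memset(&ip, 0, sizeof ip);
    ip.ver_ihl  = 0x45;                  /* IPv4, 5 words = 20-byte header */
    ip.ttl      = 64;
    ip.protocol = proto;
    ip.tot_len  = htons((uint16_t)total);
    ip.saddr    = htonl(0x0A000002);     /* 10.0.0.2, constructed */
    ip.daddr    = htonl(0x0A000001);     /* 10.0.0.1, constructed */
    l4.source   = htons(40000);
    l4.dest     = htons(dport);

    memset(out, 0, total);
    memcpy(out, &ip, sizeof ip);
    memcpy(out + sizeof ip, &l4, sizeof l4);
    return total;
}

int main(void)
{
    unsigned char pkt[128];
    struct fw_rule telnet = { IPPROTO_TCP, 23 };   /* drop TCP to port 23 */
    size_t n = make_packet(pkt, IPPROTO_TCP, 23, 4);
    printf("TCP/23 -> %s\n", filter_verdict(&telnet, pkt, n) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    n = make_packet(pkt, IPPROTO_TCP, 80, 4);
    printf("TCP/80 -> %s\n", filter_verdict(&telnet, pkt, n) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

The copy-out with memcpy() instead of casting the packet pointer to a struct is deliberate: inside a hook the data can be unaligned, and the same habit keeps the userspace test honest.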
Misc
• Install kernel-source
– apt-get install kernel-source
• Extract kernel-source
– tar -jxvf filename.tar.bz2
• make oldconfig && make prepare && make modules_prepare
• apt-get install build-essential linux-headers-`uname -r`
Reference
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• http://tldp.org/LDP/lkmpg/2.6/html/c708.html
• http://www.ibm.com/developerworks/linux/library/l-proc.html
• http://tldp.org/HOWTO/Module-HOWTO/
• http://www.netfilter.org/documentation/index.html
• http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2