Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jimit Mahadevia (jimit@elitecore.com) Nishit Shah (nishit@elitecore.com) This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported.

Published byErika Griffith Modified over 6 years ago

Similar presentations

Presentation on theme: "Jimit Mahadevia (jimit@elitecore.com) Nishit Shah (nishit@elitecore.com) This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported."— Presentation transcript:

1 Jimit Mahadevia (jimit@elitecore.com)
Nishit Shah This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License 1

2 Introduction Objective of this presentation is to give brief idea about how to write a Netfilter Hook function So, Get Ready…… 2

3 Topics covered Netfilter API to register & unregister hooking functions. Introduction of fields involved in registration. Step by step process of how to register a hook function. 3

4 Netfilter API To register a hooking function with Netfilter one has to use following function, nf_register_hook() (net/netfilter/core.c) To unregister a hooking function with Netfilter one has to use following function, nf_unregister_hook() 4

5 Fields Involved To register a hook function one has to call nf_register_hook with structure nf_hook_ops struct nf_hook_ops { nf_hookfn *hook; int pf; int hooknum; int priority; }; 5

6 Fields Involved hook – this is a pointer to callback function of kernel module. Netfilter will call callback function for registered kernel module through this pointer. pf – pf is a protocol family for which module is interested in. Some examples of protocol families are PF_INET, NF_ARP etc. 6

7 Fields Involved hooknum -
One of the 5 Netfilter Hook (i.e. PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING) at where kernel module wants to register priority Calling priority of this kernel module within hooknum specified. kernel modules are called in ascending priority. Thus kernel modules with lower priorities are called first. 7

8 How to register a hook function
Lets say we want to register a hook function in FORWARD between mangle module and filter module. So, going step by step…… Step 1 Of course you need a C file for it. Lets say we have C file called myfunc.c and simple editor like vi……. 8

9 How to register a hook function
Step 2 First include some of the standard header files in it myfunc.c #include <linux/module.h> #include <linux/kernel.h> #include <linux/ip.h> #include <linux/netfilter.h> #include <linux/netfilter_ipv4.h> 9

10 How to register a hook function
Step 3 Take a static global variable of struct nf_hook_ops myfunc.c /* This is the structure we shall use to register our function */ static struct nf_hook_ops my_fwd; 10

11 How to register a hook function
Step 4 Write a callback function, myfunc.c /* This is the hook function itself */ unsigned int my_hook(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *)) { printk(KERN_INFO “Hello I got the Packet\n”); return NF_ACCEPT; } 11

12 How to register a hook function
Step 5 Write __init and __exit functions for kernel module. When you load a kernel module, function passed in module_init macro is called. When you unload a kernel module, function passed in module_exit macro is called. 12

13 How to register a hook function
Step 5 Continued… myfunc.c static int __init init(void) { } static void __exit fini(void) module_init(init); module_exit(fini); 13

14 How to register a hook function
Step 6 Fill up my_fwd structure in init() function myfunc.c static int __init init(void) { my_fwd.hook = my_hook; my_fwd.hooknum = NF_IP_FORWARD; my_fwd.pf = PF_INET; my_fwd.priority = NF_IP_PRI_MANGLE + 10; } Here NF_IP_PRI_MANGLE is a predefined as (include/linux/netfilter_ipv4.h 14

15 How to register a hook function
Step 7 Register it. myfunc.c static int __init init(void) { my_fwd.hook = my_hook; my_fwd.hooknum = NF_IP_FORWARD; my_fwd.pf = PF_INET; my_fwd.priority = NF_IP_PRI_MANGLE + 10; nf_register_hook(&my_fwd); return 0; } 15

16 How to register a hook function
Step 8 Time to say Hurray……………… You have registered a hook function with Netfilter. Really ???? Actually you have completed the steps. When you load this module in kernel, init will be called and thus actual registration will take place. 16

17 How to register a hook function
Step 9 So what’s left ?? Unregistration of hooking function myfunc.c static void __exit fini(void) { nf_unregister_hook(&my_fwd); } 17

18 Notes Here you have registered your own kernel module as a hooking function with Netfilter at FORWARD hook between mangle module & filter module mangle module’s registration priority is NF_IP_PRI_MANGLE = -150 18

19 Notes filter module’s registration priority is NF_IP_PRI_FILTER = 0;
Thus if you register my_fwd with NF_IP_PRI_MANGLE + 10, it will placed between mangle & filter modules in FORWARD. Thus in FORWARD hook, Netfilter calls function in following order, mangle (ipt_route_hook) my_fwd (my_hook) filter (ipt_hook) 19

20 Notes Standard Priority Values NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_CONNTRACK_DEFRAG = -400, NF_IP_PRI_RAW = -300, NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100, NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50, NF_IP_PRI_FILTER = 0, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2, NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1, NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, NF_IP_PRI_LAST = INT_MAX, 20

21 Questions ???? 21

22 Thank You 22

Download ppt "Jimit Mahadevia (jimit@elitecore.com) Nishit Shah (nishit@elitecore.com) This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported."

Similar presentations

Introduction to C++ An object-oriented language Unit - 01.

Introduction to C++ An object-oriented language Unit - 01.
DEVICE DRIVER VINOD KAMATH CS691X PROJECT WORK. Introduction How to write/install device drivers Systems, Kernel Programming Character, Block and Network.

DEVICE DRIVER VINOD KAMATH CS691X PROJECT WORK. Introduction How to write/install device drivers Systems, Kernel Programming Character, Block and Network.
Linux device-driver issues

Linux device-driver issues
Lecture for Lab 3, Exp1 of EE505 (Developing Device Driver) T.A. Chulmin Kim CoreLab. Mar, 11, 2011 [XenSchedulerPaper_Hotcloud-commits] r21 - /

Lecture for Lab 3, Exp1 of EE505 (Developing Device Driver) T.A. Chulmin Kim CoreLab. Mar, 11, 2011 [XenSchedulerPaper_Hotcloud-commits] r21 - /
Computer System Laboratory

Computer System Laboratory
COMS W6998 Spring 2010 Erich Nahum

COMS W6998 Spring 2010 Erich Nahum
USERSPACE I/O Reporter: R98922086 張凱富.

USERSPACE I/O Reporter: R 張凱富.
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
Win32 Programming Lesson 4: Classes and Structures.

Win32 Programming Lesson 4: Classes and Structures.
Building and Running Modules Sarah Diesburg COP 5641.

Building and Running Modules Sarah Diesburg COP 5641.
Building and Running Modules Linux Kernel Programming CIS 4930/COP 5641.

Building and Running Modules Linux Kernel Programming CIS 4930/COP 5641.
Chapter 7 Process Environment Chien-Chung Shen CIS, UD

Chapter 7 Process Environment Chien-Chung Shen CIS, UD
Lecture 1.2: Linux and networking Roei Ben-Harush 2015.

Lecture 1.2: Linux and networking Roei Ben-Harush 2015.
Linux Netfilter Code Trace Part1: Iptable 周世中嚴長青.

Linux Netfilter Code Trace Part1: Iptable 周世中嚴長青.
ITINERANT: TCP Socket Migration Titus Winters Dan Berger CS 202: Spring ‘03.

ITINERANT: TCP Socket Migration Titus Winters Dan Berger CS 202: Spring ‘03.
63 UQC152H3 Advanced OS Writing a Device Driver. 64 The SCULL Device Driver Simple Character Utility for Loading Localities 6 devices types –Scull-03.

63 UQC152H3 Advanced OS Writing a Device Driver. 64 The SCULL Device Driver Simple Character Utility for Loading Localities 6 devices types –Scull-03.
Packet Mangling for Fun & Profit A Brief Intro to Netfilter, User Mode Linux, and the Linux TCP/IP Stack.

Packet Mangling for Fun & Profit A Brief Intro to Netfilter, User Mode Linux, and the Linux TCP/IP Stack.
Firewall Lab Zutao Zhu 02/05/2010. Outline Preliminaries getopt LKM /proc filesystem Netfilter.

Firewall Lab Zutao Zhu 02/05/2010. Outline Preliminaries getopt LKM /proc filesystem Netfilter.
Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 9: Pass-by-Value.

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 9: Pass-by-Value.
Overview scope - determines when an identifier can be referenced in a program storage class - determines the period of time during which that identifier.

Overview scope - determines when an identifier can be referenced in a program storage class - determines the period of time during which that identifier.

Similar presentations

Ads by Google