1
Linux Netfilter Code Trace Part 1: Iptable
周世中, 嚴長青
2
Outline: Hook, IP Table, Ipt_match, Ipt_target
3
Outline: Hook, IP Table, Ipt_match, Ipt_target
4
Hooks
Default hooks:
–PRE_ROUTING
–POST_ROUTING
–FORWARD
–LOCAL_IN
–LOCAL_OUT
5
Hooks (diagram of the five hook points on the IPv4 path): PREROUTE, LOCAL_IN, LOCAL_OUT, FORWARD, POSTROUTE
6
Hooks
NF_HOOK(pf, hook, skb, indev, outdev, okfn)
–pf: protocol family (PF_INET)
–hook: the hook number (location of the hook)
–skb: sk_buff (packet information)
–indev: the device the packet came from
–outdev: the device the packet goes to
–okfn: the function called if the packet is accepted
7
Hook – PRE_ROUTING
NF_IP_PRE_ROUTING
ip_input.c:441 (ip_rcv)
–NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, ip_rcv_finish)
8
Hook – POST_ROUTING
NF_IP_POST_ROUTING
ip_output.c:190 (ip_finish_output)
–NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev, ip_finish_output2)
ip_output.c:232 (ip_mc_output)
–NF_HOOK(PF_INET, NF_IP_POST_ROUTING, newskb, NULL, newskb->dev, ip_dev_loopback_xmit)
9
Hook – POST_ROUTING
ip_output.c:248 (ip_mc_output)
–NF_HOOK(PF_INET, NF_IP_POST_ROUTING, newskb, NULL, newskb->dev, ip_dev_loopback_xmit);
10
Hook – FORWARD
NF_IP_FORWARD
ip_forward.c:145 (ip_forward)
–NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, dev2, ip_forward_finish)
11
Hook – LOCAL_IN
NF_IP_LOCAL_IN
ip_input.c:305 (ip_local_deliver)
–NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL, ip_local_deliver_finish)
12
Hook – LOCAL_OUT
NF_IP_LOCAL_OUT
igmp.c:252 (igmp_send_report)
–NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, output_maybe_reroute)
ip_output.c:155 (ip_build_and_send_pkt)
–NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, output_maybe_reroute)
13
Hook – Write a new hook
Define a new hook value and update NF_IP_NUMHOOKS in /include/linux/netfilter_ipv4.h
Insert an NF_HOOK call at the appropriate place in the stack to invoke the hook
14
Outline: Hook, IP Table, Ipt_match, Ipt_target
15
IP table
Hitches on hooks
Separates into data and operations
Contains all rules for each hook
Removing or adding a rule rebuilds the rule base
Tables on the same hook are processed in priority order
16
IP table (diagram): an IP table is a list of ipt_entry rules; a hook op applies the table to a packet at its hook
17
IP table (ipt_table)
struct ipt_table
–char name[]
–struct ipt_replace *table; (seed table, used to produce ipt_table_info)
–unsigned int valid_hooks;
–rwlock_t lock;
–struct ipt_table_info *private; (where the rules are recorded)
18
IP table (ipt_table)
struct ipt_replace
–char name[];
–unsigned int valid_hooks;
–unsigned int num_entries;
–unsigned int size;
–unsigned int hook_entry[NF_IP_NUMHOOKS]; (rule entry point for each hook)
–unsigned int underflow[NF_IP_NUMHOOKS]; (default rule for each hook)
–unsigned int num_counters;
–struct ipt_counters *counters;
–struct ipt_entry entries[0];
19
IP table (ipt_table_info)
struct ipt_table_info
–unsigned int size
–unsigned int number (number of entries)
–unsigned int initial_entries (initial number of entries)
–unsigned int hook_entry[NF_IP_NUMHOOKS]
–unsigned int underflow[NF_IP_NUMHOOKS]
–char entries[0]
20
IP table (nf_hook_ops)
struct nf_hook_ops
–nf_hookfn *hook (how to process the table on the hook)
–int pf (protocol family, e.g. PF_INET)
–int hooknum; (which hook it hitches on)
–int priority; (the priority in which the table is processed on the hook)
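As an added example (not from the slides or the kernel source), the following user-space C model shows what NF_HOOK does with the nf_hook_ops registered on a hook: ops are kept sorted by priority, each is called in turn, the first NF_DROP ends traversal, and okfn runs only if every op accepted. The constants are the 2.4 netfilter values; the hook signature, the sk_buff fields and the two sample ops are simplified assumptions.

```c
#include <stddef.h>
/* Added user-space model of NF_HOOK dispatch over nf_hook_ops (not kernel
 * code). The verdict, hook-number and priority constants are the 2.4
 * netfilter values; the hook signature and sk_buff are simplified here. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_IP_PRE_ROUTING = 0,
       NF_IP_PRI_MANGLE = -150, NF_IP_PRI_FILTER = 0 };
struct sk_buff { unsigned char tos; unsigned long nfmark; };  /* toy packet */
struct nf_hook_ops {
    unsigned int (*hook)(struct sk_buff *skb);  /* how to process the packet */
    int hooknum;                                /* which hook it hitches on */
    int priority;                               /* lower value runs earlier */
    struct nf_hook_ops *next;
};

/* nf_register_hook: keep the list sorted by ascending priority */
static void nf_register_hook(struct nf_hook_ops **head, struct nf_hook_ops *op)
{
    while (*head && (*head)->priority <= op->priority)
        head = &(*head)->next;
    op->next = *head;
    *head = op;
}

/* NF_HOOK: run every op registered on hooknum in priority order; the first
 * NF_DROP ends the walk, otherwise okfn() resumes the IP stack path. */
static int nf_hook(struct nf_hook_ops *head, int hooknum, struct sk_buff *skb,
                   int (*okfn)(struct sk_buff *))
{
    for (struct nf_hook_ops *op = head; op; op = op->next)
        if (op->hooknum == hooknum && op->hook(skb) == NF_DROP)
            return NF_DROP;
    return okfn(skb);
}

/* Constructed ops: mangle marks every packet; filter drops marked packets
 * with TOS 0x10, which only works because mangle (-150) runs before it. */
static unsigned int mangle_hook(struct sk_buff *skb) { skb->nfmark = 1; return NF_ACCEPT; }
static unsigned int filter_hook(struct sk_buff *skb)
{ return (skb->nfmark && skb->tos == 0x10) ? NF_DROP : NF_ACCEPT; }
static int ip_rcv_finish(struct sk_buff *skb) { (void)skb; return NF_ACCEPT; }  /* okfn */

/* Register filter before mangle; the priority sort still runs mangle first */
static int run_pre_routing(unsigned char tos)
{
    struct nf_hook_ops *head = NULL;
    struct nf_hook_ops filter = { filter_hook, NF_IP_PRE_ROUTING, NF_IP_PRI_FILTER, NULL };
    struct nf_hook_ops mangle = { mangle_hook, NF_IP_PRE_ROUTING, NF_IP_PRI_MANGLE, NULL };
    struct sk_buff skb = { tos, 0 };
    nf_register_hook(&head, &filter);
    nf_register_hook(&head, &mangle);
    return nf_hook(head, NF_IP_PRE_ROUTING, &skb, ip_rcv_finish);
}
```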
21
IP table
Default IP tables:
–Filter
–Mangle
–NAT
22
Write a new table
Define a table
–iptable_filter.c:84
static struct ipt_table packet_filter = { { NULL, NULL }, "filter", &initial_table.repl, FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE };
Define the default ipt_replace
–iptable_filter.c:30
23
Write a new table
Initialize
–iptable_filter.c:128
–Register the table and its operations on the hooks
Finish
–iptable_filter.c:170
–Unregister the table and its operations, and clean up the data
24
Outline: Hook, IP Table, Ipt_match, Ipt_target
25
Match
A part of a rule
Processes a packet and determines whether it fulfills the condition of the rule
Returns 1 for true and 0 for false
Match information: the specification of the match in an IPT entry
26
(diagram) ipt_entry contains ipt_entry_match and ipt_entry_target; ipt_entry_match refers to an ipt_match, whose *match function returns unsigned int
27
Ipt_match
struct ipt_match
–const char name[];
–int (*match)(); (match function applied to a packet)
–int (*checkentry)(); (checks whether the parameters given to the match are valid)
–void (*destroy)(); (destroys the match information if necessary)
28
Built-in matches
TCP match
–source port, destination port, TCP flags
UDP match
–source port, destination port
ICMP match
–ICMP code
29
Match extensions
ipt_ah.c: match AH parameters
ipt_esp.c: match ESP parameters
ipt_length.c: match packet length
ipt_limit.c: rate limiting
ipt_mac.c: match MAC address
ipt_mark.c: match NFMARK
ipt_multiport.c: match a list of TCP/UDP ports
30
Match extensions
ipt_owner.c: match the owner of the socket
ipt_state.c: match connection tracking state
ipt_tcpmss.c: match TCP MSS (Maximum Segment Size) values
ipt_tos.c: match the TOS field
ipt_ttl.c: match the TTL field
ipt_unclean.c: strictly check that a packet is well-formed
31
Match example: ipt_tos.c
Define the ipt_match structure
–struct ipt_match tos_match = { { NULL, NULL }, "tos", &match, &checkentry, NULL, THIS_MODULE };
Initialize: register the match with iptables
Finish: unregister the match
32
Match example
Match
–return (iph->tos == info->tos) ^ info->invert
Checkentry
–return matchsize == IPT_ALIGN(sizeof(struct ipt_tos_info))
33
Write a new match
Define ipt_match
Initialize: register the match with iptables
Finish: unregister the match
Write the match and checkentry functions
Write a destroy function if necessary
34
Outline: Hook, IP Table, Ipt_match, Ipt_target
35
Target
A part of a rule
Processes a packet and determines the packet verdict
Returns a verdict, or IPT_CONTINUE to continue traversing the IP table
Target information: the specification of the target in an IPT entry
36
(diagram) ipt_entry contains ipt_entry_match and ipt_entry_target; ipt_entry_target refers to an ipt_target, whose *target function returns 0 or a packet verdict
37
Ipt_target
struct ipt_target
–const char name[];
–int (*target)(); (target function that determines the verdict of a packet; target == NULL means the ipt_target is a standard target)
–int (*checkentry)(); (checks whether the parameters given to the target are valid)
–void (*destroy)(); (destroys the target information if necessary)
38
Standard target
The target pointer in struct ipt_target is NULL
Is followed by a verdict instead, e.g. NF_ACCEPT, NF_DROP
39
Target extensions
ipt_LOG.c: log packets
ipt_MARK.c: set NFMARK in sk_buff
ipt_MASQUERADE.c: masquerade
ipt_MIRROR.c: swap the source and destination IP
ipt_REDIRECT.c: alter the destination IP to a local IP
ipt_REJECT.c: reject packets (sending ICMP unreachable or TCP reset)
40
Target extensions
ipt_MSS.c: set the TCP MSS field
ipt_TOS.c: set the IP TOS field
ipt_ULOG.c: send packets to a user-space daemon for logging
41
Target example: ipt_TOS.c
Define the ipt_target structure
–static struct ipt_target ipt_tos_reg = { { NULL, NULL }, "TOS", target, checkentry, NULL, THIS_MODULE };
Initialize: register the target with iptables
Finish: unregister the target
42
Target example
Target
–Change TOS to the value predefined in the target info
–Recompute the IP checksum
–Continue filtering
Checkentry
–Check the size, the table, and the predefined TOS value
43
Write a new target
Define ipt_target
Initialize: register the target with iptables
Finish: unregister the target
Write the target and checkentry functions
Write a destroy function if necessary
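The match on slide 32 and the target on slide 42, as an added user-space C model (not the kernel's ipt_tos.c or ipt_TOS.c): the TOS equality test with invert, the IPT_ALIGN size check in checkentry, and the TOS rewrite followed by an IP checksum recompute. The struct layouts, IPT_ALIGN and the sample header are simplified assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Added user-space model of the ipt_tos match and ipt_TOS target logic from
 * the slides (not the kernel's ipt_tos.c / ipt_TOS.c). IPT_ALIGN, the info
 * structs and the sample header are simplified and constructed here. */
#define IPT_ALIGN(s) (((s) + 7u) & ~7u)   /* 8-byte rounding, as in 2.4 ipt */
#define IPT_CONTINUE 0xFFFFFFFFu
struct iphdr { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
               uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; };
struct ipt_tos_info { uint8_t tos, invert; };   /* match info in the entry */
struct ipt_tos_target_info { uint8_t tos; };    /* target info in the entry */

/* ipt_tos.c match: equality, flipped when the rule was written with "!" */
static int tos_match(const struct iphdr *iph, const struct ipt_tos_info *info)
{ return (iph->tos == info->tos) ^ info->invert; }

/* ipt_tos.c checkentry: reject a mis-sized match info block */
static int tos_checkentry(unsigned int matchsize)
{ return matchsize == IPT_ALIGN(sizeof(struct ipt_tos_info)); }

/* RFC 1071 one's-complement sum over the header bytes in network order;
 * a header whose check field is already correct sums to zero. */
static uint16_t ip_checksum(const struct iphdr *iph)
{
    const uint8_t *b = (const uint8_t *)iph;
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof *iph; i += 2)
        sum += (uint32_t)(b[i] << 8 | b[i + 1]);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
static void ip_send_check(struct iphdr *iph)   /* zero, recompute, store big-endian */
{
    uint8_t *b = (uint8_t *)iph; uint16_t c;
    iph->check = 0; c = ip_checksum(iph);
    b[10] = c >> 8; b[11] = c & 0xFF;
}

/* ipt_TOS.c target: rewrite TOS, recompute the IP checksum, continue the chain */
static unsigned int tos_target(struct iphdr *iph, const struct ipt_tos_target_info *info)
{
    if (iph->tos != info->tos) { iph->tos = info->tos; ip_send_check(iph); }
    return IPT_CONTINUE;
}

/* Constructed sample header (not a capture): 20-byte IPv4/TCP, 10.0.0.1 -> 10.0.0.2 */
static struct iphdr make_hdr(uint8_t tos)
{
    struct iphdr h; uint8_t *b = (uint8_t *)&h;
    memset(&h, 0, sizeof h);
    h.ihl_version = 0x45; h.tos = tos; h.ttl = 64; h.protocol = 6;
    b[3] = 20; b[12] = 10; b[15] = 1; b[16] = 10; b[19] = 2;   /* tot_len, addrs */
    ip_send_check(&h);
    return h;
}
```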
44
Reference
http://www.netfilter.org
–IPTables-tutorial