Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Lab Zutao Zhu 02/05/2010. Outline Preliminaries getopt LKM /proc filesystem Netfilter.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewall Lab Zutao Zhu 02/05/2010. Outline Preliminaries getopt LKM /proc filesystem Netfilter."— Presentation transcript:

1 Firewall Lab Zutao Zhu 02/05/2010

2 Outline Preliminaries getopt LKM /proc filesystem Netfilter

3 Manual Page Package apt-get install manpages-dev manpages- posix manpages-posix-dev

4 Header Files /usr/include/linux /usr/src/linux-headers-2.6.xx- yy/include/linux ip.h, icmp.h, tcp.h, skbuff.h, … Find out the header files for a function by using man

5 Byte Order http://www.gnu.org/s/libc/manual/html_nod e/Byte-Order.htmlhttp://www.gnu.org/s/libc/manual/html_nod e/Byte-Order.html Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).

6 Byte Order The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.

7 Functions htonl – unsigned integer from host byte order to network byte order htons – unsigned short from host byte order to network byte order ntohl – unsigned integer from network byte order to host byte order ntohs - unsigned short from network byte order to host byte order

8 Vim hints Use telnet or ssh to login to your ubuntu Before paste, run command :set nocindent

9 getopt http://www.gnu.org/s/libc/manual/html_nod e/Getopt.htmlhttp://www.gnu.org/s/libc/manual/html_nod e/Getopt.html header file int getopt (int argc, char **argv, const char *options) c = getopt (argc, argv, "abc:")) –An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.

10 getopt optarg - point at the value of the option argument Get long options –struct option long_options[] –c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);

11 /proc many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel. We can read from or write to a virtual file.

12 /proc virtual filesystem Use “cat” to read, use “echo” to write, or by calling read()/write() struct proc_dir_entry –proc_entry->read_proc = fortune_read; –proc_entry->write_proc = fortune_write; create_proc_entry() copy_from_user () remove_proc_entry()

13 Loadable Kernel Modules LKMs (when loaded) are very much part of the kernel. How to insert: insmod How to remove: rmmod How to list: lsmod How to check: modinfo How to display output: dmesg

14 How LKM works? insmod makes an init_module system call to load the LKM into kernel memory. In init_module(), you can create device file or proc virtual file, setup the read or write function for the proc virtual file. rmmod makes an cleanup_module system call to do the cleanup work. /usr/src/linux-2.6.31/kernel/module.c

15 How to write a LKM? http://www.linuxforums.org/articles/introdu cing-lkm-programming-part-i_110.htmlhttp://www.linuxforums.org/articles/introdu cing-lkm-programming-part-i_110.html

16 LKM example Hello world in lab pdf http://tldp.org/HOWTO/Module- HOWTO/x839.htmlhttp://tldp.org/HOWTO/Module- HOWTO/x839.html The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/less on02.ppt http://www.cs.usfca.edu/~cruse/cs635/less on02.ppt

17 Our module’s organization get_info module_init module_exit The module’s two required administrative functions The module’s ‘payload’ function

18 The ‘get_info()’ callback When an application-program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it four function arguments -- and will expect it to return an integer value: int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data ); pointer to a kernel buffer current file-pointer offset pointer (optional) to module’ own buffer size of space available in the kernel’s buffer function should return the number of bytes it has written into its buffer

19 The ‘sprintf()’ function The kernel provides a function you module can call to print formatted text into a buffer It resembles a standard C library-function: int sprintf( char *dstn, const char *fmt, ); pointer to destination formatting specification string list of the argument-values to format will return the number of characters that were printed to the destination-buffer int len = sprintf( buf, “count = %d \n”, count ); Example:

20 register/unregister Your module-initialization function should ‘register’ the module’s ‘get_info()’ function: create_proc_info_entry( modname, 0, NULL); Your cleanup should do an ‘unregister’: remove_proc_entry( modname, NULL ); the name for your proc file the file-access attributes (0=default) directory where file will reside (NULL=default) function-pointer to your module’s ‘callback’ routine file’s name directory

21 Makefile for LKM obj-m += fortune.o all: make -C /lib/modules/$(shell uname - r)/build M=$(PWD) modules clean: make -C /lib/modules/$(shell uname - r)/build M=$(PWD) clean

22 Utilities for LKM modinfo simple-lkm.ko dmesg | tail -10 –Check the output of the module http://tldp.org/HOWTO/Module- HOWTO/x146.htmlhttp://tldp.org/HOWTO/Module- HOWTO/x146.html

23 Netfilter

24 NF_IP_PRE_ROUTING [1] NF_IP_LOCAL_IN [2] NF_IP_FORWARD [3] NF_IP_POST_ROUTING [4] NF_IP_LOCAL_OUT [5] http://www.netfilter.org/documentation/HO WTO//netfilter-hacking-HOWTO-3.htmlhttp://www.netfilter.org/documentation/HO WTO//netfilter-hacking-HOWTO-3.html

25 When to hook?

26 Netfilter does NF_ACCEPT: continue traversal as normal. NF_DROP: drop the packet; don't continue traversal. NF_STOLEN: I've taken over the packet; don't continue traversal. NF_QUEUE: queue the packet (usually for userspace handling). NF_REPEAT: call this hook again.

27 structure struct sk_buff in skbuff.h struct nf_hook_ops in netfilter.h typedef unsigned int nf_hookfn( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *));

28 example http://www.paulkiddie.com/2009/11/creatin g-a-netfilter-kernel-module-which-filters- udp-packets/http://www.paulkiddie.com/2009/11/creatin g-a-netfilter-kernel-module-which-filters- udp-packets/

29 Misc Install kernel-source –apt-get install kernel-source Extract kernel-source –tar -jxvf filename.tar.bz2 make oldconfig && make prepare && make modules_prepare apt-get install build-essential linux- headers-`uname -r`

30 Reference http://www.gnu.org/s/libc/manual/html_node/Get opt.htmlhttp://www.gnu.org/s/libc/manual/html_node/Get opt.html http://tldp.org/LDP/lkmpg/2.6/html/c708.html http://www.ibm.com/developerworks/linux/library/ l-proc.htmlhttp://www.ibm.com/developerworks/linux/library/ l-proc.html http://tldp.org/HOWTO/Module-HOWTO/ http://www.netfilter.org/documentation/index.html http://vm.darkspace.org.uk/cgi- bin/viewcvs.cgi/*checkout*/uni_docs/fyp/Referen ces/netfilter.html#sec2http://vm.darkspace.org.uk/cgi- bin/viewcvs.cgi/*checkout*/uni_docs/fyp/Referen ces/netfilter.html#sec2

31 Reference http://www.paulkiddie.com/2009/11/creatin g-a-netfilter-kernel-module-which-filters- udp-packets/http://www.paulkiddie.com/2009/11/creatin g-a-netfilter-kernel-module-which-filters- udp-packets/ http://www.paulkiddie.com/2009/10/creatin g-a-simple-hello-world-netfilter-module/http://www.paulkiddie.com/2009/10/creatin g-a-simple-hello-world-netfilter-module/

Download ppt "Firewall Lab Zutao Zhu 02/05/2010. Outline Preliminaries getopt LKM /proc filesystem Netfilter."

Similar presentations

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
DEVICE DRIVER VINOD KAMATH CS691X PROJECT WORK. Introduction How to write/install device drivers Systems, Kernel Programming Character, Block and Network.

DEVICE DRIVER VINOD KAMATH CS691X PROJECT WORK. Introduction How to write/install device drivers Systems, Kernel Programming Character, Block and Network.
Linux device-driver issues

Linux device-driver issues
Computer System Laboratory

Computer System Laboratory
Click Router: Hands on Arvind Venkatesan. Acknowledgements Thanks Hema for beautifying the slides!

Click Router: Hands on Arvind Venkatesan. Acknowledgements Thanks Hema for beautifying the slides!
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
CS 450 Module R4. R4 Overview Due on March 11 th along with R3. R4 is a small yet critical part of the MPX system. In this module, you will add the functionality.

CS 450 Module R4. R4 Overview Due on March 11 th along with R3. R4 is a small yet critical part of the MPX system. In this module, you will add the functionality.
Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.
Chapter 7 Process Environment Chien-Chung Shen CIS, UD

Chapter 7 Process Environment Chien-Chung Shen CIS, UD
Dr A Sahu Dept of Comp Sc & Engg. IIT Guwahati. Kernel Module Writing/Registering to /proc FS Payload of kernel module Reading CMOS Data – Real Time CMOS.

Dr A Sahu Dept of Comp Sc & Engg. IIT Guwahati. Kernel Module Writing/Registering to /proc FS Payload of kernel module Reading CMOS Data – Real Time CMOS.
Lecture 1.2: Linux and networking Roei Ben-Harush 2015.

Lecture 1.2: Linux and networking Roei Ben-Harush 2015.
On working with LKMs Using Linux Kernel Modules to quickly export privileged kernel information to ordinary users.

On working with LKMs Using Linux Kernel Modules to quickly export privileged kernel information to ordinary users.
How to make a pseudo-file As a follow-up to our first lab, we examine the steps needed to create our own ‘/proc’ file.

How to make a pseudo-file As a follow-up to our first lab, we examine the steps needed to create our own ‘/proc’ file.
Packet Mangling for Fun & Profit A Brief Intro to Netfilter, User Mode Linux, and the Linux TCP/IP Stack.

Packet Mangling for Fun & Profit A Brief Intro to Netfilter, User Mode Linux, and the Linux TCP/IP Stack.
The ‘net_device’ structure A look at the main kernel-object concerned with a Linux system’s network interface controller.

The ‘net_device’ structure A look at the main kernel-object concerned with a Linux system’s network interface controller.
Rapid prototyping of LKMs Configuring our Linux systems for the quick creation and use of loadable kernel modules.

Rapid prototyping of LKMs Configuring our Linux systems for the quick creation and use of loadable kernel modules.
CS 635 Advanced Systems Programming Spring 2005 Professor Allan B. Cruse University of San Francisco.

CS 635 Advanced Systems Programming Spring 2005 Professor Allan B. Cruse University of San Francisco.
CS 635 Advanced Systems Programming Fall 2007 Professor Allan B. Cruse University of San Francisco.

CS 635 Advanced Systems Programming Fall 2007 Professor Allan B. Cruse University of San Francisco.
Looking at kernel objects How a character-mode Linux device driver can be useful in viewing a ‘net_device’ structure.

Looking at kernel objects How a character-mode Linux device driver can be useful in viewing a ‘net_device’ structure.
Dr A Sahu Dept of Comp Sc & Engg. IIT Guwahati. Writing/Registering to /proc Character Device Driver – Characteristics and functionality – Basic IO functions.

Dr A Sahu Dept of Comp Sc & Engg. IIT Guwahati. Writing/Registering to /proc Character Device Driver – Characteristics and functionality – Basic IO functions.

Similar presentations

Ads by Google