Firewall Lab Session

This document provides an outline for a firewall lab that involves using various Linux kernel tools and techniques including getopt, loadable kernel modules (LKMs), the /proc filesystem, and Netfilter. It describes preliminaries like installing header files and byte order functions. It also explains how to write and load LKMs, interface with /proc, and hook into the Netfilter framework. References are provided for further reading.

Uploaded by Rohan Kataria
Copyright: Attribution Non-Commercial (BY-NC)

Firewall Lab

Zutao Zhu
02/05/2010
Outline
• Preliminaries
• getopt
• LKM
• /proc filesystem
• Netfilter
Manual Page Package
• apt-get install manpages-dev manpages-posix manpages-posix-dev
Header Files
• /usr/include/linux
• /usr/src/linux-headers-2.6.xx-yy/include/linux
• ip.h, icmp.h, tcp.h, skbuff.h, …
• Find out the header files for a function by using man
Byte Order
• http://www.gnu.org/s/libc/manual/html_node/Byte-Order.html
• Different kinds of computers use different conventions for the ordering of bytes within a word. Some computers put the most significant byte within a word first (this is called “big-endian” order), and others put it last (“little-endian” order).
• The Internet protocols specify a canonical byte order convention for data transmitted over the network. This is known as network byte order.
Functions
• htonl – unsigned integer from host byte order to network byte order
• htons – unsigned short from host byte order to network byte order
• ntohl – unsigned integer from network byte order to host byte order
• ntohs – unsigned short from network byte order to host byte order
Vim hints
• Use telnet or ssh to log in to your Ubuntu machine
• Before pasting, run the command :set nocindent
getopt
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• header file <unistd.h>
• int getopt (int argc, char **argv, const char *options)
• c = getopt (argc, argv, "abc:");
– An option character in this string can be followed by a colon (‘:’) to indicate that it takes a required argument.
getopt
• optarg – points at the value of the option argument
• Get long options
– struct option long_options[]
– c = getopt_long (argc, argv, "abc:d:f:", long_options, &option_index);
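An added example, not from the slides, showing the getopt_long pattern above as the option parser of a lab firewall tool: -p/--proto and -d/--dport carry the ':' (required argument), -b and -v are plain flags. The option letters, long names and the struct rule fields are assumptions for illustration.

```c
#include <getopt.h>      /* getopt_long, struct option, optarg, optind, opterr */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed rule spec for the lab tool: -p/--proto and -d/--dport take a required
 * argument (hence the ':' after them in the option string), -b/-v are flags. */
struct rule {
    int block, verbose;
    char proto[8];
    unsigned short port;
};

/* Parses argv into *r.  Returns 0 on success, -1 on an unknown option,
 * a missing argument, an overlong protocol name or a port outside 1..65535. */
int parse_rule(int argc, char **argv, struct rule *r)
{
    static const struct option longopts[] = {
        { "block",   no_argument,       NULL, 'b' },
        { "verbose", no_argument,       NULL, 'v' },
        { "proto",   required_argument, NULL, 'p' },
        { "dport",   required_argument, NULL, 'd' },
        { NULL, 0, NULL, 0 }
    };
    int c, idx = 0;
    char *end;
    long v;

    memset(r, 0, sizeof(*r));
    optind = 1;   /* reset getopt's global cursor so the function is re-entrant */
    opterr = 0;   /* keep getopt quiet; the caller reports errors */
    while ((c = getopt_long(argc, argv, "bvp:d:", longopts, &idx)) != -1) {
        switch (c) {
        case 'b': r->block = 1; break;
        case 'v': r->verbose = 1; break;
        case 'p':                                             /* optarg holds the value */
            if (strlen(optarg) >= sizeof(r->proto)) return -1; /* reject overlong names */
            strcpy(r->proto, optarg);
            break;
        case 'd':
            v = strtol(optarg, &end, 10);
            if (*end != '\0' || v < 1 || v > 65535) return -1;  /* validate untrusted input */
            r->port = (unsigned short)v;
            break;
        default: return -1;   /* '?': unknown option or missing required argument */
        }
    }
    return 0;
}
```

A main() only needs to call parse_rule(argc, argv, &r) and print a usage line when it returns -1.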
/proc
• Many elements of the kernel use /proc both to report information and to enable dynamic runtime configuration
• A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel.
• We can read from or write to a virtual file.
/proc virtual filesystem
• Use “cat” to read, use “echo” to write, or call read()/write()
• struct proc_dir_entry
– proc_entry->read_proc = fortune_read;
– proc_entry->write_proc = fortune_write;
• create_proc_entry()
• copy_from_user()
• remove_proc_entry()
Loadable Kernel Modules
• LKMs (when loaded) are very much part of the kernel.
• How to insert: insmod
• How to remove: rmmod
• How to list: lsmod
• How to check: modinfo
• How to display output: dmesg
How does an LKM work?
• insmod makes an init_module system call to load the LKM into kernel memory.
• In init_module(), you can create a device file or a proc virtual file and set up the read or write function for the proc virtual file.
• rmmod makes a cleanup_module system call to do the cleanup work.
• /usr/src/linux-2.6.31/kernel/module.c
How to write an LKM?
• http://www.linuxforums.org/articles/introducing-lkm-programming-part-i_110.html
LKM example
• Hello world in lab pdf
• http://tldp.org/HOWTO/Module-HOWTO/x839.html
• The following slides are modified based on http://www.cs.usfca.edu/~cruse/cs635/lesson02.ppt
Our module’s organization
• The module’s ‘payload’: function get_info
• The module’s two required administrative functions: module_init, module_exit
The ‘get_info()’ callback
• When an application program (like ‘mycat’) tries to read our pseudo-file, the kernel will call our ‘get_info()’ function, passing it four function arguments -- and will expect it to return an integer value:
int get_info( char *buf, char **start, off_t off, int count, int *eof, void *data );
– buf: pointer to a kernel buffer
– start: pointer (optional) to the module’s own buffer
– off: current file-pointer offset
– count: size of space available in the kernel’s buffer
– the function should return the number of bytes it has written into its buffer
The ‘sprintf()’ function
• The kernel provides a function your module can call to print formatted text into a buffer
• It resembles a standard C library function:
int sprintf( char *dstn, const char *fmt, <arguments> );
– dstn: pointer to destination
– fmt: formatting specification string
– <arguments>: list of the argument values to format
– returns the number of characters that were printed to the destination buffer
• Example: int len = sprintf( buf, “count = %d \n”, count );


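An added example, not from the slides or the USF lesson they are based on, of a get_info() callback with the signature shown above, written so it runs in userspace: the test supplies buf and count where the proc layer would. It uses snprintf and honours count, because the slide's sprintf has no bound on what it writes into the kernel's buffer. The message text and hit counter are assumed module state.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* off_t */

/* Assumed module state: a fixed message and how many times it has been read */
static unsigned long hits;
static const char *message = "firewall lab: hello from /proc";

/* Same signature as on the slide.  Returns the number of bytes written into
 * buf for this call; sets *eof once the whole message has been delivered. */
int get_info(char *buf, char **start, off_t off, int count, int *eof, void *data)
{
    char tmp[128];
    int len, avail;
    (void)data;

    if (count <= 0) return 0;                  /* nothing can be written */
    if (off == 0) hits++;                      /* a new read starts at offset 0 */
    /* snprintf instead of the slide's sprintf: the text can never overrun tmp */
    len = snprintf(tmp, sizeof(tmp), "%s (read %lu times)\n", message, hits);
    if (len >= (int)sizeof(tmp)) len = (int)sizeof(tmp) - 1;

    if (off >= len) { *eof = 1; return 0; }    /* reader is already past the end */
    avail = len - (int)off;
    if (avail > count) avail = count;          /* never write more than the kernel buffer holds */
    memcpy(buf, tmp + off, (size_t)avail);
    *start = buf;                              /* data for this call begins at buf */
    if (off + avail >= len) *eof = 1;
    return avail;
}
```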
register/unregister
• Your module-initialization function should ‘register’ the module’s ‘get_info()’ function:
create_proc_info_entry( modname, 0, NULL, get_info );
– modname: the name for your proc file
– 0: the file-access attributes (0=default)
– NULL: directory where the file will reside (NULL=default)
– get_info: function pointer to your module’s ‘callback’ routine
• Your cleanup should do an ‘unregister’:
remove_proc_entry( modname, NULL );
– modname: the file’s name; NULL: the directory
Makefile for LKM
• obj-m += fortune.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Utilities for LKM
• modinfo simple-lkm.ko
• dmesg | tail -10
– Check the output of the module
• http://tldp.org/HOWTO/Module-HOWTO/x146.html
Netfilter
• NF_IP_PRE_ROUTING [1]
• NF_IP_LOCAL_IN [2]
• NF_IP_FORWARD [3]
• NF_IP_POST_ROUTING [4]
• NF_IP_LOCAL_OUT [5]
• http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
When to hook?
Netfilter does
• NF_ACCEPT: continue traversal as normal.
• NF_DROP: drop the packet; don't continue traversal.
• NF_STOLEN: I've taken over the packet; don't continue traversal.
• NF_QUEUE: queue the packet (usually for userspace handling).
• NF_REPEAT: call this hook again.
structure
• struct sk_buff in skbuff.h
• struct nf_hook_ops in netfilter.h
• typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *));
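An added example, not from the slides, of the decision logic an nf_hookfn would run before returning NF_ACCEPT or NF_DROP, written for userspace so it can be checked against a constructed packet: in the kernel the hook reads the headers from the skb, here a raw byte buffer stands in for it. It also exercises the byte-order functions from the earlier slide, since the port fields arrive in network byte order. The "drop UDP to one port" policy and the 10.0.0.1 -> 10.0.0.2 sample packet are assumptions.

```c
#include <arpa/inet.h>   /* ntohs/htons: convert between network and host byte order */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Netfilter verdicts, values as in <linux/netfilter.h> */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Minimal IPv4 and UDP headers; every multi-byte field is in network byte order */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;       /* version in the high nibble, IHL (32-bit words) in the low */
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;      /* protocol 17 = UDP */
    uint16_t check;
    uint32_t saddr, daddr;
};
struct udp_hdr { uint16_t source, dest, len, check; };

/* Assumed policy: NF_DROP for UDP to blocked_port or for a header that cannot
 * be parsed (fail closed), NF_ACCEPT for everything else. */
unsigned int filter_verdict(const uint8_t *pkt, size_t pktlen, uint16_t blocked_port)
{
    struct ipv4_hdr ip;
    struct udp_hdr udp;
    size_t ihl;
    if (pktlen < sizeof(ip)) return NF_DROP;
    memcpy(&ip, pkt, sizeof(ip));            /* copy out: no unaligned field access */
    ihl = (size_t)(ip.ver_ihl & 0x0f) * 4;   /* IP options can make this > 20 */
    if ((ip.ver_ihl >> 4) != 4 || ihl < sizeof(ip)) return NF_DROP;
    if (ip.protocol != 17) return NF_ACCEPT; /* rule only covers UDP */
    if (pktlen < ihl + sizeof(udp)) return NF_DROP;
    memcpy(&udp, pkt + ihl, sizeof(udp));
    /* The port arrives big-endian: convert with ntohs() before comparing */
    return ntohs(udp.dest) == blocked_port ? NF_DROP : NF_ACCEPT;
}

/* Constructed 28-byte IPv4/UDP packet (no payload) from 10.0.0.1 to 10.0.0.2 */
size_t build_udp_packet(uint8_t *out, uint16_t dport)
{
    static const uint8_t tmpl[28] = {
        0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0xc0, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00 };
    uint16_t be = htons(dport);              /* host -> network byte order */
    memcpy(out, tmpl, sizeof(tmpl));
    memcpy(out + 22, &be, sizeof(be));       /* UDP destination port at offset 20 + 2 */
    return sizeof(tmpl);
}
```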
example
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
Misc
• Install kernel-source
– apt-get install kernel-source
• Extract kernel-source
– tar -jxvf filename.tar.bz2
• make oldconfig && make prepare && make modules_prepare
• apt-get install build-essential linux-headers-`uname -r`
Reference
• http://www.gnu.org/s/libc/manual/html_node/Getopt.html
• http://tldp.org/LDP/lkmpg/2.6/html/c708.html
• http://www.ibm.com/developerworks/linux/library/l-proc.html
• http://tldp.org/HOWTO/Module-HOWTO/
• http://www.netfilter.org/documentation/index.html
• http://vm.darkspace.org.uk/cgi-bin/viewcvs.cgi/*checkout*/uni_docs/fyp/References/netfilter.html#sec2
• http://www.paulkiddie.com/2009/11/creating-a-netfilter-kernel-module-which-filters-udp-packets/
• http://www.paulkiddie.com/2009/10/creating-a-simple-hello-world-netfilter-module/