linux netfilter code trace part1: iptable 周世中嚴長青
TRANSCRIPT
Linux Netfilter Code Trace
Part1: Iptable
周世中 嚴長青
Outline
• Hook
• IP Table
• Ipt_match
• Ipt_target
Outline
• Hook
• IP Table
• Ipt_match
• Ipt_target
Hooks
• Default hooks:– PRE_ROUTING– POST_ROUTING– FORWARD– LOCAL_IN– LOCAL_OUT
Hooks
PREROUTE
LOCAL_IN LOCAL_OUT
FORWARD POSTROUTE
Hooks
• NF_HOOK(pf, hook, skb, indev, outdev, okfn)– pf: protocol family (PF_INET)– hook:the location of the hooks– skb: sk_buff(packet information)– indev: which device the packet come from– outdev: which device the packet go to– okfn: call the function if the packet is accep
ted
Hook – PRE_ROUTING
• NF_IP_PRE_ROUTING
• ip_input.c:441(ip_rcv)– NF_HOOK(PF_INET, NF_IP_PRE_ROUTI
NG, skb, dev, NULL, ip_rcv_finish)
Hook – POST_ROUTING
• NF_IP_POST_ROUTING• ip_output.c:190(ip_finish_output)
– NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev, ip_finish_output2)
• Ip_output.c:232(ip_mc_output)– NF_HOOK(PF_INET, NF_IP_POST_ROU
TING, newskb, NULL, newskb->dev, ip_dev_loopback_xmit)
Hook – POST_ROUTING
• ip_output.c:248(ip_mc_output)– NF_HOOK(PF_INET, NF_IP_POST_ROU
TING, newskb, NULL, newskb->dev, ip_dev_loopback_xmit);
Hook – FORWARD
• NF_IP_FORWARD
• ip_forward.c:145(ip_forward)– NF_HOOK(PF_INET, NF_IP_FORWARD,
skb, skb->dev, dev2, ip_forward_finish)
Hook – LOCAL_IN
• NF_IP_LOCAL_IN
• ip_input.c:305(ip_local_deliver)– NF_HOOK(PF_INET, NF_IP_LOCAL_IN, s
kb, skb->dev, NULL, ip_local_deliver_finish)
Hook – LOCAL_OUT
• NF_IP_LOCAL_OUT• igmp.c:252 (igmp_send_report)
– NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, output_maybe_reroute)
• ip_output.c:155 (ip_build_and_send_pkt)– NF_HOOK(PF_INET, NF_IP_LOCAL_OUT,
skb, NULL, rt->u.dst.dev, output_maybe_reroute)
Hook – Write a new hook
• Default a new hook value and modify NF_IP_NUMHOOKS in /include/linux/netfilter_ipv4.h
• Insert NF_HOOK into the appropriate place to call the hook
Outline
• Hook
• IP Table
• Ipt_match
• Ipt_target
IP table
• Hitches on hooks
• Separates into data and operations
• Contains all rules for each hooks
• Removing or adding a rule will rebuild the rule base
• Process the tables in priority on hooks
IP table
IP Table
ipt_entry ……
IP Table IP Table
Hook
opopop op op op op op
opop op
packet packet
……
IP table(ipt_table)
• struct ipt_table– char name[]– struct ipt_replace *table;
• Seed table, used to product ipt_table_info
– unsigned int valid_hooks;– rwlock_t lock;– struct ipt_table_info *private;
• The place to record rules
IP table(ipt_table)
• struct ipt_replace– char name[];– unsigned int valid_hooks;– unsigned int num_entries;– unsigned int size;– unsigned int hook_entry[NF_IP_NUMHOOKS];– unsigned int underflow[NF_IP_NUMHOOKS];– unsigned int num_counters;– struct ipt_counters *counters;– struct ipt_entry entries[0];
Rules entrance for each HOOK
Default rules for each HOOK
IP table(ipt_table_info)
• struct ipt_table_info– unsigned int size– unsigned int number
• Number of entries
– unsigned int initial_entries• Initial number of entries
– unsigned int hook_entry[NF_IP_NUMHOOKS]– unsigned int underflow[NF_IP_NUMHOOKS]– char entries[0]
IP table(nf_hook_ops)
• struct nf_hook_ops– nf_hookfn *hook
• How to process the table on the hook
– int pf• Protocol family(e.g. PF_INET)
– int hooknum;• Hitches on which hook
– int priority;• Priority to process the table in the hook
IP table
• Default IP Tables:– Filter– Mangle– NAT
Write a new table
• Define a table– iptable_filter.c: 84
• static struct ipt_table packet_filter = { { NULL, NULL }, "filter", &initial_table.repl, FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE };
• Define default ipt_replace– iptable_filter.c: 30
Write a new table
• Initialize– iptable_filter.c: 128– Register table, its operations to the hook
• Finish– iptable_filter.c: 170– Unregister table, operations, and clean dat
as
Outline
• Hook
• IP Table
• Ipt_match
• Ipt_target
Match
• A part of a rule
• Process a packet and determine whether it fulfill the condition of the rule
• Return 1 for true and 0 for false
• Match information: specification of the match in a IPT Entry
ipt_entry ipt_entry_target
ipt_entry_match
ipt_match ipt_match ipt_match ipt_match
ipt_match *match
The match functionreturn unsigned int
Ipt_match
• struct ipt_match– const char name[];– int (*match) ();
• Match function to match a packet
– int (*checkentry)();• Check whether the parameter to the match is v
aild
– void (*destroy)();• Destroy the match information if necessary
Build-in match
• TCP match– source port, destination port, TCP flag
• UDP match– source port, destination port
• ICMP match– ICMP code
Match extensions
• ipt_ah.c: match for AH parameters• ipt_esp.c: match for ESP parameters• ipt_length.c: match for packet length• ipt_limit.c: control the rate• ipt_mac.c: match MAC address• ipt_mark.c: match NFMASK• ipt_multiport.c: match list of ports in TCP/UDP
Match extensions
• ipt_owner.c: match the owner of the socket• ipt_state.c: match connection tracking informati
on• ipt_tcpmss.c: match TCP MSS(Maximum Seg
ment Size) values• ipt_tos.c: match TOS field• ipt_ttl.c: match TTL field• ipt_unclean.c: check a packet is valid strictly
Match example
• ipt_tos.c
• Define the ipt_match structure– struct ipt_match tos_match = { { NULL, NU
LL }, "tos", &match, &checkentry, NULL, THIS_MODULE };
• Initialize: register match into iptable
• Finish: unregister the match
Match example
• Match– return (iph->tos == info->tos) ^ info->invert
• Checkentry– return matchsize == IPT_ALIGN(sizeof(stru
ct ipt_tos_info))
Write a new match
• Define ipt_match
• Initialize: register match into iptable
• Finish: unregister the match
• Write match and checkentry function
• Write destroy function if necessary
Outline
• Hook
• IP Table
• Ipt_match
• Ipt_target
Target
• A part of a rule
• Process a packet and determine the packet verdict
• Return verdict or IPT_CONTINUE to continue the iptable
• Target information: specification of the match in a IPT Entry
ipt_entry ipt_entry_target
ipt_entry_match
ipt_target ipt_target ipt_target ipt_taeget
ipt_target *target
The target function
return 0 or a packet verdict
Ipt_target• struct ipt_target
– const char name[];– int (*target) ();
• Target function to determine the verdict of a packet
• “Target=NULL” means the ipt_target is a standard target
– int (*checkentry)();• Check whether the parameter to the target is vaild
– void (*destroy)();• Destroy the target information if necessary
Standard target
• Target in structure ipt_target is NULL
• Following a verdict, e.g. NF_ACCEPT, NF_DROP
Target extensions
• ipt_LOG.c: logging packets• ipt_MARK.c: set NFMARK in sk_buff• ipt_MASQUERADE.c: masquerade• ipt_MIRROR.c: invert the src and dst IP• ipt_REDIRECT.c: alert dst IP to a local I
P• ipt_REJECT.c: reject packets(sending I
CMP unreachable or TCP reset)
Target extensions
• ipt_MSS.c: set the TCP MSS field
• ipt_TOS.c: set the IP TOS field
• ipt_ULOG.c: send to user space daemon to log packets
Target example
• ipt_TOS.c
• Define the ipt_target structure– static struct ipt_target ipt_tos_reg = { { NUL
L, NULL }, "TOS", target, checkentry, NULL, THIS_MODULE };
• Initialize: register target into iptable
• Finish: unregister the target
Target example
• Target– Change TOS to predefined value in target i
nfo– Recompute the IP checksum– Continue filtering
• Checkentry– Check size, table, and predefined value to
TOS
Write a new target
• Define ipt_target
• Initialize: register target into iptable
• Finish: unregister the target
• Write target and checkentry function
• Write destroy function if necessary
