netfilter programming
DESCRIPTION
Introduction to netfilter module programming.
Introduction to Kernel Development
Gopi Krishnan
Society for Electronic Transactions & Security
25.08.14 Gopi Krishnan, Society for Electronic Transactions & Security
Kernel Module Development
● Adding features to the kernel
● Loading & unloading a module on Linux
– Daemon: kmod
– Commands: insmod, rmmod, lsmod, modprobe
● Development
– Kernel headers
– Standard libraries
● Applications
– System-level services
– Device drivers
– Packet filtering & mangling
Preparing Development System
● Using the kernel that came with the distribution
– Download and install the headers package
● linux-headers-$(shell uname -r)-generic.{deb, rpm, ipk, tar}
● Using a customized kernel or a different kernel version
– Install the required build tools
● gcc, g++, make
● libncurses5 (needed by make menuconfig)
– Download the required kernel from http://www.kernel.org
– Extract the archive: tar -xf linux-${version}.tar.gz
– Navigate to the kernel source tree and issue the make command
● cd linux-${version}
● make menuconfig
hello_kernel.c
#include <linux/module.h>

MODULE_LICENSE("GPL");   /* without a license tag the kernel is marked tainted on load */

int init_module(void)
{
    printk("Hello!\n");      /* trailing newline flushes the line to the kernel log */
    return 0;                /* non-zero would make insmod fail */
}

void cleanup_module(void)
{
    printk("Goodbye!\n");
}
Building & Running a Module
Makefile
obj-m += hello_kernel.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
# make
# insmod hello_kernel.ko
# lsmod | grep hello_kernel
# rmmod hello_kernel
printk()
● Similar to printf() in stdio.h
● Writes to the kernel log facility (the ring buffer read with dmesg)
● Severity
– 0 Emergency KERN_EMERG
– 1 Alert KERN_ALERT
– 2 Critical KERN_CRIT
– 3 Error KERN_ERR
– 4 Warning KERN_WARNING
– 5 Notice KERN_NOTICE
– 6 Informational KERN_INFO
– 7 Debug KERN_DEBUG
hello_log_facility.c
#include <linux/module.h>
#include <linux/kernel.h>   /* KERN_* severity prefixes */

MODULE_LICENSE("GPL");

int init_module(void)
{
    printk(KERN_ERR "Hello!\n");     /* severity 3: shows up even at a restrictive console log level */
    return 0;
}

void cleanup_module(void)
{
    printk(KERN_ERR "Goodbye!\n");
}
Packet Mangling with Netfilter Framework
● Netfilter is a collection of hooks in the Linux network stack
● A packet can be dropped or mangled while traversing this framework
Netfilter Module
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

MODULE_LICENSE("GPL");

/* Hook function, defined on the next slide. This is the nf_hookfn prototype of
 * the kernels current when the slides were written; kernels from 4.4 on use
 * (void *priv, struct sk_buff *skb, const struct nf_hook_state *state) and,
 * from 4.13 on, nf_register_net_hook(&init_net, &pkt_ctrl). */
unsigned int custom_hook(unsigned int hooknum, struct sk_buff *skb,
                         const struct net_device *in,
                         const struct net_device *out,
                         int (*okfn)(struct sk_buff *));

static struct nf_hook_ops pkt_ctrl;

int init_module(void)
{
    pkt_ctrl.hook     = custom_hook;          /* called for every packet at this hook */
    pkt_ctrl.pf       = PF_INET;              /* IPv4 only */
    pkt_ctrl.hooknum  = NF_INET_PRE_ROUTING;  /* first hook an incoming packet reaches */
    pkt_ctrl.priority = NF_IP_PRI_FIRST;      /* run before other hooks at this point */
    return nf_register_hook(&pkt_ctrl);       /* non-zero on failure, so insmod reports it */
}

void cleanup_module(void)
{
    nf_unregister_hook(&pkt_ctrl);            /* must be undone before the module text goes away */
}
Custom Hook
unsigned int custom_hook(unsigned int hooknum, struct sk_buff *skb,
                         const struct net_device *in,
                         const struct net_device *out,
                         int (*okfn)(struct sk_buff *))
{
    /* Inspect or modify the packet in skb here, then return exactly one verdict:
     *   NF_ACCEPT - let the packet continue through the stack
     *   NF_DROP   - discard it silently
     *   NF_QUEUE  - hand it to a userspace queue handler */
    return NF_ACCEPT;
}
Reading Headers
● IP Header (#include <linux/ip.h>)
– struct iphdr *pkt_ip;
– pkt_ip = (struct iphdr *)skb_network_header(skb);
● TCP Header (#include <linux/tcp.h>; ip_hdrlen() comes from <net/ip.h>)
– struct tcphdr *pkt_tcp;
– pkt_tcp = (struct tcphdr *)(skb_network_header(skb) + ip_hdrlen(skb));
– Only meaningful when the IP protocol field says TCP and the packet is not a later fragment; multi-byte fields are in network byte order
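The hook on the previous slide returns a verdict, and the header accessors above give it the fields to base that verdict on. The program below is an added example, not code from the slides or from SETS: it factors the decision into a filter_verdict() function that reads the IPv4 and TCP headers from a raw buffer the same way the module would via skb_network_header() and ip_hdrlen(), so the policy can be unit-tested in userspace before it is loaded into a kernel. The blocked-port list, build_tcp_packet() and verdict_for() are constructed for this example; the NF_* values are the ones from <linux/netfilter.h>. It also handles the cases a hook at NF_INET_PRE_ROUTING actually meets: truncated or malformed headers, non-TCP traffic, and later fragments that carry no TCP header at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netfilter verdict values, copied from <linux/netfilter.h> so this
 * userspace program compiles without kernel headers. */
#define NF_DROP   0
#define NF_ACCEPT 1

#define PROTO_TCP 6   /* IANA protocol number for TCP (IPPROTO_TCP) */

/* Destination ports this example policy refuses: cleartext telnet
 * (constructed policy for the example, not from the slides). */
static const uint16_t blocked_ports[] = { 23, 2323 };

/* Read a 16-bit network-order field; the userspace stand-in for ntohs(). */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decide the hook's verdict for one packet. `pkt` points at the IPv4 header
 * (what skb_network_header(skb) returns in the module) and `len` is the
 * number of bytes available from there.
 *  - malformed packets (wrong version, IHL below 5, header longer than the
 *    data, first fragment too short for a TCP header) are dropped;
 *  - non-first fragments carry no TCP header, so they are accepted and left
 *    to later reassembly;
 *  - other non-TCP traffic is accepted untouched. */
unsigned int filter_verdict(const uint8_t *pkt, size_t len)
{
    size_t ihl, i;
    uint16_t dport;

    if (len < 20)
        return NF_DROP;                     /* shorter than a minimal IPv4 header */
    if ((pkt[0] >> 4) != 4)
        return NF_DROP;                     /* not IPv4 */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header length, as ip_hdrlen(skb) */
    if (ihl < 20 || ihl > len)
        return NF_DROP;                     /* IHL below minimum or past end of data */
    if (rd16(pkt + 6) & 0x1fff)
        return NF_ACCEPT;                   /* fragment offset != 0: no L4 header here */
    if (pkt[9] != PROTO_TCP)
        return NF_ACCEPT;                   /* iphdr->protocol: not TCP */
    if (len < ihl + 20)
        return NF_DROP;                     /* truncated TCP header */

    dport = rd16(pkt + ihl + 2);            /* tcphdr->dest, i.e. ntohs(pkt_tcp->dest) */
    for (i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
        if (dport == blocked_ports[i])
            return NF_DROP;
    return NF_ACCEPT;
}

/* Build a constructed IPv4+TCP packet (no options, no payload) into buf and
 * return its length. Only the fields the filter reads are filled in. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint16_t dport, uint16_t frag_off)
{
    if (cap < 40)
        return 0;
    memset(buf, 0, 40);
    buf[0]  = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    buf[3]  = 40;                           /* total length 40 */
    buf[6]  = (uint8_t)(frag_off >> 8);     /* flags + fragment offset */
    buf[7]  = (uint8_t)(frag_off & 0xff);
    buf[8]  = 64;                           /* TTL */
    buf[9]  = PROTO_TCP;
    buf[22] = (uint8_t)(dport >> 8);        /* TCP destination port at ihl + 2 */
    buf[23] = (uint8_t)(dport & 0xff);
    buf[32] = 0x50;                         /* TCP data offset 5 */
    return 40;
}

/* Build a packet and evaluate it, showing the filter only the first `avail`
 * bytes when avail is non-zero (simulates a truncated packet). */
unsigned int verdict_for(uint16_t dport, uint16_t frag_off, size_t avail)
{
    uint8_t buf[64];
    size_t n = build_tcp_packet(buf, sizeof buf, dport, frag_off);
    if (avail && avail < n)
        n = avail;
    return filter_verdict(buf, n);
}

/* In the module, custom_hook() would call the same function on the skb's
 * linear data (assumed usage, not from the slides):
 *   return filter_verdict(skb_network_header(skb), skb_headlen(skb));
 * which is valid at NF_INET_PRE_ROUTING because skb->data is the network
 * header there. */
int main(void)
{
    const char *name[] = { "NF_DROP", "NF_ACCEPT" };
    printf("TCP to port 23:          %s\n", name[verdict_for(23, 0, 0)]);
    printf("TCP to port 443:         %s\n", name[verdict_for(443, 0, 0)]);
    printf("port 23, later fragment: %s\n", name[verdict_for(23, 0x0100, 0)]);
    printf("port 23, truncated:      %s\n", name[verdict_for(23, 0, 30)]);
    return 0;
}
```

Keeping the decision in a function that takes a plain pointer and length is what makes the policy testable outside the kernel; the hook itself stays a thin wrapper, and every bounds check happens before a header field is read, which is the property a PRE_ROUTING hook needs because it sees packets before any other code has validated them.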
Detailed Netfilter Traversal
Thank You