Thoughts on dynamic protocol Tracking Mechanism

Source: Internet
Author: User
Tags: ftp connection

Dynamic protocol Tracking Mechanism

Take FTP as an example of a dynamic protocol: the data connection is set up as a second, associated connection negotiated over the control connection. The Linux kernel's connection tracking does not handle this flexibly, because the FTP helper is registered only for a fixed list of control ports. The code is as follows:

    static struct ip_conntrack_helper ftp[MAX_PORTS];
    static char ftp_names[MAX_PORTS][10];

    static int __init init(void)
    {
        int i, ret;
        char *tmpname;

        if (ports[0] == 0)
            ports[0] = FTP_PORT;

        /* MAX_PORTS is 8; any non-standard source ports must be given when loading the module. */
        for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
            ftp[i].tuple.src.u.tcp.port = htons(ports[i]);
            ftp[i].tuple.dst.protonum = IPPROTO_TCP;
            ftp[i].mask.src.u.tcp.port = 0xFFFF;
            ftp[i].mask.dst.protonum = 0xFFFF;
            ftp[i].max_expected = 1;
            ftp[i].timeout = 0;
            ftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
            ftp[i].me = ip_conntrack_ftp;
            ftp[i].help = help;

            tmpname = &ftp_names[i][0];
            if (ports[i] == FTP_PORT)
                sprintf(tmpname, "ftp");
            else
                sprintf(tmpname, "ftp-%d", ports[i]);
            ftp[i].name = tmpname;

            DEBUGP("ip_ct_ftp: registering helper for port %d\n",
                   ports[i]);
            /* Register the ip_conntrack_helper for this port */
            ret = ip_conntrack_helper_register(&ftp[i]);
            if (ret) {
                fini();
                return ret;
            }
            ports_c++;
        }
        return 0;
    }

In this case, when FTP servers run on many non-standard ports, the master (control) connection gets no helper, so the associated data connections cannot be tracked. The workaround is as follows: for every FTP master connection for which no helper is found, register a helper_binding function with the application identification module (a module that determines the connection type from packet content). When that module identifies the current connection as FTP, it calls helper_binding, which looks the helper up by name and associates the FTP ip_conntrack_helper with the master connection.

For this name-bound helper, set ftp[i].mask.src.u.tcp.port = 0x0000;. This assignment is meant to make the helper fail the tuple match for every connection, so that no other application helper conflicts with it. In the init_conntrack function, the corresponding helper is looked up for each master connection. The code is as follows:

    /* Look up the conntrack helper for master connections only */
    if (!expected)
        conntrack->helper = ip_ct_find_helper(&repl_tuple);

This lookup ends up calling helper_cmp, so we modify that function to return 0 (no match) directly for such wildcard-port helpers:

    static inline int
    helper_cmp(const struct ip_conntrack_helper *helper,
               const struct ip_conntrack_tuple *tuple)
    {
        /* Added judgment: a helper whose source-port mask is 0 is never matched by tuple */
        if (helper->mask.src.u.tcp.port == 0 &&
            (helper->tuple.dst.protonum == IPPROTO_TCP || helper->tuple.dst.protonum == IPPROTO_UDP))
            return 0;
        else
            return ip_ct_tuple_mask_cmp(tuple, &helper->tuple, &helper->mask);
    }
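As an added example (a constructed user-space model, not kernel code and not from the original page) of why the zero mask and the helper_cmp change go together: it models ip_ct_tuple_mask_cmp, the original and modified helper_cmp, the ip_ct_find_helper walk over registered helpers, and the by-name lookup that helper_binding performs. The names helpers, find_helper and find_helper_by_name are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17
/* Reduced tuple: helpers match the reply tuple, whose src port is the server's port. */
struct tuple { uint16_t src_port; uint8_t protonum; };
struct helper { const char *name; struct tuple tuple; struct tuple mask; };

/* Same semantics as ip_ct_tuple_mask_cmp: each field is compared after masking. */
static int tuple_mask_cmp(const struct tuple *t, const struct tuple *ht, const struct tuple *m)
{
    return (t->src_port & m->src_port) == (ht->src_port & m->src_port)
        && (t->protonum & m->protonum) == (ht->protonum & m->protonum);
}
/* Unmodified helper_cmp: a src-port mask of 0 makes the helper match every flow of its protocol. */
static int helper_cmp_orig(const struct helper *h, const struct tuple *t)
{ return tuple_mask_cmp(t, &h->tuple, &h->mask); }

/* helper_cmp with the added judgment: wildcard-port TCP/UDP helpers are never matched by tuple. */
static int helper_cmp_patched(const struct helper *h, const struct tuple *t)
{
    if (h->mask.src_port == 0 &&
        (h->tuple.protonum == IPPROTO_TCP || h->tuple.protonum == IPPROTO_UDP))
        return 0;
    return tuple_mask_cmp(t, &h->tuple, &h->mask);
}

/* Registered helpers (constructed): the standard port-21 helper and a wildcard one bound by name. */
static const struct helper helpers[] = {
    { "ftp",     { 21, IPPROTO_TCP }, { 0xFFFF, 0xFF } },
    { "ftp-dyn", {  0, IPPROTO_TCP }, { 0x0000, 0xFF } },
};
#define NHELPERS (sizeof helpers / sizeof helpers[0])
/* Models ip_ct_find_helper: name of the first helper whose cmp accepts the tuple, else NULL. */
static const char *find_helper(int (*cmp)(const struct helper *, const struct tuple *), const struct tuple *t)
{
    for (size_t i = 0; i < NHELPERS; i++)
        if (cmp(&helpers[i], t))
            return helpers[i].name;
    return NULL;
}
/* Models helper_binding's lookup by name once the application layer identifies FTP. */
static const char *find_helper_by_name(const char *name)
{
    for (size_t i = 0; i < NHELPERS; i++)
        if (strcmp(helpers[i].name, name) == 0)
            return helpers[i].name;
    return NULL;
}
```

Without the added judgment, the wildcard helper would be attached to every TCP master connection by tuple lookup; with it, such a helper is reachable only through the by-name binding.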

After the application identification module recognizes the connection as FTP, the helper's help function is called from the ip_conntrack_in hook function (the conntrack hook callback). The code is as follows:

    /* Netfilter hook itself. */
    unsigned int ip_conntrack_in(unsigned int hooknum,
                                 struct sk_buff **pskb,
                                 const struct net_device *in,
                                 const struct net_device *out,
                                 int (*okfn)(struct sk_buff *))
    {
        struct ip_conntrack *ct;
        enum ip_conntrack_info ctinfo;
        struct ip_conntrack_protocol *proto;
        int set_reply;
        int ret;
        /* ... */
        /* ... */
        if (ret != NF_DROP && ct->helper) {
            /* Call the helper's help function */
            ret = ct->helper->help((*pskb)->nh.iph, (*pskb)->len,
                                   ct, ctinfo);
            if (ret == -1) {
                /* Invalid */
                nf_conntrack_put((*pskb)->nfct);
                (*pskb)->nfct = NULL;
                return NF_ACCEPT;
            }
        }
        if (set_reply)
            set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
        return ret;
    }
