Comparison of Linux Firewall Implementation Technologies (1)

Source: Internet
Author: User

This article uses ipchains, iptables and Checkpoint FW1 as examples to illustrate how the different firewall implementations on Linux differ.
Basic Concepts
Before getting started, I will spend a little time on some basic concepts. Although the term "firewall" has not changed much over the years, if you have only read documents from the early 1990s, some of these concepts may confuse you. Only the most practical ones are listed here. They are not precise definitions; I have just tried to make them easy to understand.
Packet filtering:
A type of firewall. The technique was described in papers in the 1980s. Traditional packet filtering is commonly found on routers, while dedicated firewall products usually add extensions such as stateful inspection. A packet filter examines the addresses, protocol, ports and other header fields of each individual packet and decides from them alone whether to let the packet through.
Proxy:
A type of firewall. It works at the application layer, and its hallmark is that there are two separate connections: one between the browser and the proxy, and one between the proxy and the web server. If the principle is still unclear, capture the traffic with a sniffer and look at the two connections. Proxies are not covered in this article.
Stateful inspection:
Also known as dynamic packet filtering. It is an extension of traditional packet filtering and was first proposed by Checkpoint. Traditional packet filtering copes badly with protocols that negotiate ports dynamically, such as FTP, because the ports that need to be open cannot be known in advance. With purely static packet filtering, using such a service means opening every port it might use, usually a very wide range, which creates unnecessary risk. Stateful inspection examines application-layer information such as the FTP PORT and PASV commands to determine which port must be opened temporarily; when the transfer ends, that port is closed again immediately.
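To make the mechanism concrete, here is an added user-space model of it in C. It is example code written for this edit, not code from the article, ipchains or Checkpoint. The inspector parses the FTP PORT command from the control channel, opens a pinhole for exactly the announced data connection, and closes it again when the transfer ends. The table layout, the function names, and the refusal of a PORT command that names a host other than the control-connection client (the classic check against FTP bounce) are assumptions of this example; all addresses and command lines are constructed.

```c
/*
 * Added example (not code from the article, ipchains or Checkpoint):
 * user-space model of stateful inspection for active-mode FTP.
 * Addresses and PORT lines below are constructed sample data.
 */
#include <stdint.h>
#include <stdio.h>

#define FW_DROP      0
#define FW_ACCEPT    1
#define MAX_PINHOLES 8            /* assumption: small fixed table */

struct pinhole {
    uint32_t server_ip;           /* host allowed to open the data connection */
    uint32_t client_ip;           /* address announced in the PORT command */
    uint16_t client_port;         /* port announced in the PORT command */
    int      in_use;
};

static struct pinhole pinholes[MAX_PINHOLES];

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse "PORT h1,h2,h3,h4,p1,p2". Returns the announced port (p1*256+p2)
 * and stores the address in *ip when ip is non-NULL. Returns -1 on a
 * malformed line (wrong field count or any field outside 0..255). */
int parse_ftp_port(const char *line, uint32_t *ip)
{
    unsigned v[6];
    int n = sscanf(line, "PORT %u,%u,%u,%u,%u,%u",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]);
    if (n != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    if (ip)
        *ip = ip4(v[0], v[1], v[2], v[3]);
    return (int)(v[4] * 256 + v[5]);
}

/* Called for each client->server line on the control channel. A pinhole is
 * opened only for a well-formed PORT whose address is the client's own, so a
 * PORT naming a third host (FTP bounce) is refused. Returns the pinhole
 * index, or -1 when refused or when the table is full (fail closed). */
int ftp_open_pinhole(uint32_t client_ip, uint32_t server_ip, const char *line)
{
    uint32_t announced;
    int port = parse_ftp_port(line, &announced);
    if (port < 0 || announced != client_ip)
        return -1;
    for (int i = 0; i < MAX_PINHOLES; i++) {
        if (!pinholes[i].in_use) {
            pinholes[i].server_ip   = server_ip;
            pinholes[i].client_ip   = client_ip;
            pinholes[i].client_port = (uint16_t)port;
            pinholes[i].in_use      = 1;
            return i;
        }
    }
    return -1;
}

/* Close the pinhole when the data transfer (or the control session) ends. */
int ftp_close_pinhole(int idx)
{
    if (idx < 0 || idx >= MAX_PINHOLES || !pinholes[idx].in_use)
        return -1;
    pinholes[idx].in_use = 0;
    return 0;
}

/* Static rule: new inbound connections to the client network are dropped
 * unless a live pinhole matches the exact (server, client, port) triple. */
int filter_inbound(uint32_t src_ip, uint32_t dst_ip, uint16_t dst_port)
{
    for (int i = 0; i < MAX_PINHOLES; i++)
        if (pinholes[i].in_use && pinholes[i].server_ip == src_ip &&
            pinholes[i].client_ip == dst_ip && pinholes[i].client_port == dst_port)
            return FW_ACCEPT;
    return FW_DROP;
}

int main(void)
{
    uint32_t client = ip4(10, 0, 0, 5), server = ip4(203, 0, 113, 7);
    printf("before PORT:    %d\n", filter_inbound(server, client, 1025));
    int h = ftp_open_pinhole(client, server, "PORT 10,0,0,5,4,1\r\n");
    printf("after PORT:     %d\n", filter_inbound(server, client, 1025));
    printf("other port:     %d\n", filter_inbound(server, client, 1026));
    printf("bounce refused: %d\n",
           ftp_open_pinhole(client, server, "PORT 192,0,2,9,4,1\r\n"));
    ftp_close_pinhole(h);
    printf("after close:    %d\n", filter_inbound(server, client, 1025));
    return 0;
}
```

The point to take from it is the contrast with the static approach: instead of leaving the whole ephemeral port range open, the filter admits one connection keyed on the exact triple announced by the control channel, removes it when the session is over, and fails closed on malformed input and on a full table.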
DMZ (demilitarized zone):
For ease of configuration and management, the servers on the internal network that must provide services to the outside are usually placed on a separate network segment, the demilitarized zone. The firewall is then generally fitted with three network interfaces, connected to the intranet, the Internet and the DMZ respectively.
Because of its privileged position in the topology (it usually sits at the key egress point of the network), a firewall typically also bundles NAT, masquerading, VPN and other functions. These are not discussed in this article.
Hook Points
Overview
Packet filtering has to examine IP packets, so it works at the network layer: it intercepts each IP packet and compares it with the user-defined rules.
Ipchains

Broadly speaking, ipchains has input, output and forward checks. In the code, however, the output check is not a single point: it is scattered across several functions in the IP layer, one per class of upper-layer protocol:
UDP/RAW/ICMP packets: ip_build_xmit()
TCP packets: ip_queue_xmit()
Forwarded packets: ip_forward()
Others: ip_build_and_send_pkt()
As Rusty Russell, the ipchains maintainer, has said, shortly after starting ipchains he realised that the chosen hook locations were wrong, but by then he could only live with the mistake. One obvious problem with this structure is that a forwarded packet has to be matched by three chains (input, forward and output). Masquerading is also coupled too tightly to the firewall module: unless you understand the mechanism in detail, it is easy to write rules that do not do what you expect.

Iptables
The firewall code in the 2.4 kernel is not a simple enhancement of 2.2 but a complete rewrite with a very different structure. Where 2.2 had the three ipchains checks, 2.4 has five hook points: NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING.
A handler is registered at a hook point with nf_register_hook(), which stores it in the global array nf_hooks. When a packet reaches that hook point, the registered functions run in priority order, and the first one that returns NF_DROP ends the traversal. Strictly speaking, netfilter is just this framework: it lets you attach handlers at the appropriate positions, and the official code registers many of them (search the source for nf_register_hook calls). The packet-filtering table, for example, registers on NF_IP_FORWARD, as well as on NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT.
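To show the registration mechanism concretely, here is an added user-space model of it; this is example code written for this edit, not netfilter's source. nf_hooks[pf][hooknum] holds the handlers for each hook point sorted by priority, nf_register_hook() inserts into that list, and nf_hook() walks it until a handler returns NF_DROP. The names follow the 2.4 API, but the structures are reduced to the fields this model needs; the two handlers, the sk_buff fields and the PF_INET/NPROTO values are assumptions of the example, and the packets are constructed.

```c
/*
 * Added example (not netfilter's own code): user-space model of
 * nf_register_hook() / nf_hooks[][] / the per-hook traversal.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define PF_INET   2          /* as in the kernel; only PF_INET is used here */
#define NPROTO    32         /* size of the first nf_hooks dimension */

enum {                       /* the five 2.4 IPv4 hook points */
    NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
    NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS
};

struct sk_buff {             /* assumption: only what the toy policy looks at */
    uint8_t  protocol;       /* 6 = TCP, 17 = UDP */
    uint16_t dport;
};

struct nf_hook_ops;
typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff *skb,
                               const struct nf_hook_ops *ops);

struct nf_hook_ops {
    struct nf_hook_ops *next;
    nf_hookfn *hook;
    int pf;
    int hooknum;
    int priority;            /* lower number runs first, as in the kernel */
};

static struct nf_hook_ops *nf_hooks[NPROTO][NF_IP_NUMHOOKS];

/* Insert into the list for (pf, hooknum), keeping it sorted by priority. */
int nf_register_hook(struct nf_hook_ops *reg)
{
    if (reg->pf < 0 || reg->pf >= NPROTO ||
        reg->hooknum < 0 || reg->hooknum >= NF_IP_NUMHOOKS)
        return -1;
    struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum];
    while (*pp && (*pp)->priority <= reg->priority)
        pp = &(*pp)->next;
    reg->next = *pp;
    *pp = reg;
    return 0;
}

int nf_unregister_hook(struct nf_hook_ops *reg)
{
    for (struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum]; *pp; pp = &(*pp)->next) {
        if (*pp == reg) {
            *pp = reg->next;
            reg->next = NULL;
            return 0;
        }
    }
    return -1;
}

/* Walk the hook point: the first NF_DROP wins, otherwise the packet goes on. */
unsigned int nf_hook(int pf, int hooknum, struct sk_buff *skb)
{
    for (const struct nf_hook_ops *ops = nf_hooks[pf][hooknum]; ops; ops = ops->next)
        if (ops->hook(hooknum, skb, ops) == NF_DROP)
            return NF_DROP;
    return NF_ACCEPT;
}

/* Handler 1 (assumed): accounting hook with a low priority number, so it
 * sees every forwarded packet before the filter decides. */
static unsigned long forwarded_seen;
static unsigned int count_forward(unsigned int hooknum, struct sk_buff *skb,
                                  const struct nf_hook_ops *ops)
{
    (void)hooknum; (void)skb; (void)ops;
    forwarded_seen++;
    return NF_ACCEPT;
}

/* Handler 2 (assumed): a filter rule on NF_IP_FORWARD, like the filter
 * table; drops forwarded TCP traffic to port 23. */
static unsigned int filter_forward(unsigned int hooknum, struct sk_buff *skb,
                                   const struct nf_hook_ops *ops)
{
    (void)hooknum; (void)ops;
    if (skb->protocol == 6 && skb->dport == 23)
        return NF_DROP;
    return NF_ACCEPT;
}

static struct nf_hook_ops count_ops  = { NULL, count_forward,  PF_INET, NF_IP_FORWARD, -100 };
static struct nf_hook_ops filter_ops = { NULL, filter_forward, PF_INET, NF_IP_FORWARD, 0 };

/* Build a constructed packet and return the verdict at one hook point. */
unsigned int verdict_at(int hooknum, uint8_t protocol, uint16_t dport)
{
    struct sk_buff skb = { protocol, dport };
    return nf_hook(PF_INET, hooknum, &skb);
}

int main(void)
{
    nf_register_hook(&filter_ops);
    nf_register_hook(&count_ops);      /* registered last, still runs first */
    printf("forwarded telnet: %u\n", verdict_at(NF_IP_FORWARD, 6, 23));
    printf("forwarded http:   %u\n", verdict_at(NF_IP_FORWARD, 6, 80));
    printf("local-in telnet:  %u\n", verdict_at(NF_IP_LOCAL_IN, 6, 23));
    printf("seen at FORWARD:  %lu\n", forwarded_seen);
    return 0;
}
```

Two things the model makes visible that the description alone does not: the order in which modules load does not decide the order in which they run, only the priority does, and a handler on one hook point (NF_IP_FORWARD) has no effect on packets passing a different one (NF_IP_LOCAL_IN), which is exactly why the filter table has to register on three hooks.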
FW1
FW1 is Checkpoint's firewall for the 2.2 kernel. The module file as shipped contains a large amount of debugging information, so many implementation details can be traced from the disassembled code.
FW1 installs its input filter function with dev_add_pack(). But there is a catch: in net_bh(), the skbuff handed to a network-layer handler is a clone whenever another handler for the same protocol follows it in the list, that is:

    skb2 = skb_clone(skb, GFP_ATOMIC);
    if (skb2)
        pt_prev->func(skb2, skb->dev, pt_prev);


So if the handler wants to discard the packet, freeing the skbuff it received is not enough: it only holds a copy, and the original is still delivered to the last handler in the list, ip_rcv().
How does FW1 get around this? See the following C rendering of the disassembled code:

    struct packet_type *fw_type_list = NULL;

    static struct packet_type fw_ip_packet_type = {
        __constant_htons(ETH_P_IP),
        NULL,                 /* all devices */
        fw_filterin,
        NULL,
        NULL                  /* next */
    };

    void fwinstallin(int isinstall)
    {
        struct packet_type *temp;

        if (isinstall == 0) {
            /* install (0 selects install in the decompiled code): put our
             * handler at the head, then unlink every handler behind it */
            dev_add_pack(&fw_ip_packet_type);
            fw_type_list = fw_ip_packet_type.next;
            for (temp = fw_type_list; temp; temp = temp->next)
                dev_remove_pack(temp);
        } else {
            /* uninstall: remove our handler and restore the saved list */
            dev_remove_pack(&fw_ip_packet_type);
            for (temp = fw_type_list; temp; temp = temp->next)
                dev_add_pack(temp);
        }
    }


It is not hard to see that FW1 unlinks ip_packet_type (together with any other handler behind its own entry) and then calls ip_rcv() itself from its handler, fw_filterin(). Its handler is thus the only one left for IP and receives the original skbuff rather than a clone, so dropping the packet is simply a matter of not passing it on.
The output hook is installed the same way a loadable kernel module would do it: by replacing dev->hard_start_xmit. The device structure changed once during the 2.2 series; for compatibility, FW1 checks the kernel version number to pick the right field offset.
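The clone problem and FW1's work-around are easy to misjudge without seeing the dispatch loop run, so here is an added user-space model of both; it is example code written for this edit, not Checkpoint's code and not the kernel's. It reproduces the net_bh() delivery loop (every matching handler except the last gets a clone), a naive filter registered beside ip_packet_type that tries to drop by freeing what it was given, and FW1's fwinstallin(), which unlinks the other handlers so that its own handler receives the original and calls ip_rcv() itself. The struct layouts are trimmed to what the model needs, the "drop TCP port 23" policy is invented for the demonstration, and the packets are constructed.

```c
/*
 * Added example (not Checkpoint's code, not kernel source): user-space
 * model of the 2.2 net_bh() packet_type dispatch and the FW1 work-around.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_P_IP 0x0800

struct sk_buff {                 /* assumption: only the fields the model uses */
    uint16_t protocol;
    uint16_t dport;
};

struct packet_type {
    uint16_t type;
    int (*func)(struct sk_buff *, struct packet_type *);
    struct packet_type *next;
};

static struct packet_type *ptype_base;   /* one list; the kernel hashes by type */

static struct sk_buff *skb_clone(const struct sk_buff *skb)
{
    struct sk_buff *c = malloc(sizeof *c);
    if (c)
        memcpy(c, skb, sizeof *c);
    return c;
}
static void kfree_skb(struct sk_buff *skb) { free(skb); }

/* As in 2.2: dev_add_pack inserts at the head; dev_remove_pack unlinks but
 * leaves ->next alone, which is what lets fwinstallin() keep walking the
 * saved list while it removes entries. */
static void dev_add_pack(struct packet_type *pt)
{
    pt->next = ptype_base;
    ptype_base = pt;
}
static void dev_remove_pack(struct packet_type *pt)
{
    for (struct packet_type **pp = &ptype_base; *pp; pp = &(*pp)->next)
        if (*pp == pt) { *pp = pt->next; return; }
}

/* The delivery loop of net_bh(): clones for every handler but the last. */
static void net_bh_deliver(struct sk_buff *skb)
{
    struct packet_type *pt, *pt_prev = NULL;
    for (pt = ptype_base; pt; pt = pt->next) {
        if (pt->type != skb->protocol)
            continue;
        if (pt_prev) {
            struct sk_buff *skb2 = skb_clone(skb);
            if (skb2)
                pt_prev->func(skb2, pt_prev);
        }
        pt_prev = pt;
    }
    if (pt_prev)
        pt_prev->func(skb, pt_prev);
    else
        kfree_skb(skb);
}

static int ip_delivered;         /* packets that reached the IP layer */
static int ip_rcv(struct sk_buff *skb, struct packet_type *pt)
{
    (void)pt;
    ip_delivered++;
    kfree_skb(skb);
    return 0;
}
static int policy_drops(const struct sk_buff *skb) { return skb->dport == 23; }

/* Naive filter loaded beside ip_packet_type: it only ever sees a clone, so
 * freeing it does nothing to the original, which ip_rcv() still receives. */
static int naive_filterin(struct sk_buff *skb, struct packet_type *pt)
{
    (void)pt;
    if (policy_drops(skb)) { kfree_skb(skb); return 0; }   /* "dropped" the clone */
    kfree_skb(skb);                                         /* accepted: clone unneeded */
    return 0;
}

/* FW1 style: the only handler left; drop, or hand the original to ip_rcv(). */
static int fw_filterin(struct sk_buff *skb, struct packet_type *pt)
{
    if (policy_drops(skb)) { kfree_skb(skb); return 0; }
    return ip_rcv(skb, pt);
}

static struct packet_type ip_packet_type    = { ETH_P_IP, ip_rcv,         NULL };
static struct packet_type naive_packet_type = { ETH_P_IP, naive_filterin, NULL };
static struct packet_type fw_ip_packet_type = { ETH_P_IP, fw_filterin,    NULL };
static struct packet_type *fw_type_list;

/* fwinstallin() as reconstructed from FW1, applied to this model. */
static void fwinstallin(int isinstall)
{
    struct packet_type *temp;
    if (isinstall == 0) {
        dev_add_pack(&fw_ip_packet_type);
        fw_type_list = fw_ip_packet_type.next;
        for (temp = fw_type_list; temp; temp = temp->next)
            dev_remove_pack(temp);
    } else {
        dev_remove_pack(&fw_ip_packet_type);
        for (temp = fw_type_list; temp; temp = temp->next)
            dev_add_pack(temp);
    }
}

/* Push one constructed IP packet through the current list; returns 1 if it
 * reached ip_rcv(), 0 if the filter stopped it. */
static int send_packet(uint16_t dport)
{
    struct sk_buff *skb = malloc(sizeof *skb);
    skb->protocol = ETH_P_IP;
    skb->dport = dport;
    int before = ip_delivered;
    net_bh_deliver(skb);
    return ip_delivered - before;
}

int deliver_naive(uint16_t dport)
{
    ptype_base = NULL;
    dev_add_pack(&ip_packet_type);       /* registered at boot in the kernel */
    dev_add_pack(&naive_packet_type);    /* module loaded later: head of list */
    int r = send_packet(dport);
    dev_remove_pack(&naive_packet_type);
    dev_remove_pack(&ip_packet_type);
    return r;
}

int deliver_fw1(uint16_t dport)
{
    ptype_base = NULL;
    dev_add_pack(&ip_packet_type);
    fwinstallin(0);
    int r = send_packet(dport);
    fwinstallin(1);
    return r;
}

int main(void)
{
    printf("naive filter, telnet: reached IP layer = %d\n", deliver_naive(23));
    printf("FW1 filter,   telnet: reached IP layer = %d\n", deliver_fw1(23));
    printf("FW1 filter,   http:   reached IP layer = %d\n", deliver_fw1(80));
    return 0;
}
```

Running it shows the failure mode the text describes: with the naive handler in place the "dropped" telnet packet still reaches the IP layer, while after fwinstallin(0) the only handler is FW1's, which sees the original and can genuinely withhold it.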
Another Linux firewall product, WebGuard (http://www.gennet.com.tw/b5/csub_webguard.html), uses an approach similar to FW1's; interested readers can study it on their own.

