Framework analysis of firewall in Linux system _unix Linux

NetFilter provides an abstract, general-purpose framework that defines the implementation of a child function that is the packet filtering subsystem. The NetFilter framework consists of the following five parts:

1. Define a hook function for each network protocol (IPV4, IPV6, etc.) (IPV4 defines 5 hook functions), which are invoked at several key points in the datagram flow through the stack. In these several points, the protocol stack will call the datagram and hook function labels as parameters of the NetFilter framework.

2. Any module of the kernel can register one or more hooks for each protocol to implement the hook, so that when a packet is passed to the NetFilter framework, the kernel can detect if any module registers the protocol and the hook function. If registered, calls the callback function used when the module is registered, so that the modules have the opportunity to check (and possibly modify) the packet, discard the packet, and instruct NetFilter to pass the packet into the user's space.

3. The queued packets are processed asynchronously to the user's space. A user process can examine the packet, modify the packet, or even reuse the packet into the kernel by leaving the same hook function from the kernel.

4. Any IP packets that are discarded at the IP layer should be checked before they are really discarded. For example, the module is allowed to check for ip-spoofed packets (routed discarded).

The position of the five hook points in the 5.IP layer is as follows:

1. nf_ip_pre_routing: Just enter the network layer of packets through this point (just finished version number, checksum and so on detection), the source address conversion at this point, ip_input.c in the IP_RCV call.

2. Nf_ip_local_in: After the route lookup, sent to the machine through this checkpoint, input packet filtering at this point; Ip_local_deliver call

3. Nf_ip_forward: Packets to be forwarded through this checkpoint, ForWord packet filtering at this point;

4. Nf_ip_post_routing: All immediately to go out through the network of packets through this checkpoint, the built-in destination address translation function (including address camouflage) at this point;

5. Nf_ip_local_out: The package emitted by the local process passes through this checkpoint, and the output packet is filtered at this point.

These points are already defined in the kernel, and kernel modules are able to register the processing at these hook points, which can be specified using the Nf_register_hook function. Called when the datagram passes through these hook functions, the module can modify the datagram and return the following values to the NetFilter:

Nf_accept continue normal transmission datagrams

Nf_drop discard the datagram and no longer transmit

Nf_stolen module takes over the datagram and does not continue to transmit the datagram

Nf_queue The datagram (typically used to process a datagram to a user's space)

Nf_repeat Call the hook function again

A netfilter framework, called Iptables, is used in the Linux2.4 kernel, which is the successor tool of IPChains, but it is more extensible. The kernel module can register a new rule table (table) and require the datagram to flow through the specified rules table. This datagram is chosen for the implementation of datagram filtering (filter table), Network address translation (NAT table) and datagram processing (mangle table). The three datagrams provided by the Linux2.4 kernel are based on NetFilter hook functions and IP tables. They are self-contained modules that are independent of each other. They are all perfectly integrated into the framework provided by Netfileter.

Packet filter

The filter table does not modify the datagram and only filters the datagram. One aspect of Iptables superior to IPChains is that it is smaller and faster. It is through the hook function nf_ip_local_in, Nf_ip_forward and Nf_ip_local_out access NetFilter framework. So there is only one place for any datagram to filter it. This is a huge improvement relative to ipchains, because in IPChains a forwarded datagram traverses three strands.

Nat

The NAT form listens for three netfilter hook functions: nf_ip_pre_routing, Nf_ip_post_routing, and Nf_ip_local_out. Nf_ip_pre_routing implements address translation of the source address of the datagram that needs to be forwarded, and nf_ip_post_routing addresses the destination address of the packet that needs to be forwarded. The conversion of the destination address for the local datagram is implemented by Nf_ip_local_out. The NAT table differs from the filter table because only the first datagram of the new connection will traverse the table, and subsequent datagrams will have the same conversion process based on the results of the first datagram. NAT tables are used in source NAT, Destination NAT, camouflage (which is a special case of source NAT) and transparent proxies (a special case of the destination NAT).

Datagram Processing (Packet mangling)

The Mangle form is registered in the nf_ip_pre_routing and nf_ip_local_out hooks. Using the Mangle table, you can make changes to the datagram or attach some out-of-band data to the datagram. The current Mangle table supports modifying the TOS bit and setting SKB nfmard fields.

SOURCE Analysis

If we want to add our own code, we need to use the Nf_register_hook function, whose function prototype is:

int Nf_register_hook (struct nf_hook_ops *reg)

struct NF_HOOK_OPS

{

struct List_head list;

/* User fills in from. */

NF_HOOKFN *hook;

int PF;

int hooknum;

/* Hooks are ordered in ascending priority. */

int priority;

};

Our job is to create an example of a struct nf_hook_ops structure and hook it up with Nf_register_hook. One of the list items we will always initialize to {null,null}; As a general work in the IP layer, PF is always pf_inet;hooknum is our choice of Hook Point; a hook point may hang multiple processing functions, who first, then to see priority, That is, the designation of priority. NETFILTER_IPV4.H specifies the precedence of a built-in handler function with an enumeration type:

Enum Nf_ip_hook_priorities {

Nf_ip_pri_first = Int_min,

Nf_ip_pri_conntrack =-200,

Nf_ip_pri_mangle =-150,

NF_IP_PRI_NAT_DST =-100,

Nf_ip_pri_filter = 0,

NF_IP_PRI_NAT_SRC = 100,

Nf_ip_pri_last = Int_max,

};

The hook is the provided handler, which is our main work, and its prototype is:

unsigned int nf_hookfn (unsigned int hooknum,

struct Sk_buff **skb,

const struct Net_device *in,

const struct Net_device *out,

Int (*OKFN) (struct sk_buff *));

Its five parameters will be passed through the Nfhook macro.

Nf_register_hook finds the appropriate location in Nf_hooks and inserts it into this table according to the protocol cluster type and priority registered in Reg. struct List_head Nf_hooks[nproto][nf_max_hooks] at NetFilter initialization (NETFILTER_INIT/NETFILTER.C, which in Sock_ Init when called) has been initialized to an empty table.

For example, Iptable calls Nf_register_hook to register his hook function at initialization time (INIT/IPTABLE_FILTER.C).

static struct Nf_hook_ops ipt_ops[]

= {{{null, null}, Ipt_hook, Pf_inet, nf_ip_local_in, Nf_ip_pri_filter},

{{null, null}, Ipt_hook, Pf_inet, Nf_ip_forward, Nf_ip_pri_filter},

{{null, null}, Ipt_local_out_hook, Pf_inet, Nf_ip_local_out,

Nf_ip_pri_filter}

};

Mangle registers its own hook function in the init/iptable_mangle.c.

static struct Nf_hook_ops ipt_ops[]

= {{{null, null}, Ipt_hook, Pf_inet, nf_ip_pre_routing, Nf_ip_pri_mangle},

{{null, null}, Ipt_local_out_hook, Pf_inet, Nf_ip_local_out,

Nf_ip_pri_mangle}

};

NAT registers its own hook function in the init/ip_nat_standalone.c

* * Before the packet filter, change the destination address * *

static struct Nf_hook_ops ip_nat_in_ops