How to implement a mirror port in Linux

Source: Internet
Author: User

One or more mirror ports can be configured on all high-end, most mid-range, and some low-end vSwitches/routers; a mirror port is a powerful tool for traffic analysis. On Linux, however, there is no ready-made technology for implementing a mirror port. Of course, I am not talking about Linux 3.x (I forget the exact minor version) or later: those kernels already support mirroring, but not well enough. The 2.6.35 kernel, at least, does not support it, so what kind of soft switch does Linux actually implement? The key point is that many high-end network products are also built on Linux and still have no mirror port. Even if you do not use the Linux bridge, you would still want a technique for implementing a mirror port.

1. Confirm your mirror port, for example eth5;

Implementation of xt_TEE

In xtables-addons there is an xt_TEE implementation, and its manual gives a clear example configuration:
    -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
    -j TEE --dev ethX,ethY,ethZ

Foreword

At first, the goal of writing this module was not a mirror port at all, but simply to duplicate one packet into two copies; that was all. In fact, it was meant to be a packet capture module implemented with Netfilter. Compared with pcap, which can only capture packets delivered to the local machine (this may contradict the original meaning of "capture", but that is just a word), the point is that in most cases capture is not meant for sniffing other people's data but for solving problems of my own. That requires filtering out the traffic flooded to all ports after the switch's MAC table entries age out, which takes a lot of tcpdump rules.

Packets cannot be sniffed!

Implementation

This implementation consists of four parts: a kernel module, a user-space iptables library, a struct definition header file, and a set of makefiles. The code follows the xtables-addons conventions entirely.

Struct definition header file: xt_CLONE.h
#ifndef _LINUX_NETFILTER_XT_CLONEMARK_H
#define _LINUX_NETFILTER_XT_CLONEMARK_H 1

/* Target info shared between the kernel module and libxt_CLONE.c:
 * the mark that the cloned packet will carry. */
struct xt_clonemark_tginfo {
	__u32 mark;
};

#endif /* _LINUX_NETFILTER_XT_CLONEMARK_H */

Kernel Module: xt_CLONE.c
/*
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License; either
 * version 2 of the License, or any later version, as published by the
 * Free Software Foundation.
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/interrupt.h>
#include <linux/ip.h>
#include <linux/netfilter/x_tables.h>
#include <net/ip.h>
#include <net/route.h>
#include <net/dst.h>
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netfilter/nf_conntrack.h>
#endif
#include "xt_CLONE.h"
#include "compat_xtables.h"

/* Queue of cloned skbs waiting to be re-routed and transmitted. */
static struct sk_buff_head clq;
static struct tasklet_struct clone_xmit_tasklet;

/* Tasklet body: re-route every queued clone by its mark and send it out
 * of the device the policy route selected. */
static void clone_xmit_work(unsigned long data)
{
	struct sk_buff_head *pclq = (struct sk_buff_head *)data;
	struct sk_buff *skb;

	while ((skb = skb_dequeue_tail(pclq)) != NULL) {
		struct net_device *old_dev = skb_dst(skb)->dev;
		struct net_device *new_dev;

		/* Reroute: on kernels before 2.6.24 the first argument is &skb. */
		if (ip_route_me_harder(skb, RTN_UNSPEC)) {
			kfree_skb(skb);
			continue;	/* must not touch the freed skb below */
		}
		new_dev = skb_dst(skb)->dev;
		/* Only send the copy when the route really changed; otherwise it
		 * would leave through the original egress device. */
		if (old_dev != new_dev)
			ip_local_out(skb);
		else
			kfree_skb(skb);
	}
}

static unsigned int
clone_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
{
	/* TODO: IPv6 is not implemented yet */
	return XT_CONTINUE;
}

static unsigned int
clone_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
{
	const struct xt_clonemark_tginfo *markinfo = par->targinfo;
	struct sk_buff *newskb;
	__u32 mark;
	__u32 qlen;

	/* Bound the backlog so a burst cannot exhaust memory. */
	qlen = skb_queue_len(&clq);
	if (qlen > 1000 /* should be controlled by a sysctl parameter */)
		return XT_CONTINUE;

	mark = markinfo->mark;
	newskb = pskb_copy(*poldskb, GFP_ATOMIC);
	if (newskb == NULL)
		return XT_CONTINUE;

	/* The point of working in the filter table is that the copy can be
	 * rerouted safely; the "re" in reroute is the key, so the dst is kept:
	 * skb_dst_drop(newskb); */

	/* Detach the copy from the original's connection tracking and attach
	 * the "untracked" pseudo conntrack, as NOTRACK does. */
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	nf_conntrack_put(newskb->nfct);
	/* 2.6.35 and later use nf_ct_untracked_get()->ct_general instead */
	newskb->nfct = &nf_conntrack_untracked.ct_general;
	newskb->nfctinfo = IP_CT_NEW;
	nf_conntrack_get(newskb->nfct);
#endif
	newskb->mark = mark;
	skb_queue_head(&clq, newskb);
	tasklet_schedule(&clone_xmit_tasklet);
	return XT_CONTINUE;
}

static struct xt_target clone_tg_reg[] __read_mostly = {
	{
		.name       = "CLONE",
		.revision   = 0,
		.family     = NFPROTO_IPV6,
		.table      = "filter",
		.target     = clone_tg6,
		.targetsize = sizeof(struct xt_clonemark_tginfo),
		.me         = THIS_MODULE,
	},
	{
		.name       = "CLONE",
		.revision   = 0,
		.family     = NFPROTO_IPV4,
		.table      = "filter",
		.target     = clone_tg4,
		.targetsize = sizeof(struct xt_clonemark_tginfo),
		.me         = THIS_MODULE,
	},
};

static int __init clone_tg_init(void)
{
	skb_queue_head_init(&clq);
	tasklet_init(&clone_xmit_tasklet, clone_xmit_work, (unsigned long)&clq);
	return xt_register_targets(clone_tg_reg, ARRAY_SIZE(clone_tg_reg));
}

static void __exit clone_tg_exit(void)
{
	/* Unregister first so no new clones are queued, then stop the tasklet
	 * and free whatever is still waiting. */
	xt_unregister_targets(clone_tg_reg, ARRAY_SIZE(clone_tg_reg));
	tasklet_kill(&clone_xmit_tasklet);
	skb_queue_purge(&clq);
}

module_init(clone_tg_init);
module_exit(clone_tg_exit);
MODULE_AUTHOR("Wangran");
MODULE_DESCRIPTION("Xtables: CLONE packet target");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ip6t_CLONE");
MODULE_ALIAS("ipt_CLONE");
Iptables module: libxt_CLONE.c
/*
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License; either
 * version 2 of the License, or any later version, as published by the
 * Free Software Foundation.
 */
#include <stdbool.h>
#include <stdio.h>
#include <getopt.h>
#include <xtables.h>
#include "xt_CLONE.h"
#include "compat_user.h"

enum {
	FL_MARK_USED = 1 << 0,
};

static const struct option clonemark_tg_opts[] = {
	{.name = "mark", .has_arg = true, .val = '1'},
	{NULL},
};

/* Default mark until --mark is given. */
static void clonemark_tg_init(struct xt_entry_target *t)
{
	struct xt_clonemark_tginfo *info = (void *)t->data;

	info->mark = ~0U;
}

static void clone_tg_help(void)
{
	printf("CLONE --mark value\n");
}

static int clone_tg_parse(int c, char **argv, int invert, unsigned int *flags,
                          const void *entry, struct xt_entry_target **target)
{
	struct xt_clonemark_tginfo *info = (void *)(*target)->data;
	unsigned int n;

	switch (c) {
	case '1':
		xtables_param_act(XTF_ONLY_ONCE, "CLONE", "--mark", *flags & FL_MARK_USED);
		xtables_param_act(XTF_NO_INVERT, "CLONE", "--mark", invert);
		if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
			xtables_param_act(XTF_BAD_VALUE, "CLONE", "--mark", optarg);
		info->mark = n;
		*flags |= FL_MARK_USED;
		return true;
	}
	return false;
}

static void clone_tg_check(unsigned int flags)
{
	/* TODO */
}

static void clonemark_tg_save(const void *entry, const struct xt_entry_target *target)
{
	const struct xt_clonemark_tginfo *info = (const void *)target->data;

	printf(" --mark 0x%x", (__u32)info->mark);
}

static struct xtables_target clone_tg_reg = {
	.version       = XTABLES_VERSION,
	.name          = "CLONE",
	.family        = NFPROTO_UNSPEC,
	.size          = XT_ALIGN(sizeof(struct xt_clonemark_tginfo)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_clonemark_tginfo)),
	.init          = clonemark_tg_init,
	.save          = clonemark_tg_save,
	.help          = clone_tg_help,
	.parse         = clone_tg_parse,
	.final_check   = clone_tg_check,
	.extra_opts    = clonemark_tg_opts,
};

/* Register the target when iptables loads this shared object. */
static __attribute__((constructor)) void clone_tg_ldr(void)
{
	xtables_register_target(&clone_tg_reg);
}

Compile (one line in each of the three xtables-addons build files):
Kbuild:   obj-${build_CLONE} += xt_CLONE.o
Mbuild:   obj-${build_CLONE} += libxt_CLONE.so
mconfig:  build_CLONE=m
Then make && make install.

Why use the filter table? Because the filter table is traversed after routing, which makes it convenient to call the reroute function ip_route_me_harder; that function is exported as a kernel interface and can be called directly. Before settling on it, I tried calling ip_queue_xmit directly, but found that only packets originating from the local machine take that path, so I would have had to bind a socket to the skb, which is clearly extra work. Then I thought of calling ip_rcv_finish directly, but it is not exported: I would have to look up its address in procfs before loading the module and pass it in, which is not a standard method. Finally it was natural to call the ip_route_me_harder interface. However, this function requires the skb to already have a dst_entry (which is normal: the "re" in reroute means the skb has been routed once), so it must be called after routing. The processing point therefore falls between a Netfilter hook and the routing step, and the only place that satisfies this is the filter table. After rerouting, ip_local_out can be called directly to send the packet from layer 3.

Use the protocol stack itself, that is, call the protocol stack's own functions, because the stack is already doing this work; never reimplement it in your own code. If you think you can do better, change the protocol stack directly.

Limitations
 
This implementation is still limited. After all, it works at too high a layer, and it changes the MAC header of the packet, though that does not matter for in-depth parsing of application-layer content. In addition, three things need to be done on the local machine: first, set the CLONE rule and choose the mark; second, set a policy route keyed on that mark; third, disable ARP on the egress device the policy route points to. Besides the work on the local machine, the receiving interface of the machine that receives the mirrored traffic must be put into promiscuous mode.
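The three local steps and the receiver-side setting, written out as a script. This is an added example, not part of the original post or of xtables-addons; the interface names (eth5 as the mirror port), the mark value 0x64, routing table 100, and the FORWARD-chain placement of the CLONE rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sender-side CLONE rule,
# policy route by mark, ARP off on the mirror port, and receiver-side
# promiscuous mode. Interface names, mark, table number and the chain used
# for the CLONE rule are assumptions. DRY_RUN=1 only prints the commands.
set -eu

MIRROR_DEV="${MIRROR_DEV:-eth5}"   # egress device used as the mirror port
MARK="${MARK:-0x64}"               # fwmark carried by the cloned copy
TABLE="${TABLE:-100}"              # policy routing table for the copies
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Sender side: clone, route the copy by its mark, disable ARP on the mirror port.
mirror_sender_setup() {
    # 1. CLONE rule in the filter table (the target is registered for that
    #    table); the copy carries the mark, the original packet continues.
    run iptables -t filter -A FORWARD -j CLONE --mark "$MARK"
    # 2. Policy route: anything carrying the mark leaves via the mirror port.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default dev "$MIRROR_DEV" table "$TABLE"
    # 3. ARP off on the mirror port: the real destination is not reachable
    #    there, so resolution would stall; with ARP off the kernel fills in
    #    a destination MAC itself, which is why the MAC header changes.
    run ip link set dev "$MIRROR_DEV" arp off
}

# Receiver side: accept frames that are not addressed to this NIC.
mirror_receiver_setup() {
    run ip link set dev "$1" promisc on
}

case "${1:-}" in
    sender)   mirror_sender_setup ;;
    receiver) mirror_receiver_setup "${2:?receiving interface name}" ;;
esac
```

Run it as `sh mirror.sh sender` on the cloning machine and `sh mirror.sh receiver eth3` on the analysis box; `DRY_RUN=1` shows the exact commands without touching the system, which is also a convenient way to review what the rule set will look like before applying it.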
