Well-known commercial web sites such as Yahoo, eBay, CNN.com, Amazon, Buy.com and E*Trade have been attacked repeatedly by hackers, causing losses estimated at over a billion dollars and sounding the alarm once again that the network is not safe. As a mechanism for enforcing access control between a network and a system, the firewall is an important means of ensuring network security. At present there are a great many commercial firewall products on the market, and most of them are very capable. We are not concerned here with the price of these products; the point is that their designers aim at generality and compatibility and give a lot of weight to market share and profit, so for some specialised applications they are not necessarily a good fit. If a user can combine the general theory and methods of firewall design with the concrete situation of their own system and build a small, precise and robust firewall program of their own, it can often do a better job than an expensive general-purpose firewall.
Because of space limitations, this paper cannot cover the general theory and architecture of firewalls; instead it illustrates the method of designing a firewall program using the Linux system as an example.
I. The Linux network kernel from a programming point of view
Writing a firewall program does not require a deep understanding of the Linux network kernel. It is enough to know that the network kernel contains a mechanism by which it automatically calls a firewall program written by the user, and decides how to handle each datagram it sends or receives according to the result that the firewall program returns.
II. How to register your own firewall program with the kernel
We already know that the kernel automatically calls user-written firewall programs from the network layer. One prerequisite, however, is that the user must first correctly register the firewall program with the kernel.
The kernel provides a registration function and an unregistration function for firewalls, register_firewall and unregister_firewall respectively; see firewall.c (net/core/firewall.c in the kernel source). This is the firewall interface of the 2.0 and 2.2 kernels; later kernels replaced it with netfilter hooks, so the code below applies to those versions.
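The mechanism described above, modeled in user space as an added example (written for this article; it is not code from the kernel or from the original author): register_firewall and unregister_firewall keep a per-protocol chain of firewall_ops sorted by priority, and a call_in_firewall stand-in does what the kernel does for every arriving datagram, walking the chain and acting on the first hook that returns a verdict other than FW_SKIP. Assumptions: struct device and struct sk_buff are stand-ins holding only what the example needs, the FW_* numbers are the 2.0-era ones (2.2 renumbered them; take the values from your kernel's firewall.h), the IPv4 header is spelled out locally instead of using <netinet/ip.h>, eth0 is assumed to be the external interface, and the hook drop_spoofed_private and the helper verdict_for are names invented for this example.

```c
/* User-space model of the 2.x register_firewall / firewall_ops mechanism.
 * Added example for this article, not kernel code. Assumptions: stand-in
 * struct device / struct sk_buff; FW_* values as in the 2.0-era firewall.h
 * (2.2 renumbered them); own IPv4 header layout; eth0 = external side. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* PF_INET == 2, as the article lists */
#include <arpa/inet.h>    /* inet_pton, ntohl */

#define NPROTO     32     /* number of protocol families with a chain */
#define FW_REJECT (-1)    /* drop and send an error back to the sender */
#define FW_BLOCK    0     /* drop silently */
#define FW_ACCEPT   1     /* let the datagram through */
#define FW_SKIP     4     /* no opinion; consult the next hook in the chain */

struct device { char name[16]; };                     /* stand-in: name only */
struct sk_buff { unsigned char *data; size_t len; };  /* stand-in: payload only */

struct firewall_ops {                 /* same layout the kernel expects */
    struct firewall_ops *next;
    int (*fw_forward)(struct firewall_ops *this, int pf, struct device *dev,
                      void *phdr, void *arg, struct sk_buff **pskb);
    int (*fw_input)(struct firewall_ops *this, int pf, struct device *dev,
                    void *phdr, void *arg, struct sk_buff **pskb);
    int (*fw_output)(struct firewall_ops *this, int pf, struct device *dev,
                     void *phdr, void *arg, struct sk_buff **pskb);
    int fw_pf;         /* protocol family the hook is registered for */
    int fw_priority;   /* hooks with higher priority run first */
};

struct ipv4_hdr {      /* RFC 791 header; multi-byte fields in network order */
    uint8_t vhl, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check;
    uint32_t saddr, daddr;
};

static struct firewall_ops *firewall_chain[NPROTO];

/* Link fw into the chain for pf, keeping it sorted by fw_priority (highest
 * first). Returns 0 on success or a negative errno, as the kernel does. */
int register_firewall(int pf, struct firewall_ops *fw)
{
    struct firewall_ops **p;
    if (pf < 0 || pf >= NPROTO)
        return -EINVAL;
    for (p = &firewall_chain[pf]; *p; p = &(*p)->next)
        if (fw->fw_priority > (*p)->fw_priority)
            break;
    fw->fw_pf = pf;
    fw->next = *p;
    *p = fw;
    return 0;
}

/* Unlink fw from the chain for pf; -ENOENT if it was never registered. */
int unregister_firewall(int pf, struct firewall_ops *fw)
{
    struct firewall_ops **p;
    if (pf < 0 || pf >= NPROTO)
        return -EINVAL;
    for (p = &firewall_chain[pf]; *p; p = &(*p)->next)
        if (*p == fw) { *p = fw->next; fw->next = NULL; return 0; }
    return -ENOENT;
}

/* The kernel's side of the contract for an arriving datagram: call every
 * fw_input in priority order, return the first verdict that is not FW_SKIP,
 * and accept when no hook has an opinion. (The model tolerates a NULL hook.) */
int call_in_firewall(int pf, struct device *dev, void *phdr, void *arg,
                     struct sk_buff **pskb)
{
    struct firewall_ops *fw;
    for (fw = firewall_chain[pf]; fw; fw = fw->next) {
        int rc = fw->fw_input ? fw->fw_input(fw, pf, dev, phdr, arg, pskb) : FW_SKIP;
        if (rc != FW_SKIP)
            return rc;
    }
    return FW_ACCEPT;
}

/* Example hook (hypothetical): on eth0, silently drop IPv4 datagrams whose
 * source claims to be in 10.0.0.0/8, which cannot legitimately arrive from
 * outside. For everything else it has no opinion and lets later hooks decide. */
static int drop_spoofed_private(struct firewall_ops *this, int pf,
                                struct device *dev, void *phdr, void *arg,
                                struct sk_buff **pskb)
{
    const struct ipv4_hdr *ip = phdr;
    (void)this; (void)arg; (void)pskb;
    if (pf != PF_INET || (ip->vhl >> 4) != 4 || strcmp(dev->name, "eth0") != 0)
        return FW_SKIP;
    return (ntohl(ip->saddr) & 0xff000000u) == 0x0a000000u ? FW_BLOCK : FW_SKIP;
}

static struct firewall_ops antispoof_ops = { .fw_input = drop_spoofed_private,
                                             .fw_priority = 10 };

/* Build a constructed IPv4 header from src/dst and push it through the inbound
 * chain as if it had arrived on ifname; returns the chain's verdict. */
int verdict_for(const char *ifname, const char *src, const char *dst)
{
    struct device dev;
    struct ipv4_hdr ip;
    struct sk_buff skb = { (unsigned char *)&ip, sizeof ip }, *pskb = &skb;
    memset(&ip, 0, sizeof ip);
    ip.vhl = 0x45; ip.ttl = 64; ip.protocol = 6;   /* IPv4, 20-byte header, TCP */
    inet_pton(AF_INET, src, &ip.saddr);
    inet_pton(AF_INET, dst, &ip.daddr);
    snprintf(dev.name, sizeof dev.name, "%s", ifname);
    return call_in_firewall(PF_INET, &dev, &ip, NULL, &pskb);
}

int main(void)
{
    printf("register: %d\n", register_firewall(PF_INET, &antispoof_ops));
    printf("10.1.2.3 via eth0: %s\n", verdict_for("eth0", "10.1.2.3", "192.0.2.1") == FW_BLOCK ? "blocked" : "accepted");
    printf("198.51.100.7 via eth0: %s\n", verdict_for("eth0", "198.51.100.7", "192.0.2.1") == FW_BLOCK ? "blocked" : "accepted");
    printf("unregister: %d\n", unregister_firewall(PF_INET, &antispoof_ops));
    return 0;
}
```

The firewall_ops layout and the hook signature are exactly what a real module hands to register_firewall; only call_in_firewall and the stand-in types are the model's substitute for the kernel. Note the FW_SKIP discipline: a hook that returns FW_ACCEPT for everything it does not care about silently overrides every lower-priority hook, so decide only what your hook is responsible for and skip the rest.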
1. register_firewall
Its prototype is as follows:
int register_firewall(int pf, struct firewall_ops *fw)
Return value: 0 on success; a negative value (a negative errno code) on failure.
Parameters:
* The protocol family pf. The main values and the protocols they represent are as follows:
2 represents IPv4 (PF_INET), 4 represents IPX (PF_IPX), and 10 represents IPv6 (PF_INET6).
* The parameter fw points to a struct firewall_ops, which is defined as follows:
struct firewall_ops {
struct firewall_ops *next;
int (*fw_forward)(struct firewall_ops *this, int pf,
struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
int (*fw_input)(struct firewall_ops *this, int pf,
struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
int (*fw_output)(struct firewall_ops *this, int pf,
struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);