Linux Module Programming: Preliminaries


For my computer networks course project I have to build a firewall. The teacher did not restrict which system to build it on, so I decided to implement it on Linux. After looking up some material, I found that Linux already provides netfilter/iptables to give users firewall functionality. From a quick look, iptables makes it easy to configure the firewall a user wants, but it seems to do only filtering, packet modification and network address translation; it does not seem possible to get at the information inside the packets. Judging from other people's questions and blog posts online, anyone who wants that kind of functionality needs to use netfilter directly. Using netfilter means writing hook functions, and that cannot be done without writing kernel modules. So here are notes on some of the attempts I made and the problems I ran into along the way.

Platform used: Ubuntu 14.10

Kernel version: 3.16.0-23-generic (this matters: functions may differ between kernel versions, and most online tutorials use kernel 2.6)

2015.4.23

The first thing I wrote was a Hello world that prints a message each time the module is loaded and removed; it follows an online tutorial.

The code is as follows:

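    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/init.h>

    MODULE_LICENSE("GPL");  /* avoids the "module taints kernel" message */

    static int __init lkp_init(void);
    static void __exit lkp_exit(void);

    /* Runs on insmod; a non-zero return would abort the load. */
    static int __init lkp_init(void)
    {
        /* KERN_ALERT is log level 1; a literal "<1>" prefix is not parsed on 3.x kernels. */
        printk(KERN_ALERT "hello,world!\n");
        return 0;
    }

    /* Runs on rmmod; module exit functions return void. */
    static void __exit lkp_exit(void)
    {
        /* KERN_CRIT is log level 2. */
        printk(KERN_CRIT "hello,world!\n");
    }

    module_init(lkp_init);
    module_exit(lkp_exit);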

Makefile:

    ifneq ($(KERNELRELEASE),)
    # Invoked by kbuild: hello.c is built into hello.ko
    obj-m += hello.o

    else
    PWD := $(shell pwd)
    KVER := $(shell uname -r)
    KDIR := /lib/modules/$(KVER)/build

    all:
    	$(MAKE) -C $(KDIR) M=$(PWD)
    clean:
    	rm -rf *.o *.mod.c *.ko *.symvers *order *.markers
    endif

Run make once, then load the module: sudo insmod hello.ko

Use the dmesg command to see the output produced when the module is loaded.

Remove the module: sudo rmmod hello.ko

Use dmesg again to see the output produced on removal.

I will not write about how this Makefile is executed or why dmesg is needed to see the output, because these are explained more clearly elsewhere on the internet; I intend to write about the problems I ran into.

2015.4.26

I started writing netfilter-related functions. The first program follows the example in other people's tutorials: it registers a hook on LOCAL_OUT, and after every four packets sent out the hook drops the next one.

The code is as follows:

    #ifndef __KERNEL__
    #define __KERNEL__
    #endif
    #ifndef MODULE
    #define MODULE
    #endif
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>

    MODULE_LICENSE("GPL");

    /* Packets seen so far, modulo 5. */
    static int count = 0;

    /*
     * Hook function: drops every fifth outgoing packet, accepts the rest.
     * The signature is the one used in 2.6-era tutorials. On 3.16 the
     * nf_hookfn type takes (const struct nf_hook_ops *ops, struct sk_buff *skb, ...),
     * which is why assigning it to nfho.hook produces the warning discussed below.
     */
    static unsigned int func(unsigned int hooknum, struct sk_buff **skb,
                             const struct net_device *in,
                             const struct net_device *out,
                             int (*okfn)(struct sk_buff *))
    {
        count = (count + 1) % 5;
        if (count == 0) {
            return NF_DROP;
        }
        return NF_ACCEPT;
    }

    static struct nf_hook_ops nfho;

    static int __init myhook_init(void)
    {
        nfho.hook = func;
        nfho.owner = THIS_MODULE;
        nfho.pf = PF_INET;                  /* IPv4 */
        nfho.hooknum = NF_INET_LOCAL_OUT;   /* locally generated packets */
        nfho.priority = NF_IP_PRI_FIRST;    /* run before other hooks */
        return nf_register_hook(&nfho);
    }

    static void __exit myhook_fini(void)
    {
        nf_unregister_hook(&nfho);
    }

    module_init(myhook_init);
    module_exit(myhook_fini);

Makefile:

    ifneq ($(KERNELRELEASE),)
    # Invoked by kbuild: test0.c is built into test0.ko
    obj-m += test0.o

    else
    PWD := $(shell pwd)
    KVER := $(shell uname -r)
    KDIR := /lib/modules/$(KVER)/build

    all:
    	$(MAKE) -C $(KDIR) M=$(PWD) modules
    clean:
    	rm -rf *.o *.mod.c *.ko *.symvers *order *.markers
    endif

The problem: if the code is written the way other examples on the internet have it, make reports that NF_IP_LOCAL_OUT cannot be found. There is also a warning about nfho.hook = func; I would have to look into how to write it so that no warning is raised, but ignoring the warning causes no problem here. Back to NF_IP_LOCAL_OUT: looking in the directory that holds all the header files, the macro definition does exist. It is in uapi/linux/netfilter_ipv4.h, which linux/netfilter_ipv4.h includes. The catch is that it is wrapped in #ifndef __KERNEL__ ... #endif, so it is not included when compiling kernel code, as the following code shows:

    #ifndef __KERNEL__

    #include <limits.h> /* for INT_MIN, INT_MAX */

    /* IP Cache bits. */
    /* Src IP address. */
    #define NFC_IP_SRC              0x0001
    /* Dest IP address. */
    #define NFC_IP_DST              0x0002
    /* Input device. */
    #define NFC_IP_IF_IN            0x0004
    /* Output device. */
    #define NFC_IP_IF_OUT           0x0008
    /* TOS. */
    #define NFC_IP_TOS              0x0010
    /* Protocol. */
    #define NFC_IP_PROTO            0x0020
    /* IP options. */
    #define NFC_IP_OPTIONS          0x0040
    /* Frag & flags. */
    #define NFC_IP_FRAG             0x0080

    /* Per-protocol information: only matters if proto match. */
    /* TCP flags. */
    #define NFC_IP_TCPFLAGS         0x0100
    /* Source port. */
    #define NFC_IP_SRC_PT           0x0200
    /* Dest port. */
    #define NFC_IP_DST_PT           0x0400
    /* Something else about the proto */
    #define NFC_IP_PROTO_UNKNOWN    0x2000

    /* IP Hooks */
    /* After promisc drops, checksum checks. */
    #define NF_IP_PRE_ROUTING       0
    /* If the packet is destined for this box. */
    #define NF_IP_LOCAL_IN          1
    /* If the packet is destined for another interface. */
    #define NF_IP_FORWARD           2
    /* Packets coming from a local process. */
    #define NF_IP_LOCAL_OUT         3
    /* Packets about to hit the wire. */
    #define NF_IP_POST_ROUTING      4
    #define NF_IP_NUMHOOKS          5
    #endif /* ! __KERNEL__ */

Cause: in kernel 2.6.22 and later, NF_IP_PRE_ROUTING and NF_IP6_PRE_ROUTING are both available only to user-space code, and kernel-space code must uniformly use NF_INET_PRE_ROUTING.

So the solution is simply to replace the relevant macros with their NF_INET_xxxxxxx counterparts.

This tripped me up for a long time.

After making the change I compiled again, loaded the module and ran ping, and the effect appeared: one out of every five packets fails to be sent.
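The hook above drops every fifth packet without looking at it. As an added example (not code from the original post), the following user-space C model goes one step further: it parses the IPv4 header the way a hook body could after obtaining it with ip_hdr(skb), and applies the one-in-five drop only to ICMP. The names parse_ipv4, verdict and sample_icmp, the sample packet, and the policy of dropping malformed packets are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

enum { NF_DROP = 0, NF_ACCEPT = 1 };  /* values from linux/netfilter.h */
#define PROTO_ICMP 1                  /* IPv4 protocol number of ICMP */

struct ipv4_info {        /* fields this model reads from the header */
    uint8_t  proto;
    uint32_t daddr;       /* destination address, host byte order */
    size_t   hdr_len;     /* header length in bytes (IHL * 4) */
};

/* Parse and validate an IPv4 header. Returns 0 on success, -1 if malformed. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                            /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || tot < ihl || tot > len)
        return -1;                            /* lengths disagree with buffer */
    out->proto = pkt[9];
    out->daddr = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                 ((uint32_t)pkt[18] << 8) | pkt[19];
    out->hdr_len = ihl;
    return 0;
}

static unsigned int icmp_seen;  /* model only; concurrent hooks need an atomic */

/* Drop malformed packets and every fifth ICMP packet; accept everything else. */
unsigned int verdict(const uint8_t *pkt, size_t len)
{
    struct ipv4_info ip;

    if (parse_ipv4(pkt, len, &ip) != 0)
        return NF_DROP;
    if (ip.proto != PROTO_ICMP)
        return NF_ACCEPT;
    icmp_seen = (icmp_seen + 1) % 5;
    return icmp_seen == 0 ? NF_DROP : NF_ACCEPT;
}

/* Constructed sample: 192.0.2.1 -> 192.0.2.2, ICMP echo request, 28 bytes,
 * checksums left as zero because this model does not verify them. */
const uint8_t sample_icmp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};
```

With this policy ping still loses one packet in five, while non-ICMP traffic leaving the machine is untouched.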

/************************************************************************************************************** ****************************************************************************/

To be continued ...
