1 Overview before analyzing the implementation of LINUX24x network security, we will briefly introduce several important concepts in LINUX24x: netfilter, iptables, match, target, nf_sockopt_ops
1. Overview
Before analyzing the implementation of LINUX2.4.x network security, we will briefly introduce several important concepts in LINUX2.4.x: netfilter, iptables, match, target, nf_sockopt_ops, and network security functions. The detailed explanation will be discussed in later analysis.
The first is netfilter, which defines the check points in the protocol stack and the data structures referenced at the check points, as well as the process of referencing these structures at the check points. Iptables defines the organization of rules for implementing network security functions and the operations on rules. A rule contains zero or more matches and one target. The rule organization follows the chain and rule concept in LINUX2.2.x, but adds the table concept. The relationship between the three is: table is the sum of all the rules to implement a function. chain is the set of rules referenced at a check point, and rule is a separate rule. Match is used in the rule to match various parameters in the data packet. each match matches a specific parameter. Therefore, a rule can have multiple matches, including the system-defined match, it also includes the match added through the kernel module. Target determines in the rule how to process the matched data packets, so it implements the specific network security function in target. Nf_sockopt_ops is a data structure referenced in get/setssockopt by the system call. it allows you to add, delete, modify, and query rules in a user space. The above structure must be registered to the system before it can be referenced.
LINUX2.4.x network security implements packet filtering, address conversion (including the address camouflage and transparent proxy functions in LINUX2.2.x, and other extension functions), connection tracking (this is the basis for realizing address conversion, it records and monitors the connection status, similar to status detection), Mangle (a new feature of LINUX2.4.x, it checks data packets but does not prohibit, discard, or allow the determination ). To implement these functions, you must register the data structures of netfilter, iptables, match, target, and nf_sockopt_ops. To implement other new functions, you only need to define the corresponding structure and register it to the system, and use the User space configuration tool (this configuration tool must also support the new structure) add it to the rule. These structures are automatically referenced in rules.
2. netfilter
Netfilter defines the data structures referenced by checkpoints and checkpoints in the protocol stack and the process of referencing these data structures. First, let's look at the data structure referenced at the check point.
Ns_hook_ops is the structure referenced at the check point. Each protocol stack pre-defined 8 linked list arrays are used to save these structures. these linked lists correspond to checkpoints in the protocol stack one by one. In practice, these eight linked lists are not always used. for example, in IPV4, only five checkpoints are defined, which correspond to the first five linked lists respectively. The structure of nf_hook_ops is as follows:
- Struct nf_hook_ops
- {
- Struct list_head list;
- Nf_hookfn hook;/* function pointer */
- Int pf;/* protocol stack number corresponding to the structure */
- Int hooknum;/* Check Point number corresponding to the structure */
- Int priority;/* structure priority */
- };
The nf_register_hook function registers the ns_hook_ops structure to these linked lists. The index of the linked list is specified by hooknum in the structure. The structures on the same linked list are sorted by priority values from small to large. When these structures are referenced at the check point, they are referenced sequentially on the linked list.
The checkpoint is defined by the macro NF_HOOK. At the check point, the function nf_hook_slow calls the function nf_iterate to traverse the corresponding linked list and calls the function defined in the structure ns_hook_ops on the linked list. If the function in the structure returns NF_ACCEPT, the function in the next structure will be called. if the function in the structure returns NF_DROP, NF_STOLEN, or NF_QUEUE, the value will be returned to nf_hook_slow; if the function in the structure returns NF_REPEAT, the function in this structure will be called again. if the function is in the last structure of the linked list, the return value of the function in this structure will be returned to ns_hook_slow. Determine the returned value of nf_iterate in ns_hook_slow. if it is NF_ACCEPT, the data packet is allowed to pass and the data packet is passed to the next function in the protocol stack. if it is NF_DROP, the data packet is released, the protocol stack process is interrupted. if NF_STOLEN is used, the protocol stack process is also interrupted, but the packet is not released. if NF_QUEUE is used, the packet is sent to the user space for processing, the process of interrupting the protocol stack at the same time.
The checkpoint is distributed in the protocol stack. the IPV4 checkpoint name is as follows:
Checkpoint no. checkpoint name checkpoint file name
1 NF_IP_PRE_ROUTING ip_input.c
2 NF_IP_LOCAL_IN ip_input.c
3 NF_IP_FORWARD ip_forward.c
4 NF_IP_POST_ROUTING ip_output.c
5 NF_IP_LOCAL_OUT ip_output.c
Table 2.1 IPV4 checkpoint name
In the figure, ROUTE (1) performs a ROUTE query on the received package and determines whether the package needs to be forwarded or sent to the upper-layer package of the local machine. ROUTE (2) find the route for the sent package. The NF_IP_PRE_ROUTING field checks all packets passed into the IP layer. Before that, the packet version, length, checksum, and other correctness checks have been completed. NF_IP_LOCAL_IN checks the packets sent to the upper layer of the local machine. Note the differences between these two checkpoints and those in LINUX2.2.x. in LINUX2.2.x, there is no difference between the packages sent to the upper layer of the local host and those to be forwarded, therefore, after the address disguise is completed, a route lookup function is called again to find the route for the packets after the disguise is solved.
Check the data packets to be forwarded at NF_IP_FORWARD. NF_IP_POST_ROUTING checks all data packets transmitted to the link layer. Note that the route of the data packets is determined. NF_IP_LOCAL_OUT checks the packets sent from the local machine. the route here is not yet determined, so the destination address can be converted. To implement a network security function, you may need to register the corresponding structure on multiple check points. in the following analysis, we can see the specific example.