
Example Analysis of Linux Firewall Framework

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains the Linux firewall framework through an example analysis. The editor thinks it is very practical, so it is shared here as a reference; I hope you get something out of it.

Netfilter in the Linux kernel provides an abstract, general-purpose framework; the packet filtering subsystem is one sub-function implemented on top of it. The framework consists of the following five parts:

1. A set of hook functions is defined for each network protocol (IPv4, IPv6, etc.; IPv4 defines five), called at several key points where datagrams flow through the protocol stack. At these points the protocol stack calls into the Netfilter framework with the datagram and the hook label as parameters.

2. Any kernel module can register one or more hooks of any protocol. When a packet is passed to the Netfilter framework, the kernel checks whether any module has registered for that protocol and hook; if so, the module's registered callback is called, giving the module the opportunity to examine (and possibly modify) the packet, discard it, or instruct Netfilter to queue it to user space.

3. Queued packets are passed to user space for asynchronous processing. A user process can examine the packet, modify it, and even re-inject it into the kernel through the same hook at which it left the kernel.

4. Any IP packet about to be discarded at the IP layer is checked before it is actually discarded, for example to let a module inspect IP-spoofed packets (dropped by routing).

5. The five HOOK points in the IP layer are located as follows:
(1) NF_IP_PRE_ROUTING: packets that have just entered the network layer pass this point (the version number, checksum, etc. have just been checked); source address translation occurs here; called from ip_rcv() in ip_input.c.
(2) NF_IP_LOCAL_IN: after the route lookup, packets destined for the local host reach this checkpoint, where INPUT packet filtering is performed; called from ip_local_deliver().
(3) NF_IP_FORWARD: packets to be forwarded pass this checkpoint, where FORWARD packet filtering is performed.
(4) NF_IP_POST_ROUTING: all packets about to leave through a network device pass this checkpoint; the built-in destination address translation (including address masquerading) is performed here.
(5) NF_IP_LOCAL_OUT: packets sent by local processes pass this checkpoint, where OUTPUT packet filtering is performed.

These points are already defined in the kernel, and a kernel module can register a handler at any of these HOOK points with the nf_register_hook function. The handler is called when a datagram passes the hook point, so the module can inspect or modify the datagram and then return one of the following verdicts to Netfilter:

NF_ACCEPT: continue transmitting the datagram normally

NF_DROP: discard the datagram; it is not transmitted further

NF_STOLEN: the module has taken over the datagram; Netfilter does not continue transmitting it

NF_QUEUE: queue the datagram (usually for processing by a user-space process)

NF_REPEAT: call the hook function again

The Linux 2.4 kernel uses a datagram selection system built on the Netfilter framework called iptables. It is the successor of ipchains, with much better extensibility: a kernel module can register a new rule table and require datagrams to flow through that table. Datagram selection is used for datagram filtering (the filter table), network address translation (the nat table) and datagram modification (the mangle table). These three datagram processing functions in the Linux 2.4 kernel are built on Netfilter's hook functions and IP tables; they are independent modules that do not depend on each other, and they integrate cleanly into the framework Netfilter provides.

Packet filtering

The filter table does not modify datagrams; it only filters them. One advantage of iptables over ipchains is that it is smaller and faster. It hooks into the Netfilter framework at NF_IP_LOCAL_IN, NF_IP_FORWARD and NF_IP_LOCAL_OUT, so any datagram is filtered in exactly one place. This is a big improvement over ipchains, where a forwarded datagram traversed three chains.

NAT

The nat table listens on three Netfilter hooks: NF_IP_PRE_ROUTING, NF_IP_POST_ROUTING and NF_IP_LOCAL_OUT. NF_IP_PRE_ROUTING implements source address translation for datagrams that need to be forwarded, while NF_IP_POST_ROUTING translates the destination address of packets that need to be forwarded; destination address translation for locally generated datagrams is implemented at NF_IP_LOCAL_OUT. The nat table differs from the filter table in that only the first datagram of a new connection traverses it; subsequent datagrams of that connection receive the same translation, based on the result for the first one. The nat table is used for source NAT, destination NAT, masquerading (a special case of source NAT) and transparent proxying (a special case of destination NAT).
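The "first datagram of a connection only" rule above is easy to state and easy to get wrong, so here is a small user-space model of it. This is an added example, not code from the article or from the kernel: it keeps a minimal connection table keyed on the (source address, destination address, source port, destination port) tuple, consults a constructed destination-NAT rule (the transparent-proxy case the page mentions) only when a flow is first seen, and replays the stored mapping for every later datagram of that flow. All addresses, ports and the rule are constructed; the counter rule_lookups shows how often the rule table was really traversed.

```c
/* Added example (not from the article): a user-space model of the NAT table's
 * "first datagram of a connection only" behaviour. The first datagram of a
 * flow is matched against the NAT rules and the result is stored in a
 * connection entry; every later datagram of that flow reuses the stored
 * mapping without consulting the rules again. Everything here is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };   /* connection key */

struct nat_rule { uint16_t match_dport; uint32_t new_daddr; uint16_t new_dport; };

struct conn { struct tuple orig; struct tuple mapped; };            /* minimal conntrack entry */

#define MAX_CONNS 64
static struct conn conns[MAX_CONNS];
static int nconns;
static int rule_lookups;                 /* how often the rule table was actually traversed */

/* One constructed destination-NAT rule: redirect port 80 to 10.0.0.2:8080. */
static const struct nat_rule rules[] = {
    { 80, 0x0A000002u, 8080 },
};

static int same_tuple(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

static struct conn *conn_find(const struct tuple *t)
{
    int i;
    for (i = 0; i < nconns; i++)
        if (same_tuple(&conns[i].orig, t))
            return &conns[i];
    return NULL;
}

/* Only reached for the first datagram of a flow: this is the one traversal of
 * the NAT table. The mapping (identity if no rule matches) is remembered. */
static struct conn *conn_new(const struct tuple *t)
{
    struct conn *c;
    size_t i;
    if (nconns >= MAX_CONNS)
        return NULL;
    c = &conns[nconns++];
    c->orig = *t;
    c->mapped = *t;
    rule_lookups++;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].match_dport == t->dport) {
            c->mapped.daddr = rules[i].new_daddr;
            c->mapped.dport = rules[i].new_dport;
            break;
        }
    }
    return c;
}

/* Translate one datagram in place. Returns 0, or -1 if the connection table is full. */
int nat_translate(struct tuple *pkt)
{
    struct conn *c = conn_find(pkt);
    if (!c)
        c = conn_new(pkt);
    if (!c)
        return -1;
    *pkt = c->mapped;
    return 0;
}

int nat_rule_lookups(void) { return rule_lookups; }

void nat_reset(void)
{
    memset(conns, 0, sizeof conns);
    nconns = 0;
    rule_lookups = 0;
}

/* Send n datagrams of one constructed flow (192.168.1.5 -> 198.51.100.7) and
 * return the translated destination port of the last one. */
uint16_t send_flow(uint16_t sport, uint16_t dport, int n)
{
    struct tuple last = { 0, 0, 0, 0 };
    int i;
    for (i = 0; i < n; i++) {
        struct tuple pkt = { 0xC0A80105u, 0xC6336407u, sport, dport };
        if (nat_translate(&pkt) == 0)
            last = pkt;
    }
    return last.dport;
}

int main(void)
{
    uint16_t p;
    nat_reset();
    p = send_flow(40000, 80, 3);
    printf("3 datagrams to port 80 -> dport %u, rule lookups %d\n", p, nat_rule_lookups());
    p = send_flow(40001, 22, 1);
    printf("1 datagram to port 22  -> dport %u, rule lookups %d\n", p, nat_rule_lookups());
    return 0;
}
```

Sending three datagrams of one flow costs one rule lookup; a second flow, even to the same port, costs one more. That is why changing a NAT rule does not affect connections that already exist: their mapping was fixed when their first datagram was seen.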

Datagram processing (Packet Mangling)

The mangle table is registered at the NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hooks. With the mangle table you can modify a datagram or attach out-of-band data to it. The current mangle table supports modifying the TOS bits and setting the nfmark field of the skb.

If we want to add our own code, we use the nf_register_hook function. Our job is to create an instance of struct nf_hook_ops and hook it in with nf_register_hook. In it, we always initialize the list member to {NULL,NULL}; because we usually work at the IP layer, pf is always the IP protocol family, and hooknum is the HOOK point we choose; several handlers may hang off one HOOK point, and which runs first is decided by the priority member. The priorities of the built-in handlers are specified with an enumeration type in netfilter_ipv4.h.
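To make the registration mechanics and the verdict list above concrete, here is a user-space model of what nf_register_hook and the hook walk do. This is an added example, not code from the article or from the kernel: the names nf_hook_ops, nf_register_hook, NF_IP_* and the NF_* verdicts mirror the kernel's, but the packet is a constructed struct rather than an sk_buff, PF_INET_SIM stands in for PF_INET, and the three handlers (one per priority band, with kernel-style priority values) are constructed for the demonstration. It shows that priority, not registration order, decides who runs first; that NF_ACCEPT hands the packet to the next handler while NF_DROP, NF_STOLEN and NF_QUEUE end the walk; and that NF_REPEAT re-runs the same handler.

```c
/* Added example (not from the article): a user-space model of how Netfilter
 * walks the handlers registered at one hook point. Type and constant names
 * mirror the kernel's, but this is a simulation with a constructed packet. */
#include <stddef.h>
#include <stdio.h>

#define PF_INET_SIM 2                      /* stands in for PF_INET */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_POST_ROUTING, NF_IP_LOCAL_OUT, NF_IP_NUMHOOKS };
enum { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };   /* verdicts */
enum { NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_FILTER = 0 };

struct sim_skb {                           /* constructed stand-in for struct sk_buff */
    unsigned short dport;
    int nfmark;                            /* the mark field the mangle table sets */
    int repeat_budget;                     /* how often the first handler asks for NF_REPEAT */
    int hook_calls;                        /* handler invocations this packet saw */
};

struct nf_hook_ops {
    struct nf_hook_ops *next;              /* stands in for the kernel's list_head */
    unsigned int (*hook)(unsigned int hooknum, struct sim_skb *skb);
    int pf;                                /* protocol family */
    int hooknum;                           /* which of the five hook points */
    int priority;                          /* lower value runs earlier */
};

static struct nf_hook_ops *hooks[NF_IP_NUMHOOKS];

/* Insert keeping the chain sorted by ascending priority. */
int nf_register_hook(struct nf_hook_ops *reg)
{
    struct nf_hook_ops **pp;
    if (reg->pf != PF_INET_SIM || reg->hooknum < 0 || reg->hooknum >= NF_IP_NUMHOOKS)
        return -1;
    for (pp = &hooks[reg->hooknum]; *pp && (*pp)->priority <= reg->priority; pp = &(*pp)->next)
        ;
    reg->next = *pp;
    *pp = reg;
    return 0;
}

/* Walk the chain at one hook point: NF_ACCEPT continues to the next handler,
 * NF_REPEAT calls the same handler again, any other verdict ends the walk. */
unsigned int nf_hook(int hooknum, struct sim_skb *skb)
{
    struct nf_hook_ops *ops = hooks[hooknum];
    while (ops) {
        unsigned int verdict = ops->hook((unsigned int)hooknum, skb);
        skb->hook_calls++;
        if (verdict == NF_REPEAT)
            continue;
        if (verdict != NF_ACCEPT)
            return verdict;
        ops = ops->next;
    }
    return NF_ACCEPT;
}

/* Three constructed handlers, one per priority band. */
static unsigned int retry_hook(unsigned int hooknum, struct sim_skb *skb)
{   /* asks for NF_REPEAT a bounded number of times, then accepts */
    (void)hooknum;
    return skb->repeat_budget-- > 0 ? NF_REPEAT : NF_ACCEPT;
}
static unsigned int mangle_hook(unsigned int hooknum, struct sim_skb *skb)
{   /* mangle-table style: tag the packet, never drop it */
    (void)hooknum;
    skb->nfmark = 0x10;
    return NF_ACCEPT;
}
static unsigned int filter_hook(unsigned int hooknum, struct sim_skb *skb)
{   /* filter-table style INPUT policy: reject destination port 23 */
    (void)hooknum;
    return skb->dport == 23 ? NF_DROP : NF_ACCEPT;
}

static void register_demo_hooks(void)
{
    static struct nf_hook_ops filter_ops = { NULL, filter_hook, PF_INET_SIM, NF_IP_LOCAL_IN, NF_IP_PRI_FILTER };
    static struct nf_hook_ops mangle_ops = { NULL, mangle_hook, PF_INET_SIM, NF_IP_LOCAL_IN, NF_IP_PRI_MANGLE };
    static struct nf_hook_ops retry_ops  = { NULL, retry_hook,  PF_INET_SIM, NF_IP_LOCAL_IN, NF_IP_PRI_CONNTRACK };
    static int done;
    if (done) return;
    nf_register_hook(&filter_ops);         /* registered first, runs last */
    nf_register_hook(&mangle_ops);
    nf_register_hook(&retry_ops);          /* registered last, runs first */
    done = 1;
}

/* Run one constructed packet through NF_IP_LOCAL_IN; out-params may be NULL. */
unsigned int demo_verdict(unsigned short dport, int repeat_budget, int *nfmark, int *calls)
{
    struct sim_skb skb = { dport, 0, repeat_budget, 0 };
    unsigned int v;
    register_demo_hooks();
    v = nf_hook(NF_IP_LOCAL_IN, &skb);
    if (nfmark) *nfmark = skb.nfmark;
    if (calls) *calls = skb.hook_calls;
    return v;
}
int demo_mark(unsigned short dport) { int m; demo_verdict(dport, 0, &m, NULL); return m; }
int demo_calls(unsigned short dport, int budget) { int c; demo_verdict(dport, budget, NULL, &c); return c; }
int first_priority(int hooknum) { return hooks[hooknum] ? hooks[hooknum]->priority : 0; }

int main(void)
{
    int mark, calls;
    unsigned int v = demo_verdict(23, 0, &mark, &calls);
    printf("dport 23: verdict %u (0=NF_DROP), nfmark 0x%x, handler calls %d\n", v, mark, calls);
    v = demo_verdict(80, 2, &mark, &calls);
    printf("dport 80: verdict %u (1=NF_ACCEPT), nfmark 0x%x, handler calls %d\n", v, mark, calls);
    return 0;
}
```

A packet to port 23 is dropped by the filter handler, but it already carries the mangle handler's mark because the mangle priority sorts earlier; a packet to port 80 with a repeat budget of 2 is seen by the retry handler three times and then by the other two. The bounded budget matters: a real handler that returns NF_REPEAT unconditionally would spin the hook walk forever.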

This is the end of the article "Example Analysis of Linux Firewall Framework". I hope the content above is of some help and lets you learn something more. If you think the article is good, please share it so more people can see it.
