
Analysis of mark Module in Linux Firewall iptables and how to write it

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail the analysis of the mark module in the Linux firewall iptables and how to write such a module. The content is of high quality, so the editor shares it with you as a reference, in the hope that you will have a certain understanding of the relevant knowledge after reading it.

In order to manage network traffic in a Linux system better, the kernel mark is used to identify traffic. At the same time the user layer uses a mark of its own to label the multi-link load, so the two kinds of mark overwrite each other and the desired result is not achieved. In this situation it was found that the mark module can be extended to resolve the conflict.

1 Analysis of the structure and command format of Iptables

1.1 Structure analysis of Iptables

Iptables is the tool that the Linux system provides for users to configure the firewall; it provides a set of naming rules for that configuration. The core of the iptables firewall in Linux is netfilter, which maintains the firewall's rule lists and realizes the firewall's defensive capability. Netfilter has three main functions: packet filtering, network address translation (nat) and packet processing (mangle). The packet filtering module filters messages without modifying them: a message is either accepted or rejected. Nat performs network address translation and is built on the connection tracking module: only the first message of each connection is matched and processed, after which the connection tracking module applies the result to every subsequent message of that connection. Mangle is the table that can modify message content, including the mark, tos and ttl fields. The module also has an interface for communication between user space and the kernel.

1.2 Analysis of the Iptables command format

One of the simplest rules can be described as rejecting all forwarded messages, which is expressed by the iptables command: iptables -A FORWARD -j DROP. The iptables application converts the command-line input into a format the program can read, and then calls the iptc_commit() function provided by the libiptc library to submit the request to the kernel. It sets up a struct ipt_replace structure according to the request, which describes information such as the tables and HOOK points involved in the rule, and which is followed by the current rule, a struct ipt_entry structure. After the data is organized, iptc_commit() invokes the setsockopt() system call to have the kernel process the request.

2 Structure analysis of Netfilter

Netfilter is the kernel firewall framework of the Linux system. It mainly performs packet filtering, connection tracking and address translation, and is the foundation of the firewall. It is realized mainly through tables and chains. In netfilter, each network protocol has its own set of hook functions. When a datagram passes one of several key points of the protocol stack, the corresponding hook function is called, and the hook label and the datagram are passed to the netfilter framework as parameters. The main framework is shown in figure 1:

3 Attribute analysis of the related modules of Netfilter and Iptables

3.1 Netfilter-related structures

A major revision idea of Netfilter is to treat netfilter as a protocol-independent framework. In the kernel source tree this shows up as a separate net/netfilter directory, and the file names of the match and target modules under net/netfilter start with "xt_".

For compatibility with iptables, a macro definition, MODULE_ALIAS, has been added to these files to declare the alias of the module. The names of all extensions also start with xt_.

The program framework of the Netfilter extension, xt_kzmark.c (function bodies and structure fields are left as a skeleton, as in the original):

    #include <linux/module.h>
    #include <linux/skbuff.h>
    #include <linux/netfilter/x_tables.h>
    #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>   /* need_ipv4_conntrack() */

    /* target side: sets the kzmark on the packet */
    static unsigned int kzmark_tg(struct sk_buff *skb, const struct xt_action_param *par);
    static int kzmark_tg_check(const struct xt_tgchk_param *par);
    static void kzmark_tg_destroy(const struct xt_tgdtor_param *par);

    /* match side: tests the kzmark carried by the packet */
    static bool kzmark_mt(const struct sk_buff *skb, struct xt_action_param *par);
    static int kzmark_mt_check(const struct xt_mtchk_param *par);
    static void kzmark_mt_destroy(const struct xt_mtdtor_param *par);

    /* registration records: .name, .family, .target/.match, .checkentry, .destroy, .targetsize/.matchsize, .me */
    static struct xt_target kzmark_tg_reg __read_mostly = { };
    static struct xt_match kzmark_mt_reg __read_mostly = { };

    static int __init kzmark_mt_init(void)
    {
        int ret;

        need_ipv4_conntrack();
        ret = xt_register_target(&kzmark_tg_reg);
        if (ret < 0)
            return ret;
        ret = xt_register_match(&kzmark_mt_reg);
        if (ret < 0)
            xt_unregister_target(&kzmark_tg_reg);   /* undo the first registration on failure */
        return ret;
    }

    static void __exit kzmark_mt_exit(void)
    {
        xt_unregister_match(&kzmark_mt_reg);
        xt_unregister_target(&kzmark_tg_reg);
    }

    module_init(kzmark_mt_init);
    module_exit(kzmark_mt_exit);
    MODULE_LICENSE("GPL");   /* required for the module to use the exported xt_* symbols */

3.2 Extensions related to Iptables

Iptables is an application with which users can configure a stateful firewall themselves, and its implementation is completed through extensions. The mechanism is similar to plug-ins and can effectively expand the functionality of iptables. Iptables is integrated by modularization, and all of its functions are implemented in modules. For example, in the very simple configuration item -m state, -m selects a match and state is one match module; many other modules are available for -m. In the iptables structure, modules and module names are related. The iptables code for this extension, libxt_kzmark.c (the match) and libxt_KZMARK.c (the target), is placed in the extensions directory.

Program framework of the matching module, libxt_kzmark.c (again a skeleton; the bodies are left to be filled in):

    #include <stdio.h>
    #include <getopt.h>
    #include <xtables.h>
    #include "xt_kzmark.h"   /* assumed shared header defining struct xt_kzmark_mtinfo for kernel and user space */

    /* command-line options the match accepts, terminated by an all-zero entry */
    static const struct option kzmark_opts[] = {
        { .name = NULL }
    };

    static void parse_range(const char *arg, struct xt_kzmark_mtinfo *si);
    static int kzmark_parse(int c, char **argv, int invert, unsigned int *flags,
                            const void *entry, struct xt_entry_match **match);
    static void kzmark_print(const void *ip, const struct xt_entry_match *match, int numeric);
    static void kzmark_save(const void *ip, const struct xt_entry_match *match);

    static struct xtables_match kzmark_match = {
        /* TODO: .name, .version, .family, .size, .userspacesize, .parse, .print, .save, .extra_opts */
    };

    void _init(void)
    {
        xtables_register_match(&kzmark_match);
    }
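The two skeletons above leave parse_range() (user space) and the match decision in kzmark_mt() (kernel) empty. The following is an added, stand-alone user-space model of what those two pieces have to do; it is written for this article and is not the kzmark module's own code, and the struct fields min, max and invert are assumptions.

```c
/* Added example: user-space model of the kzmark range parser and match
 * decision. Illustrative code for this article, not the module's source;
 * the field names of struct xt_kzmark_mtinfo are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <errno.h>

struct xt_kzmark_mtinfo {
    uint32_t min, max;   /* inclusive range of kzmark values to match */
    uint8_t  invert;     /* set when the rule was written with "!" */
};

/* Parse "N" or "N:M" (decimal or 0x-hex) into the range.
 * Returns 0 on success, -1 on a bad argument: empty, non-numeric,
 * trailing junk, a value above 32 bits, or min > max. */
int parse_range(const char *arg, struct xt_kzmark_mtinfo *si)
{
    char *end;
    unsigned long lo, hi;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    lo = strtoul(arg, &end, 0);
    if (errno || end == arg || lo > UINT32_MAX)
        return -1;
    hi = lo;
    if (*end == ':') {
        const char *p = end + 1;
        hi = strtoul(p, &end, 0);
        if (errno || end == p || hi > UINT32_MAX)
            return -1;
    }
    if (*end != '\0' || lo > hi)
        return -1;
    si->min = (uint32_t)lo;
    si->max = (uint32_t)hi;
    return 0;
}

/* The decision kzmark_mt() has to make for one packet: true when the
 * packet's kzmark lies in [min, max], flipped when invert is set. */
int kzmark_mt_matches(uint32_t mark, const struct xt_kzmark_mtinfo *si)
{
    int in_range = mark >= si->min && mark <= si->max;
    return in_range ^ si->invert;
}
```

Rejecting malformed ranges in parse_range() matters because the structure is copied into the kernel as-is; the kernel-side checkentry (kzmark_mt_check) should validate min <= max again rather than trust user space.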

4 The use and effect of the program

Use of the kzmark match:

    iptables -A INPUT -d 192.168.1.11 -m kzmark --kzmark 32 -j DROP

Use of the KZMARK target:

    iptables -A INPUT -d 192.168.1.11 --set-mark 32 -j KZMARK --set-mark 3000

Testing of the above modules shows that they work well. Netfilter/iptables can readily be extended with a new matching module, but it requires the user to write the program in a fixed pattern so that attention can be focused on the specific implementation of the function without considering other factors. The specific program was produced by modifying an existing matching module, and the coding could be completed without understanding the definition of the internal structures, so netfilter/iptables is a good example of program modularization and deserves to be popularized and applied.

This concludes the analysis of the mark module in the Linux firewall iptables and how to write one. I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so that more people can see it.
