Tutorial 2. Linux networking, sk_buff and stateless packet filtering. Roei Ben-Harush Check Point Software Technologies Ltd.

Similar documents
Operating Systems. 17. Sockets. Paul Krzyzanowski. Rutgers University. Spring /6/ Paul Krzyzanowski

Networking Subsystem in Linux. Manoj Naik IBM Almaden Research Center

Lecture 1. Virtualization, Linux kernel (modules and networking) and Netfilter Winter 15/16. Roei Ben-Harush 2015

Overview. Administrative. * HW# 5 Due next week. * HW# 5 : Any Questions. Topics. * Client Server Communication. * 12.

I experiment on the kernel of linux environment.

Socket Programming. Joseph Cordina

I experiment on the kernel of linux environment.

Types (Protocols) Associated functions Styles We will look at using sockets in C Java sockets are conceptually quite similar

Socket Programming. Dr. -Ing. Abdalkarim Awad. Informatik 7 Rechnernetze und Kommunikationssysteme

Tutorial on Socket Programming

SOCKET PROGRAMMING. What is a socket? Using sockets Types (Protocols) Associated functions Styles

Any of the descriptors in the set {1, 4} have an exception condition pending

A practical introduction to XDP

What is a Linux Device Driver? Kevin Dankwardt, Ph.D. VP Technology Open Source Careers

Building socket-aware BPF programs

UNIT 1 TCP/IP PROGRAMMING CONCEPTS

Linux Kernel Application Interface

DPDK+eBPF KONSTANTIN ANANYEV INTEL

Overview. Last Lecture. This Lecture. Daemon processes and advanced I/O functions

Socket Programming for TCP and UDP

External Data Representation (XDR)

Linux Kernel Application Interface

Final Step #7. Memory mapping For Sunday 15/05 23h59

Ports under 1024 are often considered special, and usually require special OS privileges to use.

Once Only Drop Capability in the Linux Routing Software

Network Software Implementations

Socket Programming. What is a socket? Using sockets. Types (Protocols) Associated functions Styles

Introduction to Computer Systems. Networks 2. c Theodore Norvell. The Sockets API

Chapter 10: I/O Subsystems (2)

Simple network applications using sockets (BSD and WinSock) Revision 1 Copyright Clifford Slocombe

Chapter 10: I/O Subsystems (2)

Lecture 8: Other IPC Mechanisms. CSC 469H1F Fall 2006 Angela Demke Brown

Topics. Lecture 8: Other IPC Mechanisms. Socket IPC. Unix Communication

Motivation of VPN! Overview! VPN addressing and routing! Two basic techniques for VPN! ! How to guarantee privacy of network traffic?!

Processes communicating. Network Communication. Sockets. Addressing processes 4/15/2013

Introduction to Socket Programming

Network Implementation

Socket Programming. CSIS0234A Computer and Communication Networks. Socket Programming in C

Socket Programming. Sungkyunkwan University. Hyunseung Choo Copyright Networking Laboratory

CSE 333 SECTION 3. POSIX I/O Functions

Linux Firewall Exploration Lab

CS 465 Networks. Disassembling Datagram Headers

Combining ktls and BPF for Introspection and Policy Enforcement

===Socket API User/ OS interface === COP

Networks and Operating Systems ( ) Chapter 10: I/O Subsystems (2)

12.0 Appendix tcpip.c. /* File name: tcpip.c This file just provides big buffer memory location For other modules to print */

CS 326: Operating Systems. Networking. Lecture 17

What is Netfilter. Netfilter. Topics

System Programming. Sockets

Our Small Quiz. Chapter 9: I/O Subsystems (2) Generic I/O functionality. The I/O subsystem. The I/O Subsystem.

Introduction to Socket Programming

CLIENT-SIDE PROGRAMMING

CSE 333 Lecture 16 - network programming intro

Linux IP Networking. Antonio Salueña

Assignment 2 Group 5 Simon Gerber Systems Group Dept. Computer Science ETH Zurich - Switzerland

TCP: Three-way handshake

{ } Embedded Montreal Meetup. Char *lecture = Lecture 2 Deep Packet Inspection in Userspace ;

Ethernet library version V3.5 with TCP/IP Stack MCU family PIC18F97J60 and ENC28J60 MikroBasic

Socket Programming TCP UDP

CS321: Computer Networks Introduction to Application Layer

IP Addresses, DNS. CSE 333 Summer Teaching Assistants: Renshu Gu William Kim Soumya Vasisht

ECE 435 Network Engineering Lecture 2

Session NM056. Programming TCP/IP with Sockets. Geoff Bryant Process software

WinSock. What Is Sockets What Is Windows Sockets What Are Its Benefits Architecture of Windows Sockets Network Application Mechanics

IP Addresses, DNS. CSE 333 Spring Instructor: Justin Hsia

17: Filesystem Examples: CD-ROM, MS-DOS, Unix

CS 378 (Spring 2003)

Our Small Quiz. Chapter 10: I/O Subsystems (2) Generic I/O functionality. The I/O subsystem. The I/O Subsystem. The I/O Subsystem

Sockets Sockets Communication domains

The Berkeley Sockets API. Networked Systems Architecture 3 Lecture 4

we are here I/O & Storage Layers Recall: C Low level I/O Recall: C Low Level Operations CS162 Operating Systems and Systems Programming Lecture 18

Socket Programming. #In the name of Allah. Computer Engineering Department Sharif University of Technology CE443- Computer Networks

Question Score 1 / 19 2 / 19 3 / 16 4 / 29 5 / 17 Total / 100

Implementing the Wireless Token Ring Protocol As a Linux Kernel Module

EECS122 Communications Networks Socket Programming. Jörn Altmann

Hybrid of client-server and P2P. Pure P2P Architecture. App-layer Protocols. Communicating Processes. Transport Service Requirements

AC72/AT72/AC117/AT117 LINUX INTERNALS DEC 2015

jelly-near jelly-far

Application Programming Interfaces

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O

UNIT IV- SOCKETS Part A

Disk divided into one or more partitions

Operating System Concepts Ch. 11: File System Implementation

How To Write a Linux Security Module That Makes Sense For You. Casey Schaufler February 2016

Data Storage. August 9, Indiana University. Geoffrey Brown, Bryce Himebaugh 2015 August 9, / 19

ADRIAN PERRIG & TORSTEN HOEFLER ( ) 10: I/O

CSE 333 Lecture network programming intro

Network Programming. Introduction to Sockets. Dr. Thaier Hayajneh. Process Layer. Network Layer. Berkeley API

L41 - Lecture 5: The Network Stack (1)

Chapter 12 IoT Projects Case Studies. Lesson-01: Introduction

Open Source support for OSD

System that permanently stores data Usually layered on top of a lower-level physical storage medium Divided into logical units called files

CSE 333 Section 8 - Client-Side Networking

High Speed Packet Filtering on Linux

The bigger picture. File systems. User space operations. What s a file. A file system is the user space implementation of persistent storage.

The TCP Protocol Stack

A Client-Server Exchange

EVASIVE INTERNET PROTOCOL: END TO END PERFORMANCE

Chapter 4 - Files and Directories. Information about files and directories Management of files and directories

Group-A Assignment No. 6

Transcription:

Tutorial 2 Linux networking, sk_buff and stateless packet filtering

Agenda 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 2

Agenda 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 3

Linux networking Berkeley sockets library implemented in 1983 in Unix In time, become the standard networking interface in Unix and Windows (posix, winsock) First, a little reminder about how it all works Socket Interface BSD Socket INET Socket Protocol Layer Device Driver TCP UDP IP PPP SLIP Ethernet ARP 4

File Descriptor Abstract indicator for accessing a file Three standard streams: Every stream (fd) described as a file Unified API (kobject,inode,fops) for handle different stream s types Defined in linux/file.h struct fd { struct file *file; unsigned int flags; } 5

file (pointed from fd) Basic struct which holds all the information about a file in linux Includes the f_op to handle operations on the file (read,write,etc) Holds a pointer to the file s index node struct file { const struct file_operations *f_op f_dentry f_path.dentry } 6

Index node - inode struct used to represent a filesystem object, which can be file, a directory or a socket Holds a pointer socket interface structure struct inode {... union {... struct socket socket_i;... } u; }; 7

BSD socket interface and INET sock The socket structure holds all the information about the socket connection, type, state, flags, and most important: sock Sock is a huge struct (80-100 variables). Hold the data of the connection, and a pointer the packet structure sk_buff struct socket {... struct file *file; struct inode *inode; struct sock *sk;... }; struct sock {... struct sk_buff head; struct sk_buff next; struct sk_buff tail;... }; 8

Linux TCP/IP Networking Socket Interface BSD Socket INET Socket Protocol Layer Device Driver TCP UDP IP PPP SLIP Ethernet ARP 9

Agenda With Highlight 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 10

Protocol Layer - sk_buff Defined in include/linux/skbuff.h The structure which de facto contains the packet (and its data) We will use it to access the packet data and meta data (layers headers) to determine the verdict of the packet according to our stateless rules and/or stateful inspect The netfilter give us, as an input to its hook functions, a pointer to the current packet s sk_buff structure hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) 11

Protocol Layer - sk_buff sock sk_buff next sk_buff sk_buff sk_buff sk_buff prev next next next next prev prev prev prev sk sk sk sk head data tail end packet 12

Protocol Layer - sk_buff struct sk_buff { /* These two members must be first. */ struct sk_buff *next; struct sk_buff *prev;... u16 transport_header; u16 network_header; u16 mac_header; /* These elements must be at the end... */ sk_buff_data_t tail; sk_buff_data_t end; unsigned char *head, *data;... }; sk_buff next prev head data tail end packet 13

sk_buff access the headers How can we access directly to the ip/tcp header? We can access directly from skb->data For example: protocol = *(( u8 *) (buffer->data + 9)); source_ip = *((unsigned int *)(buffer->data + 12)); dest_ip = *((unsigned int *)(buffer->data + 16)); source_port = (( be16 *)((unsigned char*) (&(buffer->data[4 * ((((unsigned char*)(buffer->data))[0]) & 0b00001111)]))))[0]; We can also use preset functions and Linux structures to get directly to important fields 14

sk_buff access the headers For example protocol = iphdr->protocol; source_ip = iphdr->saddr; dest_ip = iphdr->daddr; source_port = tcphdr->source; Choose your method wisely protocol = *(( u8 *) (buffer->data + 9)); source_ip = *((unsigned int *)(buffer->data + 12)); dest_ip = *((unsigned int *)(buffer->data + 16)); source_port = (( be16 *)((unsigned char*) (&(buffer->data[4 * ((((unsigned char*)(buffer->data))[0]) & 0b00001111)]))))[0]; 15

Access the headers So how do we set those headers? //from include/linux/ip.h static inline struct iphdr *ip_hdr(const struct sk_buff *skb) { return (struct iphdr *)skb_network_header(skb); } //from include/linux/skbuff.h static inline unsigned char *skb_network_header(const struct sk_buff *skb) { return skb->head + skb->network_header; } Same for tcphdr Each layer got the same macro with the same variable u16 transport_header; u16 network_header; u16 mac_header; 16

ip address structure ip address as we know it: 172.16.254.1 What does it means? When we realize what it is, we can easily convert and compare it to whatever we want. 17

Subnet mask ip address is logically divided to two parts: Network prefix. Host identifier. All host in the same network have the same network prefix 18

Network prefix length Usually instead of writing the ip address and subnet mask we will use shorten version of the two of them, using network prefix length For example, instead of: 192.168.5.130 and 255.255.255.0 we can write 192.168.5.130/24 /24 represent 24 bits of network. As we saw earlier: 255.255.255.0 = 11111111 11111111 11111111 00000000 We can just take the first 24 bits of the ip address and see the network part: 192.168.5.0 This network can support 2 (32 network prefix length) hosts 19

Network prefix length translation 20

Endianness In different architectures, there s a different order between the LSB (least significant byte) and the MSB (most significant byte) In particular, network structures use Big-Endian order, and x86 machines (like our vms) use Little-Endian order. In order to be able to transfer data between the network and the machine, we will use the following functions: u_long htonl(u_long); // host to network long (32 bits) u_short htons(u_short); // host to network short (16 bits) u_long ntohl(u_long); // network to host long (32 bits) u_short ntohs(u_short); // network to host short (16 bits) 21

Agenda With Highlight 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 22

Agenda With Highlight 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 23

About assignment 2 In this assignment you would start to create your true firewall The first step would be to think how to enforce rules Make sure you can access the data and have a way to reach the important fields Check the Internet for examples. You need to make sure you can work with an interface Create sysfs devices which would handle the rules table. Start the assignment early, it could take some time to get use to handle packets We re here for everything you need 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback