What is Netfilter. Netfilter. Topics

Similar documents
Netfilter & Packet Dropping

Linux IP Networking. Antonio Salueña

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Netfilter Connection Tracking and NAT Implementation

EVASIVE INTERNET PROTOCOL: END TO END PERFORMANCE

To Prevent IP Source Address Spoofing

IPtables and Netfilter

The Research and Application of Firewall based on Netfilter

Packet Aggregation in Linux

Once Only Drop Capability in the Linux Routing Software

Writing your own netfilter match

Netfilter. Netfilter Frameworks CHAPTER 9

Proxies in PromethOS. Gabriel Mueller. Semester Thesis SA th October 2006

netfilters connection tracking subsystem

The Linux Network Subsystem

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Tutorial 2. Linux networking, sk_buff and stateless packet filtering. Roei Ben-Harush Check Point Software Technologies Ltd.

What is an L3 Master Device?

Suricata IDPS and Nftables: The Mixed Mode

Xtables2: Love for blobs

CSC 474/574 Information Systems Security

High Speed Packet Filtering on Linux

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso

A proposed architecture for integrating Active Networks and MPLS 2 BACKGROUND

Operating Systems. 17. Sockets. Paul Krzyzanowski. Rutgers University. Spring /6/ Paul Krzyzanowski

Building socket-aware BPF programs

libnetfilter_log Reference Manual

Evaluating the performance of Netfilter architecture in Private Realm Gateway

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

We are IntechOpen, the first native scientific publisher of Open Access books. International authors and editors. Our authors are among the TOP 1%

Lecture 1. Virtualization, Linux kernel (modules and networking) and Netfilter Winter 15/16. Roei Ben-Harush 2015

Modern Computer Networks. Chapter 7: Network Security Modern Computer Networks 1

python-iptables Documentation

MONSTER. Managing an Operator s Network with Software Defined Networking and Segment Routing. Ing. Luca Davoli

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

Design and implementation of packet filtering algorithm in 6LoWPAN access Internet

jelly-near jelly-far

This talk is not about XDP: From Resource Limits to SKB Lists. David S. Miller, Vancouver, 2018

DPDK+eBPF KONSTANTIN ANANYEV INTEL

Host Identifier and Local Locator for Mobile Oriented Future Internet: Implementation Perspective

Accelerating Load Balancing programs using HW- Based Hints in XDP

MANAGING THE CAR CLOUD CONNECTION.

Laboratoire LSR Logiciels Systèmes Réseaux. Nguyen Hoa Binh LSR-IMAG Grenoble

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Network security Exercise 9 How to build a wall of fire Linux Netfilter

XDP in Practice DDoS Gilberto Bertin

Implementing ZigBee assisted power management for delay bounded communication on mobile devices

Dropping Packets in Ubuntu Linux using tc and iptables

What is a Linux Device Driver? Kevin Dankwardt, Ph.D. VP Technology Open Source Careers

I/O Management Software. Chapter 5

VoIP Communications over WLANs

System Services for Ad-Hoc Routing: Architecture, Implementation and Experiences

AODV Implementation Design and Performance Evaluation

CS Computer and Network Security: Firewalls

{ } Embedded Montreal Meetup. Char *lecture = Lecture 2 Deep Packet Inspection in Userspace ;

nftables switchdev support

Operating System Modifications for User-Oriented Addressing Model

Network and Filesystem Security

Network Security Fundamentals

An Analysis of Linux Scalability to Many Cores

CS333 Intro to Operating Systems. Jonathan Walpole

Performance of Wireless IEEE e-Based Devices with Multiple Hardware Queues

Networking Subsystem in Linux. Manoj Naik IBM Almaden Research Center

Università Ca Foscari Venezia

nftables, far more than %s/ip/nf/g

Scalable Linux Scheduling (Paper # 9)

rtnl mutex, the network stack big kernel lock

itmbench: Generalized API for Internet Traffic Managers

Linux Kernel Application Interface

PEPsal: A TCP Performance Enhancing Proxy for Satellite Links

A practical introduction to XDP

LOCKDEP, AN INSIDE OUT PERSPECTIVE. Nahim El

Cisco PCP-PNR Port Usage Information

Linux Kernel Networking

Networking in a Vertically Scaled World

Dual-stack Firewalling with husk

How To Write a Linux Security Module That Makes Sense For You. Casey Schaufler February 2016

CS 378 (Spring 2003)

Operating Systems. IV. Memory Management

Using Time Division Multiplexing to support Real-time Networking on Ethernet

OpenDataPlane: network packet journey

[08] IO SUBSYSTEM 1. 1

Combining ktls and BPF for Introspection and Policy Enforcement

Principles of Operating Systems CS 446/646

Android Upstreaming: Netfilter, Status & Discussion. John Stultz & Mathieu Poirier, LCA14-503, Macau

Implementing the Wireless Token Ring Protocol As a Linux Kernel Module

Packet Sniffing and Spoofing

XDP in practice: integrating XDP into our DDoS mitigation pipeline

PROCESS MANAGEMENT. Operating Systems 2015 Spring by Euiseong Seo

Network Performance BoF

Linux Network Programming with P4. Linux Plumbers 2018 Fabian Ruffy, William Tu, Mihai Budiu VMware Inc. and University of British Columbia

Asynchronous Events on Linux

Linux System Administration, level 2

Research on IOT Intelligent Gateway Service Mechanism and System Implementation

Certification. Securing Networks

itmbench: Generalized API for Internet Traffic Managers

Bringing the Power of ebpf to Open vswitch. Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.

Lecture 3: Processes. CMPUT 379, Section A1, Winter 2014 January 13, 15 and 17

Transcription:

Netfilter By V.R.Sundar & Karthik Dantu What is Netfilter netfilter is a framework for packet mangling, outside the normal Berkeley socket interface. Using this framework various modules have been written including an extensible NAT system and an extensible packet filtering system Topics netfilter overview iptables overview netfilter & iptable implementation details with ipv4 & packet filtering as examples netfilter has three parts : I. Each protocol defines hooks Hooks are well defined points in a packet s traversal of that protocol s stack. The protocol code jumps into netfilter when it hits the hook-point during a packet s traversal through the protocol II. Kernel modules can register to listen at any of the different hooks for each protocol. When registering, module must set the priority of the function within the hook netfilter hook is called from the core networking code The corresponding packet is passed to it Each module registered for that hook is called in the order of priorites, and is free to manipulate the packet. The module can tell netfilter to do one of five things: 1. NF_ACCEPT: continue traversal as normal 2. NF_DROP: drop the packet; don't continue traversal. 3. NF_STOLEN: I've taken over the packet; don't continue traversal. 4. NF_QUEUE: queue the packet (usually for userspace handling). 5. NF_REPEAT: call this hook again. 1

III. Packets that have been queued are collected (by the ip_queue driver) for sending to userspace; these packets are handled asynchronously. Example IPV4 defines 5 hooks. A packet traverses the netfilter system as shown [0] [route] [2] [4] [route] [1] [3] To summarize: Hook No 0 1 2 3 4 Name NF_IP_PRE_ROUTING NF_IP_LOCAL_IN NF_IP_FORWARD NF_IP_LOCAL_OUT NF_IP_POST_ROUTING netfilter is the glue code between the protocol hooks and the kernel modules that want to process packets at these hooks. Control jumps from the protocol code to the netfilter code to the various modules registered and then flows back IPTables overview IPTables is a packet selection system that has been built over the netfilter framework Provides a named array of rules in memory along with information as to where packets for a particular hook should begin traversal and various helper routines to traverse them What is a rule? A rule is the set of conditions to be matched and the corresponding actions to be taken Each hook has a list of rules called chains Kernel modules can register a new table, and ask for a packet to traverse a given table Example tables: filter for packet filtering mangle for packet mangling nat for network address translation. These are defined by default and cannot be removed. ( see net/ipv4/netfilter/ip_tables.c) 2

iptable netfilter interaction iptables does not register with any netfilter hooks. It relies on the modules that use it to do that and feed it the packets as appropriate. A module must register the netfilter hooks and iptables separately, and provide the mechanism to call iptables when the hook is reached. There is a iptables tool which can be used to control the packet filtering. Example: $iptables A INPUT s 127.0.0.1 p icmp j drop netfilter implementation Main data structures struct list_head nf_hooks[nproto][nf_max_hooks]; A 2-dim array where each element is the head of a circular list. Uses the list implementation of linux to manage circular lists. struct list_head { struct list_head *next, *prev; Objects of type nf_hook_ops are hooked into the chain using the list_head element at the head of it through the list.h helper functions struct nf_hook_ops { struct list_head list; /* User fills in from here down. */ nf_hookfn *hook; int pf; int hooknum; /* Hooks are ordered in ascending priority. */ int priority; This creates a 2-dimensional array of circular linked lists indexed by (protocol number, hook number ) Example nf_hooks[pf_inet][nf_ip_local_in] is the head of the circualar list for hook 1 ( local input hook). Traverse this list using element list of nf_hook_ops structure Access registered hook functions through element hook nf_register_hook registers a module nf_unregister_hook unregisters a module These two are called by the modules that want to use netfilter nf_hook_slow is the interface between networking code and netfilter. ( Through macro NF_HOOK) Example: In file net/ipv4/ip_input.c int ip_local_deliver(struct sk_buff *skb) { return NF_HOOK(PF_INET,NF_IP_LOCAL_IN, skb, skb->dev, NULL,ip_local_deliver_finish); } nf_iterate iterates through the modules registered. Called from nf_hook_slow iptables iptables is a collection of tables along with the utility functions to manipulate those Each table is a collection of rules for the various hooks that table is used for and is represented by struct ipt_table { struct list_head list; char name[ipt_table_maxnamelen]; struct ipt_replace *table; unsigned int valid_hooks; rwlock_t lock; struct ipt_table_info *private; 3

ipt_table does not store rules directly Uses the private element struct ipt_table_info { unsigned int size; unsigned int number; unsigned int hook_entry[nf_ip_numhooks]; unsigned int underflow[nf_ip_numhooks]; char entries[0] attribute ((aligned(smp_cache_bytes))); ipt_table_info too does not have any space for entried Some interesting members are hook_entry: offsets to the start of the rules for the various hooks entries: a zero size element at the end essentially pointing to the end of the structure These two together are used to created and traverse the rules. translate_table copies the list of rules immediately after the ipt_table_info structure The top of the list is now available through the entries element hook_entry array elements are set up with the offset to the beginning of the corresponding hook s rules ipt_table entries ipt_table_info rules A rule is combination of 3 data structures struct ipt_entry struct ipt_entry_match struct ipt_entry_target The ipt_entry structure contains the criteria that is to be matched The ipt_entry_match and ipt_entry_target structures are similar and contain match/target functions to be called struct ipt_entry { struct ipt_ip ip; unsigned int nfcache; u_int16_t target_offset; u_int16_t next_offset; unsigned int comefrom; struct ipt_counters counters; unsigned char elems[0]; 4

struct ipt_entry_match { union { char name[ipt_function_maxnamelen]; } user; struct ipt_match *match; } kernel; } u; unsigned char data[0]; struct ipt_entry_target { union { char name[ipt_function_maxnamelen]; } user; struct ipt_target *target; } kernel; } u; unsigned char data[0]; A rule looks like next_offset target_offset 1 ipt_entry 0 or more ipt_entry_matches for that entry 0 or more ipt_entry_targets for that entry A table is registered through a call to ipt_register_table. This in turn calls translate_table which sets up the ipt_table_info structure after error checking Makes one copy of the rules per cpu. To iterate through a table helper macros are defined IPT_ENTRY_ITERATE IPT_MATCH_ITERATE IPT_TARGET_ITERATE http://netfilter.samba.org 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback