laforge
/
laforge-slides
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
laforge-slides/2003/netfilter-programming-ols2003/netfilter-programming-ols20...

616 lines
18 KiB
Plaintext
Raw Blame History

%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#%deffont "typewriter" tfont "MONOTYPE.TTF"
%page
%nodefault
%back "blue"
%center
%size 7
Developing netfilter/iptables
extensions
%center
%size 4
by
Harald Welte <laforge@netfilter.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Contents
Introduction
The netfilter/iptables architecture
Netfilter hooks in protocol stacks
Packet selection based on IP Tables
The Connection Tracking Subsystem
The NAT Subsystem based on netfilter + iptables
Packet filtering using the 'filter' table
Packet mangling using the 'mangle' table
Advanced netfilter concepts
Current development and Future
Developing a netfilter module
Developing a new iptables match
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Netfilter Hooks
What is netfilter?
System of callback functions within network stack
Callback function to be called for every packet traversing certain point (hook) within network stack
Protocol independent framework
Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
Multiple kernel modules can register with each of the hooks
Asynchronous packet handling in userspace (ip_queue)
Traditional packet filtering, NAT, ... is implemented on top of this framework
Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Netfilter Hooks
Netfilter architecture in IPv4
%font "typewriter"
%size 3
--->[1]--->[ROUTE]--->[3]--->[4]--->
| ^
| |
| [ROUTE]
v |
[2] [5]
| ^
| |
v |
%font "standard"
1=NF_IP_PRE_ROUTING
2=NF_IP_LOCAL_IN
3=NF_IP_FORWARD
4=NF_IP_POST_ROUTING
5=NF_IP_LOCAL_OUT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Netfilter Hooks
Netfilter Hooks
Any kernel module may register a callback function at any of the hooks
The module has to return one of the following constants
NF_ACCEPT continue traversal as normal
NF_DROP drop the packet, do not continue
NF_STOLEN I've taken over the packet do not continue
NF_QUEUE enqueue packet to userspace
NF_REPEAT call this hook again
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing netfilter/iptables extensions
Developing a netfilter module
Netfilter modules are very low-layer
Get called for every packet passing the hook in this l3prot
Examples of netfilter modules are: ip_tables, ip_conntrack, iptable_nat
%font "typewriter"
%size 2
#include <linux/netfilter.h>
%size 2
nf_register_hook(struct nf_hook_ops *reg)
%size 2
nf_unregister_hook(struct nf_hook_ops *reg)
%size 2
struct nf_hook_ops:
%size 2
struct list_head list; /* list header */
%size 2
nf_hookfn *hook; /* the callback function */
%size 2
int pf; /* protocol family */
%size 2
int hooknum; /* hook to register with */
%size 2
int priority; /* priority (ordering) */
%font "standard"
Example code see "nf_workshop.c"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
IP tables
Packet selection using IP tables
The kernel provides generic IP tables support
Each kernel module may create it's own IP table
The three major parts of 2.4 firewalling subsystem are implemented using IP tables
Packet filtering table 'filter'
NAT table 'nat'
Packet mangling table 'mangle'
Could potentially be used for other stuff, i.e. IPsec SPDB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
IP Tables
Managing chains and tables
An IP table consists out of multiple chains
A chain consists out of a list of rules
Every single rule in a chain consists out of
match[es] (rule executed if all matches true)
target (what to do if the rule is matched)
%size 4
matches and targets can either be builtin or implemented as kernel modules
%size 5
The userspace tool iptables is used to control IP tables
handles all different kinds of IP tables
supports a plugin/shlib interface for target/match specific options
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
IP Tables
Basic iptables commands
To build a complete iptables command, we must specify
which table to work with
which chain in this table to use
an operation (insert, add, delete, modify)
one or more matches (optional)
a target
The syntax is
%font "typewriter"
%size 3
iptables -t table -Operation chain -j target match(es)
%font "standard"
%size 5
Example:
%font "typewriter"
%size 3
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
%font "standard"
%size 5
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
IP Tables
Matches
Basic matches
-p protocol (tcp/udp/icmp/...)
-s source address (ip/mask)
-d destination address (ip/mask)
-i incoming interface
-o outgoing interface
Match extensions (examples)
tcp/udp TCP/udp source/destination port
icmp ICMP code/type
ah/esp AH/ESP SPID match
mac source MAC address
mark nfmark
length match on length of packet
limit rate limiting (n packets per timeframe)
owner owner uid of the socket sending the packet
tos TOS field of IP header
ttl TTL field of IP header
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
IP Tables
Targets
very dependent on the particular table.
Table specific targets will be discussed later
Generic Targets, always available
ACCEPT accept packet within chain
DROP silently drop packet
QUEUE enqueue packet to userspace
LOG log packet via syslog
ULOG log packet via ulogd
RETURN return to previous (calling) chain
foobar jump to user defined chain
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Packet Filtering
Overview
Implemented as 'filter' table
Registers with three netfilter hooks
NF_IP_LOCAL_IN (packets destined for the local host)
NF_IP_FORWARD (packets forwarded by local host)
NF_IP_LOCAL_OUT (packets from the local host)
Each of the three hooks has attached one chain (INPUT, FORWARD, OUTPUT)
Every packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2.x ipchains behaviour.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Packet Filtering
Targets available within 'filter' table
Builtin Targets to be used in filter table
ACCEPT accept the packet
DROP silently drop the packet
QUEUE enqueue packet to userspace
RETURN return to previous (calling) chain
foobar user defined chain
Targets implemented as loadable modules
REJECT drop the packet but inform sender
MIRROR change source/destination IP and resend
LOG log via syslog
ULOG log via userspace
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing netfilter/iptables extensions
Developing an ip_tables match module
ip_tables modules are at a high layer
Get called for every packet iterating a rule with this match
Examples of iptables modules are: ipt_ttl, ipt_tos, ipt_tcpmss
%font "typewriter"
%size 2
#include <linux/netfilter_ipv4/ip_tables.h>
%size 2
ipt_register_match(struct ipt_match *match)
%size 2
ipt_unregister_match(struct ipt_match *match)
%size 2
struct ipt_match:
%size 2
struct list_head list; /* list header {NULL,NULL} */
%size 2
const char name[]; /* name of the match */
%size 2
int (*match); /* called when pkt is matched */
%size 2
int (*checkentry); /* called when entry inserted */
%size 2
void (*destroy); /* called when entry deleted */
%size 2
struct module *me; /* set to THIS_MODULE */
%font "standard"
Example code see "ipt_workshop.c"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing netfilter/iptables extensions
Developing an iptables match module
Something has to parse the commandline options for ipt_workshop.c
Solution: libpt_workshop.c as iptables plugin
%font "typewriter"
%size 2
#include <iptables.h>:
%size 2
register_match(struct iptables_match)
%size 2
struct iptables_match:
%size 2
struct iptables_match *next; /* next one */
%size 2
ipt_chainlabel name; /* name */
%size 2
const char *version; /* version */
%size 2
size_t size; /* size of match data */
%size 2
size_t userspacesize; /* size for userspace */
%size 2
void (*help); /* print help message */
%size 2
void (*init); /* init the matchinfo */
%size 2
int (*parse); /* parse getopt chars */
%size 2
void (*final_check); /* consistency check */
%size 2
void (*print); /* print (iptables -L) */
%size 2
void (*save); /* iptables-save */
%size 2
struct option extra_opts; /* getopt-style opts */
%font "typewriter"
Example code see "libipt_workshop.c"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Connection Tracking Subsystem
Connection tracking...
implemented seperately from NAT
enables stateful filtering
implementation
hooks into NF_IP_PRE_ROUTING to track packets
hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules
protocol modules (currently TCP/UDP/ICMP)
application helpers currently (FTP,IRC,H.323,talk,SNMP)
divides packets in the following four categories
NEW - would establish new connection
ESTABLISHED - part of already established connection
RELATED - is related to established connection
INVALID - (multicast, errors...)
does _NOT_ filter packets itself
can be utilized by iptables using the 'state' match
is used by NAT Subsystem
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Connection Tracking Subsystem
Common structures
struct ip_conntrack_tuple, representing unidirectional flow
layer 3 src + dst
layer 4 protocol
layer 4 src + dst
connetions represented as struct ip_conntrack
original tuple
reply tuple
timeout
l4 state private data
app helper
app helper private data
expected connections
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Connection Tracking Subsystem
Flow of events for new packet
packet enters NF_IP_PRE_ROUTING
tuple is derived from packet
lookup conntrack hash table with hash(tuple) -> fails
new ip_conntrack is allocated
fill in original and reply == inverted(original) tuple
initialize timer
assign app helper if applicable
see if we've been expected -> fails
call layer 4 helper 'new' function
...
packet enters NF_IP_POST_ROUTING
do hashtable lookup for packet -> fails
place struct ip_conntrack in hashtable
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Connection Tracking Subsystem
Flow of events for packet part of existing connection
packet enters NF_IP_PRE_ROUTING
tuple is derived from packet
lookup conntrack hash table with hash(tuple)
assosiate conntrack entry with skb->nfct
call l4 protocol helper 'packet' function
do l4 state tracking
update timeouts as needed [i.e. TCP TIME_WAIT,...]
...
packet enters NF_IP_POST_ROUTING
do hashtable lookup for packet -> succeds
do nothing else
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Writing extensions for the conntrack subsystem
new l4 protocol modules are very rare
more common: application helpers for ftp,irc,h.323,quake,mms,...
API for conntrack helper modules:
%font "typewriter"
%size 2
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
%size 2
struct ip_conntrack_helper
%size 2
struct list_head *list;
%size 2
const char *name;
%size 2
unsigned char flags;
%size 2
struct module *me;
%size 2
unsigned int max_expected;
%size 2
unsigned int timeout;
%size 2
struct ip_conntrack_tuple tuple;
%size 2
struct ip_conntrack_mask mask;
%size 2
int (*help)(const struct iphdr *iph, size_t, struct ip_conntrack, enum ip_conntrack_info);
%size 2
int ip_conntrack_helper_register(struct ip_conntrack_helper);
%size 2
void ip_conntrack_helper_unregister(struct ip_conntrack_helper);
%size 2
int ip_conntrack_expect_related(struct ip_conntrack, struct ip_conntrack_expect);
%size 2
int ip_conntrack_change_expect(struct ip_conntrack_expect, struct ip_conntrack_tuple);
%size 2
void ip_conntrack_unexpect_related(struct ip_conntrack_expect);
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Network Address Translation
Overview
Previous Linux Kernels only implemented one special case of NAT: Masquerading
Linux 2.4.x can do any kind of NAT.
NAT subsystem implemented on top of netfilter, iptables and conntrack
NAT subsystem registers with all five netfilter hooks
'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
Following targets available within 'nat' Table
SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
MASQUERADE is a special case of SNAT
REDIRECT is a special case of DNAT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Network Address Translation
flow of events for NEW packet:
packet enters NF_IP_PRE_ROUTING after conntrack
resolve conntrack entry for packet
if (expectfn of helper) call it
else iterate over rules in PREROUTING chain of nat table
save respective NAT mappings in conntrack
apply the NAT mappings to the packet
call NAT helper function, if there is one for this proto
...
packet enters NF_IP_POST_ROUTING
resolve conntrack entry for packet
iterate over rules in POSTROUTING chain of nat table
save respectiva NAT mappings in conntrack
apply the NAT mappings to the packet
call NAT helper function, if there is one for this proto
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Network Address Translation
flow of events for ESTABLISHED packets:
packet enters NF_IP_PRE_ROUTING after conntrack
reseolve conntrack entry for packet
apply the NAT mappings (read from conntrack entry) to the packet
call NAT helper function, if there is one for this proto
...
packet enters NF_IP_POST_ROUTING
resolve conntrack entry for packet
apply the NAT mappings (read from conntrack entry) to the packet
call NAT helper function, if there is one for this proto
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing a NAT helper module
Network Address Translation
%font "typewriter"
%size 2
#include <linux/netfilter_ipv4/ip_nat_helper.h>
%size 2
struct ip_nat_helper
%size 2
struct list_head list;
%size 2
const char *name;
%size 2
unsigned char *flags;
%size 2
struct module *me;
%size 2
struct ip_conntrack_tuple tuple;
%size 2
struct ip_conntrack_tuple mask;
%size 2
unsigned int (*help)(struct ip_conntrack *, struct ip_conntrack_expect *, struct ip_nat_info *, enum ip_conntrack_info, unsigned int hooknum, struct sk_buff **)
%size 2
unsigned int (*expect)(struct sk_buff **, unsigned int hooknum, struct ip_conntrack, struct ip_nat_info *)
%size 2
int ip_nat_helper_register(struct ip_nat_helper *);
%size 2
void ip_nat_helper_unregister(struct ip_nat_helper *);
%size 2
int ip_nat_mangle_tcp_packet();
%size 2
int ip_nat_mangle_udp_packet();
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables architecture
Advanced Netfilter concepts
%size 4
Userspace logging
flexible replacement for old syslog-based logging
packets to userspace via multicast netlink sockets
easy-to-use library (libipulog)
plugin-extensible userspace logging daemon (ulogd)
Can even be used to directly log into MySQL
Queuing
reliable asynchronous packet handling
packets to userspace via unicast netlink socket
easy-to-use library (libipq)
provides Perl bindings
experimental queue multiplex daemon (ipqmpd)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing netfilter/iptables extensions
Thanks
The slides and the an according paper of this presentation are available at http://www.gnumonks.org/
The netfilter homepage: http://www.netfilter.org/
Thanks to
the BBS people, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF
for bringing me in touch with the internet as early as 1994
for providing a playground for technical people
for telling me about the existance of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Paul 'Rusty' Russell
for starting the netfilter/iptables project
for trusting me to maintain it today
Astaro AG (http://www.astaro.com/)
for sponsoring parts of my netfilter work
for sponsoring my travel cost to OLS
View Git Blame Copy Permalink