Introduction to Kernel Development 
Gopi Krishnan 
Society for Electronic Transactions & Security
Kernel Module Development 
● Adding a feature to the kernel
● Loading & Unloading a module on Linux 
– Daemon Kmod 
– Command insmod, rmmod, lsmod, modprobe 
● Development 
– Kernel headers 
– Standard Libraries 
● Application 
– System level service 
– Device driver 
– Packet filtering & mangling 
25.08.14 Gopi Krishnan, Society for Electronic Transactions & Security 2
Preparing Development System 
● Using the kernel that came with the distribution
– Download and install package 
● linux-headers-$(shell uname -r)-generic.{deb, rpm, ipk, tar} 
● Using a customized kernel or a different kernel version
– Install required build tools 
● gcc, g++, make 
● libncurses5 
– Download required kernel from http://www.kernel.org 
– Extract the archive: tar -xf linux-${version}.tar.gz
– Navigate to kernel source tree and issue make command 
● cd linux-${version} 
● make menuconfig 
hello_kernel.c 
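    #include <linux/module.h>

    /* Declares the license; without it the kernel is marked tainted on load */
    MODULE_LICENSE("GPL");

    /* Called when the module is loaded (insmod) */
    int init_module (void) {
        printk ("Hello!\n");
        return 0;
    }

    /* Called when the module is unloaded (rmmod) */
    void cleanup_module (void) {
        printk ("Goodbye!\n");
    }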
Building & Running a Module 
Makefile 
    obj-m += hello_kernel.o
    all:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
    clean:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

# make
# insmod hello_kernel.ko
# lsmod | grep hello_kernel
# rmmod hello_kernel
printk() 
● Similar to printf() in stdio.h 
● Writes to the kernel log facility
● Severity 
– 0 Emergency KERN_EMERG 
– 1 Alert KERN_ALERT 
– 2 Critical KERN_CRIT 
– 3 Error KERN_ERR 
– 4 Warning KERN_WARNING 
– 5 Notice KERN_NOTICE 
– 6 Informational KERN_INFO 
– 7 Debug KERN_DEBUG
hello_log_facility.c 
    #include <linux/module.h>
    #include <linux/kernel.h>

    MODULE_LICENSE("GPL");

    /* KERN_ERR sets severity 3 (Error) for the message */
    int init_module (void) {
        printk (KERN_ERR "Hello!\n");
        return 0;
    }

    void cleanup_module (void) {
        printk (KERN_ERR "Goodbye!\n");
    }
Packet Mangling with Netfilter Framework 
● Netfilter is a collection of hooks in the Linux network stack
● A packet can be dropped or mangled while traversing this framework
Netfilter Module 
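    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/skbuff.h>
    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>

    MODULE_LICENSE("GPL");

    /* custom_hook() (see "Custom Hook") must be defined or declared
     * above this point in the source file. */

    static struct nf_hook_ops pkt_ctrl;

    /* nf_register_hook() is the registration call of older kernels;
     * current kernels provide nf_register_net_hook(&init_net, &pkt_ctrl). */
    int init_module (void) {
        pkt_ctrl.hook     = custom_hook;
        pkt_ctrl.pf       = PF_INET;              /* IPv4 */
        pkt_ctrl.hooknum  = NF_INET_PRE_ROUTING;  /* before the routing decision */
        pkt_ctrl.priority = NF_IP_PRI_FIRST;      /* ahead of other hooks at this point */
        return nf_register_hook (&pkt_ctrl);      /* propagate a registration failure */
    }

    void cleanup_module (void) {
        nf_unregister_hook (&pkt_ctrl);
    }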
Custom Hook 
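    /* Hook prototype of older kernels; current kernels pass
     * (void *priv, struct sk_buff *skb, const struct nf_hook_state *state). */
    unsigned int custom_hook(unsigned int hooknum,
                             struct sk_buff *skb,
                             const struct net_device *in,
                             const struct net_device *out,
                             int (*okfn)(struct sk_buff *))
    {
        /* Inspect skb here, then return one verdict:
         * NF_DROP, NF_ACCEPT or NF_QUEUE */
        return NF_ACCEPT;
    }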
Reading Headers 
● IP Header 
– struct iphdr *pkt_ip; 
– pkt_ip = (struct iphdr *)skb_network_header(skb); 
● TCP Header 
– struct tcphdr *pkt_tcp; 
– pkt_tcp = (struct tcphdr *)(skb_network_header(skb) + ip_hdrlen(skb));
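Added example (not from the original slides): a user-space C model of the two reads above, with the length, IHL, protocol and fragment checks that must pass before the TCP pointer is dereferenced. The function names, the verdict enum and the sample packet are constructed for illustration; in a kernel hook the same bounds come from the skb (for example via pskb_may_pull()).

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { V_DROP = 0, V_ACCEPT = 1 };  /* hypothetical names; values match NF_DROP / NF_ACCEPT */
struct tcp_ports { uint16_t src, dst; };

/* Constructed sample: 20-byte IPv4 header (IHL=5, proto=6) + 20-byte TCP header,
 * 192.0.2.1:49152 -> 192.0.2.2:23. Checksums are zero; nothing here verifies them. */
static const uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0xc0,0x00, 0x00,0x17, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and fills *out only if buf holds a well-formed IPv4 header
 * followed by at least a minimal TCP header; returns -1 otherwise. */
int read_tcp_ports(const uint8_t *buf, size_t len, struct tcp_ports *out)
{
    size_t ihl, tot;

    if (len < 20 || (buf[0] >> 4) != 4)      /* minimal IPv4 header, version 4 */
        return -1;
    ihl = (size_t)(buf[0] & 0x0f) * 4;       /* the value ip_hdrlen() yields */
    tot = be16(buf + 2);                     /* IPv4 total length */
    if (ihl < 20 || ihl > tot || tot > len)  /* IHL and total length must fit */
        return -1;
    if (buf[9] != 6)                         /* protocol field must be TCP (6) */
        return -1;
    if (be16(buf + 6) & 0x1fff)              /* later fragment: carries no TCP header */
        return -1;
    if (tot - ihl < 20)                      /* room for a minimal TCP header */
        return -1;
    out->src = be16(buf + ihl);              /* TCP header starts at buf + ihl */
    out->dst = be16(buf + ihl + 2);
    return 0;
}

/* Demo policy: drop TCP aimed at blocked_port; everything else, including
 * packets that fail the checks above, is accepted here. */
enum verdict hook_verdict(const uint8_t *buf, size_t len, uint16_t blocked_port)
{
    struct tcp_ports p;
    if (read_tcp_ports(buf, len, &p) == 0 && p.dst == blocked_port)
        return V_DROP;
    return V_ACCEPT;
}

int main(void) { return hook_verdict(sample_pkt, sizeof sample_pkt, 23) == V_DROP ? 0 : 1; }
```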
Detailed Netfilter Traversal 
Thank You 
