Linux firewall program design

zhaozj, 2021-02-16

Author: Zhao Zhiang

In early February this year, well-known commercial websites such as Yahoo, eBay, CNN.com, Amazon, Buy.com and E*Trade were attacked one after another, causing billions of dollars in losses and once again sounding the alarm about network security. A firewall, as a mechanism for enforcing access control between networks or systems, is an important means of ensuring network security. Many commercial firewall products are on the market today, and they are rich in functionality. Leaving their price aside, these products emphasize versatility and compatibility in their development and design and are driven more by market and profit considerations, so they are not necessarily suited to particular specialized applications. If a user combines the general theory and methods of firewall design with his own real needs and writes a small, focused and robust firewall program, it can often do more for him than an expensive general-purpose firewall. Because of space limits, this article cannot discuss the general theory and structure of firewalls in depth; it takes the Linux system as an example and describes concretely how to design a firewall program.

I. Looking at the Linux network from a programming perspective

Writing a firewall program does not require a deep understanding of Linux networking. One only needs to understand one mechanism in the network core: the kernel can automatically call a user-written firewall program and, based on the value that program returns, decide how to handle the network packet being sent or received. This is shown in Figure 1.

II. How to register your own firewall program with the kernel

We already know that the kernel automatically calls the user-written firewall program at the network layer.
There is a prerequisite, however: the user must first register the firewall program he has written with the kernel. For how to write a Linux kernel driver, see the article "Linux Device Driver Design Example" in the fourth issue of this magazine. The kernel provides the firewall registration and unloading functions register_firewall and unregister_firewall respectively; see firewall.c.

1. register_firewall

The function prototype is:

int register_firewall(int pf, struct firewall_ops *fw);

Return value: 0 means success, a value less than 0 means failure.

Parameters:
* The protocol flag pf. The main values and the protocols they represent are: 2 represents the IPv4 protocol, 4 represents the IPX protocol, 10 represents the IPv6 protocol.
* The fw parameter structure is defined as follows:

struct firewall_ops {
    struct firewall_ops *next;
    int (*fw_forward)(struct firewall_ops *this, int pf, struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
    int (*fw_input)(struct firewall_ops *this, int pf, struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
    int (*fw_output)(struct firewall_ops *this, int pf, struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
    int fw_pf;
    int fw_priority;
};

The next field is modified by the kernel to point to the next firewall module. The fw_pf field is the protocol flag, with the same meaning as above. fw_priority specifies the priority and is generally greater than 0. fw_input, fw_output and fw_forward are the firewall function modules written by the user; the kernel calls them when receiving, sending and forwarding network packets, as discussed in detail below.

2. unregister_firewall

The prototype and calling method of unregister_firewall are the same as those of register_firewall.

III. Design of the firewall function modules

1. Return values

The return value of a firewall function module is crucial: the kernel decides according to it what processing strategy to apply to the network datagram. The main return values and their meanings are:
* 0 and 1: tell the kernel to discard the packet.
* -1: tell the kernel to discard the packet and send a network control message (an ICMP packet) saying it is unacceptable.
* 2: tell the kernel to accept the packet.

2. Entry parameters of each module function

* this: points to the fw parameter structure passed to register_firewall.
* pf: the pf parameter passed to register_firewall.
* dev: a pointer to the device data structure. In Linux every network device is described by a device structure. During system boot the network device driver registers its device information with Linux, such as the device name, the device's I/O base address, the device interrupt number and the 48-bit hardware address of the network card; the device structure holds this information together with the addresses of the device's service functions. See the netdevice.h header file for more on the device structure.
* phdr: points to the start of the link-layer datagram header.
* arg: used to pass information to the kernel, such as the port number when redirecting.
* pskb: a pointer to a pointer to an sk_buff structure. In Linux all network data is sent and received in sk_buff structures. An sk_buff holds the address of the corresponding device structure and the addresses of the transport-layer, network-layer and link-layer protocol headers, among other things. See the skbuff.h header file for the definition of sk_buff.

3. Firewall program example

A simple firewall program is given below.
It is assumed that the reader has some understanding of common protocols such as Ethernet, IP and TCP. After compiling with the command line "gcc -Wall -O2 -c myfirewall.c" and loading the program with the insmod command, the system will only respond to external access to TCP port 80. To restore the system's original behaviour, unload the program with the rmmod command. The source code can also be found under the same name on the website www.pcboPuting.com.cn.

// myfirewall.c   Written on March 7, 2000
#ifndef __KERNEL__
#define __KERNEL__            // compiled as kernel code
#endif
#ifndef MODULE
#define MODULE                // compiled as a kernel module
#endif
/* The header names below are reconstructed for a 2.2-era kernel; the original listing lost them. */
#include <linux/module.h>     // the most basic kernel module header file
#include <linux/kernel.h>     // printk
#include <linux/socket.h>     // SOL_TCP
#include <linux/in.h>
#include <linux/netdevice.h>  // struct device
#include <linux/skbuff.h>     // struct sk_buff
#include <linux/if_ether.h>   // ETH_P_ARP, ETH_P_RARP, ETH_P_IP
#include <linux/ip.h>         // struct iphdr
#include <linux/tcp.h>        // struct tcphdr
#include <linux/firewall.h>   // struct firewall_ops, FW_ACCEPT, FW_REJECT, FW_SKIP

#define SOL_ICMP 1
#define PERMIT_PORT 80        // only allow access to TCP port 80

int zzl_input(struct firewall_ops *this, int pf, struct device *dev,
              void *phdr, void *arg, struct sk_buff **pskb)
{   // the kernel calls this function whenever a packet is received
    struct tcphdr *tcph;      // TCP header pointer
    struct iphdr *iph;        // IP header pointer
    struct sk_buff *skb = *pskb;

    if (skb->protocol == htons(ETH_P_ARP)) {
        printk("\nPermit an ARP packet");
        return FW_ACCEPT;     // allow the Address Resolution Protocol
    }
    if (skb->protocol == htons(ETH_P_RARP)) {
        printk("\nPermit a RARP packet");
        return FW_ACCEPT;     // allow the Reverse Address Resolution Protocol
    }
    if (skb->protocol == htons(ETH_P_IP)) {
        iph = skb->nh.iph;
        if (iph->protocol == SOL_ICMP) {
            printk("\nPermit an ICMP packet");
            return FW_ACCEPT; // allow network control messages
        }
        if (iph->protocol == SOL_TCP) {
            tcph = skb->h.th;
            // tcph->dest is stored in network byte order, so convert before comparing
            if (ntohs(tcph->dest) == PERMIT_PORT) {
                printk("\nPermit a valid access");
                return FW_ACCEPT; // allow access to TCP port 80
            }
        }
    }
    return FW_REJECT;         // reject all other access to this computer
}

int zzl_output(struct firewall_ops *this, int pf, struct device *dev,
               void *phdr, void *arg, struct sk_buff **pskb)
{   // written the same way as the zzl_input function module
    printk("\nzzl_output is called");
    return FW_SKIP;           // no opinion: let the next module or the kernel decide
}

int zzl_forward(struct firewall_ops *this, int pf, struct device *dev,
                void *phdr, void *arg, struct sk_buff **pskb)
{   // written the same way as the zzl_input function module
    printk("\nzzl_forward is called");
    return FW_SKIP;
}

struct firewall_ops zzl_ops = {
    NULL,                     // next: filled in by the kernel
    zzl_forward,
    zzl_input,
    zzl_output,
    PF_INET,                  // fw_pf: IPv4
    1                         // fw_priority
};

int init_module(void)
{
    if (register_firewall(PF_INET, &zzl_ops) != 0) {
        printk("\nUnable to register firewall");
        return -1;
    }
    printk("\nzzl_ops = %p", &zzl_ops);
    return 0;
}

void cleanup_module(void)
{
    printk("unload\n");
    unregister_firewall(PF_INET, &zzl_ops);
}
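The chain walk the kernel performs over registered firewall_ops modules (sections II and III) and the port check in zzl_input, modelled in userspace as an added example that is not the article's code. The structs and the packet are simplified mocks (assumed), the chain is kept sorted by descending fw_priority as the 2.2 kernel's register_firewall does, a module returning FW_SKIP hands the packet to the next one, and the web_only filter compares the destination port after ntohs(), which is also required in the article's listing because tcph->dest is stored in network byte order.

```c
/* Userspace model of the 2.2-era firewall chain: constructed mocks, not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <arpa/inet.h>

enum { FW_QUEUE = 0, FW_BLOCK = 1, FW_ACCEPT = 2, FW_REJECT = -1, FW_SKIP = 5 };

/* Mock of the only sk_buff fields the filters read: IP protocol and TCP dest port (network order). */
struct pkt { uint8_t proto; uint16_t dport_be; };

struct firewall_ops {
    struct firewall_ops *next;
    int (*fw_input)(struct firewall_ops *this, struct pkt *p);
    int fw_priority;
};

static struct firewall_ops *chain;   /* head of the registered-module list */

/* Insert so that higher fw_priority modules come first (assumed ordering, mirrors the 2.2 kernel). */
int register_firewall(struct firewall_ops *fw) {
    struct firewall_ops **pp = &chain;
    while (*pp && (*pp)->fw_priority > fw->fw_priority) pp = &(*pp)->next;
    fw->next = *pp; *pp = fw;
    return 0;
}

/* Walk the chain: the first module that does not return FW_SKIP decides the verdict. */
int call_in_firewall(struct pkt *p) {
    for (struct firewall_ops *fw = chain; fw; fw = fw->next) {
        int rc = fw->fw_input(fw, p);
        if (rc != FW_SKIP) return rc;
    }
    return FW_ACCEPT;   /* empty chain or everyone skipped: default accept */
}

/* Module A: accept ICMP, express no opinion on anything else. */
static int icmp_ok(struct firewall_ops *t, struct pkt *p) { return p->proto == 1 ? FW_ACCEPT : FW_SKIP; }

/* Module B: like the article's zzl_input, but the port is converted with ntohs() before comparing;
   comparing the raw network-order field to 80 would match port 20480 on a little-endian host. */
static int web_only(struct firewall_ops *t, struct pkt *p) {
    if (p->proto == 6 && ntohs(p->dport_be) == 80) return FW_ACCEPT;
    return FW_REJECT;   /* kernel would drop and send an ICMP unreachable */
}

static struct firewall_ops mod_a = { NULL, icmp_ok, 2 }, mod_b = { NULL, web_only, 1 };

/* Build a constructed packet and run it through the chain; registers the modules on first use. */
int verdict(uint8_t proto, uint16_t dport_host) {
    if (!chain) { register_firewall(&mod_b); register_firewall(&mod_a); }  /* mod_a (prio 2) runs first */
    struct pkt p = { proto, htons(dport_host) };
    return call_in_firewall(&p);
}
```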

(Author's address: No. 4, North Third Ring Road, Beijing, China)

