Programming implementation of firewall under Linux (1)

zhaozj, 2021-02-11


Excerpt from the Green League magazine, issue 9: Programming implementation of firewall under Linux.
Author: flag
Home page: http://www.isbase.com
Date: 2000-05-10

Foreword

Linux ships ipchains as its own firewall tool. There are many articles on how to use ipchains to turn a Linux machine into a firewall, but few explain how ipchains itself is implemented, that is, how Linux implements the firewall function. Linux has its own approach: it defines an interface library through which the firewall is configured, and the firewall itself is implemented at the IP layer inside the kernel. What follows is my understanding of the Linux firewall from a programming perspective.

1. Introduction to ipchains

ipchains is Linux's firewall configuration tool, formerly called ipfwadm. It is updated frequently; the current version is 1.3.9. Our website carries an "introduction to ipchains parameters" that explains how to use it; please refer to that. Its defining feature is three chains, the input, forward and output chains, on which rules are operated (added, deleted, and so on). It is very capable and lets the user define rules with fine granularity. Since the purpose of this article is not to explain how to use ipchains, the introduction stops here.

2. Analysis of the Linux firewall implementation

2.1 Basics: TCP/IP packet handling

For an incoming packet, the packet arriving on an interface is placed in a buffer and handled by the IP code. The IP layer does routing and decides whether the packet is to be forwarded or delivered to a socket. For an outgoing packet, the data is first placed from the socket into a buffer, then handled by the IP code, which decides which interface to send it out on. All of this is done by the kernel. That is how the TCP/IP stack processes packets.

2.2 Analysis of the Linux firewall

The Linux firewall lives in the kernel, inside the IP protocol code. ipchains is only a command-line program. Its job is to convert the rule table we write into a structure the system understands and then pass that structure to the kernel. This is how it is done under Linux, since ordinary socket programming has nothing for this:

static int sockfd = -1;
static int init = 0;
static const char *ipfwc_fn = NULL;   /* name of the library call in progress, used for error reporting */

static int ipfwc_init(void)
{
    ipfwc_fn = "ipfwc_init";
    init = 1;
    return ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1);
}

As you can see, this is a raw socket. Note the third argument to socket(): when a raw socket is created it is not 0 but, normally, a protocol number that tells the system which protocol this socket accepts. These constants are defined in the system's IP header according to the RFC. IPPROTO_RAW, used here, has the value 255, which the RFC lists as reserved; Linux makes use of this reserved value. Once a raw socket with IPPROTO_RAW exists:

static int do_setsockopt(int cmd, const void *data, int length)
{
    return setsockopt(sockfd, IPPROTO_IP, cmd, (char *)data, length) != -1;
}

setsockopt() sets socket options; here it is used to deliver a specific structure to the system. In other words, Linux defines an interface library through which we can drive the kernel to do the filtering. This arrangement greatly simplifies the work of ipchains and keeps the firewall efficient.

3. Example

To verify the view above, I offer a small example:

/* headers for the types and calls used below */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/types.h>

typedef char ip_chainlabel[9];

struct ip_fw {
    struct in_addr fw_src, fw_dst;    /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;  /* Mask for src and dest IP addr */
    __u32 fw_mark;                    /* ID to stamp on packet */
    __u16 fw_proto;                   /* Protocol, 0 = any */
    __u16 fw_flg;                     /* Flags word */
    __u16 fw_invflg;                  /* Inverse flags */
    __u16 fw_spts[2];                 /* Source port range */
    __u16 fw_dpts[2];                 /* Destination port range */
    __u16 fw_redirpt;                 /* Port to redirect to */
    __u16 fw_outputsize;              /* Max amount to output to netlink */
    char  fw_vianame[IFNAMSIZ];       /* Name of interface "via" */
    __u8  fw_tosand, fw_tosxor;       /* Revised packet priority */
};

struct ip_fwuser {
    struct ip_fw ipfw;
    ip_chainlabel label;
};

struct ip_fwchange {
    struct ip_fwuser fwc_rule;
    ip_chainlabel fwc_label;
};

int main(int argc, char **argv)
{
    static struct ip_fwchange new;
    struct ip_fwchange *new1;
    const char *srcpts = NULL, *dstpts = NULL;
    static int sockfd = -1;

    new1 = &new;
    if (argc != 2) {
        printf("usage:\n");
        exit(1);
    }
    if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) ==

Please credit the original source when reprinting: https://www.9cbs.com/read-3524.html
