
Netfilters

Assigned: 11/27/06 Due: 12/08/06

Objective

In this lab you will write a simple netfilter module which tracks packets but does not modify or reroute them. In particular, your module will need to do the following:

  • examine all packets entering and leaving the system
  • keep a list of all external IP addresses seen. (Note that this list may grow without bounds, so you need a mechanism to throw out entries)
  • for each external address, keep counts of the number of packets received from that address and the number sent to it
  • provide a /proc file interface that allows the current IP list and corresponding counters to be retrieved.

Documentation and Resources:

Some resources which might be helpful are:

Note that you will need to enable iptables and IPv4 packet filtering support in the kernel - the options for this are
     [*] Networking support 
           Networking options  ---> 
     [*] Network packet filtering (replaces ipchains)  ---> 
         IP: Netfilter Configuration  ---> 
     < > Connection tracking (required for masq/NAT)
     < > IP Userspace queueing via NETLINK (OBSOLETE)
     <*> IP tables support (required for filtering/masq/NAT)
             ....
     <*>   Packet filtering

Iptables / netfilter overview

Even though this module doesn't really do filtering, matching, or packet mangling, we are going to install it in the same way as other netfilter modules - via the iptables command.

First, some definitions:

  • netfilter module - a kernel module which interfaces with the packet filter mechanism
  • iptables module - a user space loadable library which is loaded at runtime by the iptables command. Typically this library corresponds to a netfilter module, and understands how to specify arguments to the kernel module.

Each netfilter module has a name, which is specified when it registers with the netfilter framework. I don't think this name has to be the same as the module name.

Each iptables module has a name and can be loaded via the -m option; i.e. module "xyz" can be loaded by adding the option -m xyz to the iptables command line. If that name is "xyz", the module must be found in the library libipt_xyz.so in either the default directory (/usr/local/lib/iptables) or the directory specified by the environment variable IPTABLES_LIB_DIR.

The LinuxFocus article has sample code for a simple netfilter that does packet matching on IP address, as well as the corresponding iptables module. To build the iptables module, the easiest method is to get the iptables distribution (you can get the latest snapshot here: iptables-11.27.06.tgz) and add your module to the extensions directory; it will then get built when you run make. Note that to build the LinuxFocus code you will have to copy the .h file to include/linux/netfilter_ipv4/.

Implementation and Testing

We will create a filter named "cs577" and load it via the iptables command. To do this, first build a modified iptables:

  • start with the iptables source linked to above, and add this file - libipt_cs577.c to the iptables-11.27.06/extensions/ directory.
  • add cs577 to the PF_EXT_SLIB variable in the same directory
  • run make.
  • Note - if you do this on your VM, then you can run make install to install the modified version in the /usr/local directory:
    # make install
        ....
    # PATH=/usr/local/sbin:$PATH

Next, take the following netfilter skeleton, ipt_cs577.c, and modify its match() function to track packet statistics as specified above.

Finally you should be able to install the module and connect it to inputs and outputs as follows:

    insmod ipt_cs577.ko
    iptables -t filter -A INPUT  --match cs577 -j ACCEPT
    iptables -t filter -A OUTPUT --match cs577 -j ACCEPT

For testing, it should be sufficient to ping a number of different machines - for instance to show that after ping -c 10 host.foo.com the counts for packets to and from host.foo.com have each increased by 10.
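As an added example (not the assignment's skeleton or any code distributed with it), here is a user-space C model of the bookkeeping match() needs: a fixed-size table of external addresses with per-direction counters, least-recently-seen eviction so the list cannot grow without bound, and a dump in the one-line-per-address form a /proc read handler could emit. It assumes the direction is known from whether the rule fired on the INPUT or the OUTPUT chain; the table size and all addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

#define MAX_ENTRIES 4          /* deliberately tiny so that eviction is exercised */
enum dir { DIR_IN, DIR_OUT };  /* rule fired on the INPUT chain or on the OUTPUT chain */
struct entry {
    uint32_t addr;             /* external IPv4 address, network byte order */
    unsigned long rx, tx;      /* packets received from / sent to addr */
    unsigned long last;        /* logical clock of the last hit; 0 marks an unused slot */
};
static struct entry table[MAX_ENTRIES];
static unsigned long ticks;

/* Find addr's slot, or claim the least recently used one: the table never grows past MAX_ENTRIES. */
static struct entry *lookup(uint32_t addr)
{
    struct entry *victim = &table[0];
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].last && table[i].addr == addr)
            return &table[i];
        if (table[i].last < victim->last)
            victim = &table[i];
    }
    memset(victim, 0, sizeof *victim);
    victim->addr = addr;
    return victim;
}

/* What match() would do per packet: on INPUT the external host is the
 * source address, on OUTPUT it is the destination address. */
void track_packet(uint32_t saddr, uint32_t daddr, enum dir d)
{
    struct entry *e = lookup(d == DIR_IN ? saddr : daddr);
    if (d == DIR_IN) e->rx++; else e->tx++;
    e->last = ++ticks;
}

/* What the /proc read handler would emit: one "ip rx tx" line per live entry. */
int dump_table(char *buf, size_t len)
{
    int n = 0;
    for (int i = 0; i < MAX_ENTRIES && n < (int)len; i++) {
        if (!table[i].last) continue;
        struct in_addr a = { .s_addr = table[i].addr };
        n += snprintf(buf + n, len - n, "%s %lu %lu\n", inet_ntoa(a), table[i].rx, table[i].tx);
    }
    return n;
}
```

In the real module the table needs a lock (match() runs in softirq context) and the eviction clock would be jiffies rather than a packet counter.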

Submission

Please submit via email the source code for the module, a test log (e.g. use script to capture the terminal session while testing manually, or put the commands in a script file and run it with sh -x), and a short writeup of your design.

Page last modified on November 28, 2006, at 02:48 PM EST