ebtables.ppt

EBTABLS 培训,欧阳棣,培训内容,Ebtables 概述Ebtables 框架扩展 ebtablesEbtables 应用问题思考,Ebtables 概述,Ebtables 是什么,说到ebtables 大家可能最首先会想到iptables,iptables、ebtables它们是linux防火墙的两个组成部份。iptables主要提供了基于ip头部信息的过滤，如IP五元组等ebtables提供了基于桥的以太帧过滤，日志，MAC DNAT和brouting，同时它也有一些简单的IP过滤功能。,Ebtables 功能,Ethernet protocol filtering.MAC address filtering.Simple IP header filtering.ARP header filtering.802.1Q VLAN filtering.In/Out interface filtering(logical and physical device).MAC address nat.,Ebtables 功能,Logging.Frame counters.Ability to add,delete and insert rules;flush chains;zero counters.Brouter facility.Ability to atomically load a complete table,containing the rules you made,into the kernel.See the man page and the examples section.Support for user defined chains.Support for marking frames and matching marked frames.,Ebtables 框架,用户交互,应用程序 communication.c内核层 static struct nf_sockopt_ops ebt_sockopts,Hook 点,nf_hooksNPROTONF_MAX_HOOKS,NPROTO=32，支持协议族的数量 NF_MAX_HOOKS=8，支持检查点的数量 检查点上的nf_hook_ops结构，按priority的值，从小到大排列,nf_hook_ops,Hook 点上的数据结构,struct nf_hook_opsstruct list_head list;nf_hookfn*hook;int pf;int hooknum;int priority;,unsigned int nf_hookfn(unsigned int hooknum,struct sk_buff*skb,const struct net_device*in,const struct net_device*out,int(*okfn)(struct sk_buff*);,list：链表结构；hook：检查点上调用的函数；pf：协议族；hooknum：检查点的编号；priority：此结构的优先级 nf_register_hook：注册nf_hook_ops结构 nf_unregister_hook：卸载nf_hoop_ops结构,Hook 宏定义,#define NF_HOOK(pf,hook,skb,indev,outdev,okfn)NF_HOOK_THRESH(pf,hook,skb,indev,outdev,okfn,INT_MIN)#define NF_HOOK_THRESH(pf,hook,skb,indev,outdev,okfn,thresh(int _ret;if(_ret=nf_hook_thresh(pf,hook,),NF_HOOK：定义检查点(okfn)(skb)：如果检查点上没有钩子函数，直接调用这个函数；如果有钩子函数，则先遍历检查点上的钩子函数，并根据钩子函数的返回值来确定下一步的动作；如果钩子函数完全遍历，同样需要调用这个函数 nf_hook_thresh：调用hook，返回表示包通过，返回其他表示包被消耗,Hook 点的调用流程,NF_DROP：禁止包通过NF_ACCEPT：允许包通过NF_STOLEN：包被本机缓存NF_QUEUE：把包发送到用户空间NF_REPEAT：重复上一次遍历过程,NF_HOOK,nf_hook_slow,nf_iterate,nf_hookfn,返回值,nf_hook_thresh,ebt_do_table,Ebtables hook 点位置,Bridge Hooks,#define NF_BR_PRE_ROUTING0#define NF_BR_LOCAL_IN1#define NF_BR_FORWARD2#define NF_BR_LOCAL_OUT3#define NF_BR_POST_ROUTING4/*Not really a hook,but used for the ebtables broute table*/#define NF_BR_BROUTING5注：NF_BR_BROUTING不是真正hook，不会通过hook点调用流程调用,NF_BR_PRE_ROUTING,NF_BR_LOCAL_IN,NF_BR_FORWARD,NF_BR_LOCAL_OUT,NF_BR_POST_ROUTING,NF_BR_BROUTING,static int ebt_broute(struct sk_buff*pskb)int ret;ret=ebt_do_table(NF_BR_BROUTING,pskb,(*pskb)-dev,NULL,/外部函数指针,nf_hook_ops 结构体,struct nf_hook_opsstruct list_head list;/*User fills in from here down.*/nf_hookfn*hook;struct module*owner;int pf;int hooknum;/*Hooks are ordered in ascending priority.*/int priority;,在每一个table中都会有一个nf_hook_ops结构体数组，它通过去nf_register_hook注册到全局变量nf_hook中,ebt_table 结构体,struct ebt_tablestruct list_head list;char nameEBT_TABLE_MAXNAMELEN;struct ebt_replace*table;unsigned int valid_hooks;rwlock_t lock;/*e.g.could be the table explicitly only allows certain*matches,targets,.0=let it in*/int(*check)(const struct ebt_table_info*info,unsigned int valid_hooks);/*the data used by the kernel*/struct ebt_table_info*private;struct module*me;,ebt_tables 链表,Ebtables有三个表broutefilterNat表注册函数：ebt_register_tableebt_unregister_table,ebt_entries 结构体,struct ebt_entries/*this field is always set to zero*See EBT_ENTRY_OR_ENTRIES.*Must be same size as ebt_entry.bitmask*/unsigned int distinguisher;/*the chain name*/char nameEBT_CHAIN_MAXNAMELEN;/*counter offset for this chain*/unsigned int counter_offset;/*one standard(accept,drop,return)per hook*/int policy;/*nr.of entries*/unsigned int nentries;/*entry list*/char data0 _attribute_(aligned(_alignof_(struct ebt_replace);,ebt_entries 处理流程,target,hook_entry,eb_table_info,ebt_match 结构体,struct ebt_matchstruct list_head list;const char nameEBT_FUNCTION_MAXNAMELEN;/*0=it matches*/int(*match)(const struct sk_buff*skb,const struct net_device*in,const struct net_device*out,const void*matchdata,unsigned int datalen);/*0=let it in*/int(*check)(const char*tablename,unsigned int hookmask,const struct ebt_entry*e,void*matchdata,unsigned int datalen);void(*destroy)(void*matchdata,unsigned int datalen);struct module*me;,ebt_matches 链表,Match注册函数ebt_register_matchebt_unregister_match,ebt_watcher 结构体,struct ebt_watcherstruct list_head list;const char nameEBT_FUNCTION_MAXNAMELEN;void(*watcher)(const struct sk_buff*skb,unsigned int hooknr,const struct net_device*in,const struct net_device*out,const void*watcherdata,unsigned int datalen);/*0=let it in*/int(*check)(const char*tablename,unsigned int hookmask,const struct ebt_entry*e,void*watcherdata,unsigned int datalen);void(*destroy)(void*watcherdata,unsigned int datalen);struct module*me;,ebt_watchers 链表,Watcher注册函数ebt_register_watcherebt_unregister_watcher,ebt_target 结构体,struct list_head list;const char nameEBT_FUNCTION_MAXNAMELEN;/*returns one of the standard verdicts*/int(*target)(struct sk_buff*pskb,unsigned int hooknr,const struct net_device*in,const struct net_device*out,const void*targetdata,unsigned int datalen);/*0=let it in*/int(*check)(const char*tablename,unsigned int hookmask,const struct ebt_entry*e,void*targetdata,unsigned int datalen);void(*destroy)(void*targetdata,unsigned int datalen);struct module*me;,ebt_targets 链表,Match注册函数ebt_register_targetebt_unregister_target,扩展 ebtbles,Ebtables 的两层,table,match,通信接口,watcher,target,socket,table,match,watcher,target,userspace,Kernel,通信接口,增加一个table,用户空间定义一个全局struct ebt_u_table结构体变量，并赋初值根据结构体成员函数指针指定的函数名编写相关函数,如help等函数在_init函数中注册前面定义的结构体变量内核层初始化struct ebt_entries结构体变量，定义需要的链初始化struct ebt_replace结构体变量，指表可以使用的hook及对应的链初始化struct ebt_table结构体变量和编相关函数数初始化struct nf_hook_ops 结构体和相关函数在init和exit函数中，注删和注销struct ebt_table和struct nf_hook_ops 变量,增加一个Match,用户空间初始化struct ebt_u_table结构体变量及相关函数，如help,check等在_init函数中注册前面定义的结构体变量内核层初始化struct ebt_entries结构体变量，定义需要的链初始化struct ebt_replace结构体变量，指表可以使用的hook及对应的链初始化struct ebt_table结构体变量和编相关函数数初始化struct nf_hook_ops 结构体和相关函数在init和exit函数中，注册和注销struct ebt_table和struct nf_hook_ops 变量,增加一个Match,用户空间初始化struct ebt_u_match结构体变量及相关函数在_init函数中注册前面定义的结构体变量内核层初始化struct ebt_match结构体变量和相关函数数在init和exit函数中，注册和注销struct ebt_match变量,增加一个Target,用户空间初始化ebt_u_target结构体变量及相关函数在_init函数中注册前面定义的结构体变量内核层初始化struct ebt_target结构体变量和相关函数数在init和exit函数中，注册和注销struct ebt_target变量,增加一个Watcher,用户空间初始化ebt_u_watcher结构体变量及相关函数在_init函数中注册前面定义的结构体变量内核层初始化struct ebt_watcher结构体变量和相关函数数在init和exit函数中，注册和注销struct ebt_watcher变量,通用函数指针说明,void(*help)(void)帮助信息，-h int(*parse)()分解输入的命令行，进行合法性验证，业务处理等操作，是业务实现的主要函数。void(*print)()用户需要查看相关规则时，格式化输出int(*compare)()检查在同一条规则中是否存在相同的选项,特殊函数指针说明,int(*match)()match专用函数，检查报文是与规则中的匹配项是否匹配，匹配返回EBT_MATCH(=0),否则返回EBT_NOMATCH(=1)void(*watcher)()watcher专用函数，监控与规则匹配的报文并根据监控条件返回相关信息int(*target)()Taget专用函数，根据规则的设置情况对匹配的报文进行处理，最终的值只能是EBT_ACCEPT,EBT_DROP,EBT_CONTINUE或EBT_RETURN 其中的一个，注：在基础链中不能使用EBT_RETURN,添加target实例,在ebtables中添加一个vlan的target，它可以根据用户的需要对匹配的报文打vlan tag、去vlan tag或修改优先级。用户空间初始化ebt_u_target结构体变量及相关函数,添加target实例,#初始化struct ebt_u_target 结构体static struct ebt_u_target vlan_target=.name=EBT_VLAN_TARGET,/指定target名字.size=sizeof(struct ebt_vlan_t_info),.help=print_help,.init=init,.parse=parse,.final_check=final_check,.print=print,.compare=compare,.extra_ops=opts,;,添加target实例,#编写parse函数static struct option opts=vlan-target,required_argument,0,VLAN_TARGET,vlan-set,required_argument,0,VLAN_SET,vlan-priority,required_argument,0,VLAN_PRIORITY,/*an oldtime messup,we should have always used the scheme*-*/vlan-header,no_argument,0,VLAN_HEADER,vlan-untag,no_argument,0,VLAN_UNTAG,0;,添加target实例,static int parse(int c,char*argv,int argc,const struct ebt_u_entry*entry,unsigned int*flags,struct ebt_entry_target*target)struct ebt_vlan_t_info*vlaninfo=(struct ebt_vlan_t_info*)(*target)-data;char*end;switch(c)case VLAN_SET:check_option(flags,OPT_VLAN_SET);if(*flags,添加target实例,#编写help及init函数/*打印帮助信息*/static void print_help()printf(vlan target options:n-vlan-set value:Set vlan value,0-4095n-vlan-priority prioriry:set vlan priority,0-7n-vlan-header:Add vlan tag to frames headern-vlan-untag:Delete valn tag from frames headern-vlan-target target:ACCEPT,DROP,RETURN or CONTINUEn);/*初始化自定义结构体*/static void init(struct ebt_entry_target*target)struct ebt_vlan_t_info*vlaninfo=(struct ebt_vlan_t_info*)target-data;vlaninfo-target=EBT_ACCEPT;vlaninfo-vlan=0;vlaninfo-cmd=0;vlan_supplied=0;,添加target实例,#对数据的合法性及启用条件进行检查static void final_check(const struct ebt_u_entry*entry,const struct ebt_entry_target*target,const char*name,unsigned int hookmask,unsigned int time)struct ebt_vlan_t_info*vlaninfo=(struct ebt_vlan_t_info*)target-data;if(time=0,添加target实例,#编写print函数用户查询的显示格式static void print(const struct ebt_u_entry*entry,const struct ebt_entry_target*target)struct ebt_vlan_t_info*vlaninfo=(struct ebt_vlan_t_info*)target-data;switch(vlaninfo-cmd)case OPT_VLAN_SET:if(vlaninfo-vlan)printf(-vlan-set 0 x%lx,vlaninfo-vlan);if(vlaninfo-priority)printf(-vlan-priority 0 x%lx,vlaninfo-priority);break;case OPT_VLAN_HEADER:printf(-vlan-header);break;case OPT_VLAN_UNTAG:printf(-vlan-untag);break;default:break;printf(-vlan-target%s,TARGET_NAME(vlaninfo-target);return;,添加target实例,#编写compare函数/*冲突检测函数,只需要对需要的部份进行检测*/static int compare(const struct ebt_entry_target*t1,const struct ebt_entry_target*t2)struct ebt_vlan_t_info*vlaninfo1=(struct ebt_vlan_t_info*)t1-data;struct ebt_vlan_t_info*vlaninfo2=(struct ebt_vlan_t_info*)t2-data;return vlaninfo1-target=vlaninfo2-target,添加target实例,、在_init函数中注册前面定义的结构体变量static void _init(void)_attribute_(constructor);static void _init(void)register_target(,添加target实例,内核层初始化struct ebt_target结构体变量和相关函数数#初始化结构体static struct ebt_target vlan_target=.name=EBT_VLAN_TARGET,.target=ebt_target_vlan,.check=ebt_target_vlan_check,.me=THIS_MODULE,;,添加target实例,#编写target函数static int ebt_target_vlan(struct sk_buff*pskb,unsigned int hooknr,const struct net_device*in,const struct net_device*out,const void*data,unsigned int datalen)struct ebt_vlan_t_info*info=(struct ebt_vlan_t_info*)data;switch(info-cmd)case OPT_VLAN_SET:if(eth_hdr(*pskb)-h_proto!=htons(ETH_P_8021Q)/*if info-vlan=0,cant set vlan tag*/if(!info-vlan else,添加target实例,if(!info-vlan)struct vlan_ethhdr*vhdr=(struct vlan_ethhdr*)(*pskb)-mac.raw;/(*pskb)-vlan=(vhdr-h_vlan_TCI,添加target实例,#编写check函数static int ebt_target_vlan_check(const char*tablename,unsigned int hookmask,const struct ebt_entry*e,void*data,unsigned int datalen)struct ebt_vlan_t_info*info=(struct ebt_vlan_t_info*)data;if(datalen!=EBT_ALIGN(sizeof(struct ebt_vlan_t_info)return-EINVAL;if(BASE_CHAIN 函数主要检查从用户数据的合法性及有效性。,添加target实例,在init和exit函数中，注册和注销struct ebt_target变量 static int _init ebt_vlan_init(void)return ebt_register_target(,Ebtables 应用,桥本地接收,桥转发,桥本地发送,桥到桥的路由,桥到非桥接口的路由,实例应用,Linux broutingRate shaping,问题思考,问题,Tower box:172.16.0.1Workstaion:172.16.0.2怎样设置规则才能让机器既能互相通信又能上internet?,问题,LocalProcess,br0,internet,wan,问题：报文会经过哪些链,