hi,guys ,
i am a newbie for netfilter coding.
when i want to record connect myslef . i find my
programme working well in slow net folw,when i got the
syn flood ( only 1000 connections ),
the box is dead , can you help me , thank you at first
.
( i had delete some code to test , and it's now is
below , but it's dead at syn flood ( only 1000
connections ),
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif
#if 1
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/config.h>
#include <linux/ip.h>
#include <net/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4.h>
#include <net/protocol.h>
#include <linux/types.h>
#include <linux/proc_fs.h>
#endif
#include "connect.h"
#include "lib.h"
#define CONN_MAX_HASH_SIZE 499
struct ip_conntrack *
conn_hash_table[CONN_MAX_HASH_SIZE];
int hash_key( __u32 saddr , __u32 daddr , __u32 sport
, __u32 dport )
{
return (saddr + daddr + sport + dport ) %
CONN_MAX_HASH_SIZE ;
}
int list_connect( char * buffer , char ** start ,
off_t offset , int length )
{
int offs = 0 ;
int i = 0 ;
struct ip_conntrack * temp = NULL ;
int count = 1 ;
for( i = 0 ; i < CONN_MAX_HASH_SIZE ; i++ ){
for( temp = conn_hash_table[i] ; temp ; temp =
temp->next ){
offs += sprintf( &buffer[offs] , "line-%d\n" , i
);
offs += sprintf( &buffer[offs] ,
"%d. c_saddr = [%d.%d.%d.%d] c_daddr =
[%d.%d.%d.%d]"
" c_sport = [%d] c_dport = [%d]\n s_saddr =
[%d.%d.%d.%d] "
"s_daddr = [%d.%d.%d.%d] s_sport = [%d] s_dport =
[%d]\n "
,
count ,
IP_DOC( temp->c_saddr ) , IP_DOC( temp->c_daddr )
,
temp->c_sport , temp->c_dport ,
IP_DOC( temp->s_saddr ) , IP_DOC( temp->s_daddr )
,
temp->s_sport , temp->s_dport ) ;
count ++ ;
if( offs > length ){
offs = length ;
break ;
}
}
}
return offs ;
return 0 ;
}
struct ip_conntrack * get_connect( struct iphdr * iph
, int * direction )
{
struct ip_conntrack * temp = NULL;
__u32 saddr = iph->saddr ;
__u32 daddr = iph->daddr;
int hashkey;
struct tcphdr * tcph = (struct tcphdr * ) ((void *
)iph + iph->ihl * 4 );
__u16 sport = ntohs( tcph->source );
__u16 dport = ntohs( tcph->dest );
hashkey = hash_key( saddr , daddr , sport , dport );
//printk("<0>the hash keyi is [%u]\n" , hashkey ) ;
for( temp = conn_hash_table[hashkey] ; temp ; temp =
temp->next ){
if( (temp->c_saddr == saddr &&
temp->c_daddr == daddr &&
temp->c_sport == sport &&
temp->c_dport == dport ) ){
*direction = ORIGINAL ;
//printk("<0>original\n");
break ;
}
if( (temp->s_saddr == saddr &&
temp->s_daddr == daddr &&
temp->s_sport == sport &&
temp->s_dport == dport ) ){
*direction = REPLY ;
//printk("<0>reply\n");
break ;
}
}
return temp;
}
int conntrack_into_hash( struct ip_conntrack * connect
)
{
int hash = 0 ;
unsigned long flags;
if( !connect ){
printk("<0>the new connect you give is null , so it
can't into the list\n");
return -1 ;
}
hash = hash_key( connect->c_saddr ,connect->c_daddr
, connect->c_sport , connect->c_dport );
printk("<0>the hash keyi is [%u]\n" , hash ) ;
save_flags( flags );
cli();
connect->next = conn_hash_table[hash] ;
conn_hash_table[hash] = connect ;
restore_flags( flags );
return 0;
}
struct ip_conntrack * new_connect( int hooknum ,
struct iphdr * iph )
{
__u32 saddr = iph->saddr ;
__u32 daddr = iph->daddr ;
struct ip_conntrack * connect = NULL;
struct tcphdr * tcph = (struct tcphdr * ) ((void *
)iph + iph->ihl *4 );
__u16 sport = ntohs( tcph->source );
__u16 dport = ntohs( tcph->dest );
if( iph->protocol != IPPROTO_TCP ) /*we don't do
icmp udp here*/
return NULL ;
if( !tcph->syn || tcph->ack )
return NULL ;
connect = ( struct ip_conntrack * )kmalloc
( sizeof( struct ip_conntrack), GFP_KERNEL ) ;
if( !connect ){
printk("<0>can't alloc memory for the a new connect
about struct ip_conntrack\n" );
return NULL;
}
memset( connect , 0 , sizeof( struct ip_conntrack) )
;
if( dport == FTP_PORT )
connect->flags |= FTP_CMD_CONNECT ;
connect->c_saddr = saddr;
connect->c_daddr = daddr;
connect->c_sport = sport ;
connect->c_dport = dport ;
connect->s_saddr = daddr;
connect->s_daddr = saddr;
connect->s_sport = dport ;
connect->s_dport = sport ;
if( conntrack_into_hash( connect ) < 0 ){
kfree( connect );
return NULL;
}
return connect ;
}
static unsigned int pre_in_fun(unsigned int
hooknum,struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
struct iphdr * iph = ( *pskb )->nh.iph ;
struct ip_conntrack * connect = NULL;
int direction = -1;
if ((*pskb)->nh.iph->frag_off &
htons(IP_MF|IP_OFFSET)) {
*pskb = ip_defrag(*pskb);
if (!*pskb)
return NF_STOLEN;
}
if( iph->protocol != IPPROTO_TCP ) /*we don't do
icmp udp here*/
return NF_DROP ;
connect = get_connect( iph , &direction );
if( connect ){
;
}else{
connect = new_connect( hooknum , iph ) ;
if( !connect )
return NF_DROP ;
}
return NF_ACCEPT;
}
static unsigned int local_out_fun(unsigned int
hooknum,struct sk_buff **skb,
const struct net_device *in,
const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
return pre_in_fun( hooknum, skb , in , out , okfn )
;
}
static unsigned int local_in_fun(unsigned int
hooknum,struct sk_buff **skb,
const struct net_device *in,
const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
return NF_ACCEPT;
}
static unsigned int post_routing_fun(unsigned int
hooknum,struct sk_buff **skb,
const struct net_device *in,
const struct net_device *out,int (*okfn)(struct
sk_buff *)) {
return NF_ACCEPT;
}
void clean_up( void )
{
int i = 0 ;
struct ip_conntrack * next = NULL ;
struct ip_conntrack * temp = NULL ;
for( i = 0 ; i < CONN_MAX_HASH_SIZE ; i++ ){
temp = conn_hash_table[i] ;
while( temp ){
next = temp->next ;
if (temp->flags & TIMER_SET)
del_timer(&temp->timer);
memset( temp , 0 , sizeof( struct ip_conntrack ) )
;
kfree( temp ) ;
temp = next ;
}
}
}
int init_conntrack( void )
{
memset( conn_hash_table , 0 , sizeof( sizeof(
struct ip_conntrack * ) * CONN_MAX_HASH_SIZE ) ) ;
return 0 ;
}
static struct nf_hook_ops hook_local_in
={ {NULL,NULL}
,local_in_fun,PF_INET,NF_IP_LOCAL_IN,NF_IP_PRI_FILTER-1};
static struct nf_hook_ops hook_post_routing
={ {NULL,NULL}
,post_routing_fun,PF_INET,NF_IP_POST_ROUTING,NF_IP_PRI_FILTER-1};
static struct nf_hook_ops hook_local_out
={ {NULL,NULL} ,local_out_fun,PF_INET,NF_IP_LOCAL_OUT
,NF_IP_PRI_FILTER-1};
static struct nf_hook_ops hook_pre_in
={ {NULL,NULL}
,pre_in_fun,PF_INET,NF_IP_PRE_ROUTING,NF_IP_PRI_FILTER-1};
int init_module(void)
{
proc_net_create( "conntrack" , 0 , list_connect );
nf_register_hook(&hook_local_out);
nf_register_hook(&hook_local_in);
nf_register_hook(&hook_post_routing);
nf_register_hook(&hook_pre_in);
return init_conntrack( ) ;
}
void cleanup_module(void)
{
nf_unregister_hook(&hook_pre_in);
nf_unregister_hook(&hook_local_in);
nf_unregister_hook(&hook_post_routing);
nf_unregister_hook(&hook_local_out);
proc_net_remove("conntrack");
clean_up( ) ;
}
----- Original Message -----
From: "PAUL" <[EMAIL PROTECTED]>
To: "Sumit Pandya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 28, 2002 7:03 AM
Subject: Re: Request for a Beginning in libiptc and
libipq
> Well
>
> Sumit and Developers
>
> Let me explain well my questions:
>
> In the tutorials of iptables The packet goes through
the different steps in
> the following fashion:
>
>
> see the comments
> Step Table Chain Comment
> 1 On the wire(internet)
> 2 Comes in on the interface(eth1)
> 3 mangle PREROUTING Here i cant use the QUEUE
for analysis
> 4 nat PREROUTING
> 5
> 6 filter FORWARD Here go to the QUEUE for
analysis if ACCEPT or DROP
> 7 nat POSTROUTING
> 8 Goes out on the outgoing interface (
eth2 ).
> 9 Out on the wire again (LAN or anothe
computer ).
>
>
> The program i have
> it catch the packets that come from eth1 and go to
the QUEUE , compare the
> IP of packet with a file with IPs direction and
DROP or ACCEPT the packet ,
> for it go to the eth2
>
> my question are:
>
> 1.- Can i use libiptc or another lib or *.h for
enable the ip_queue without
> the common script
> [root]#modprobe iptable_filter
> [root]#modprobe ip_queue
>
> i found int internet this but i can't do working for
problems in compilation
>
>
> 2.- Can I use libiptc or another lib or *.h for
manipulate the packet and
> compare with a file with IP's and enable go to the
QUEUE without scripts
> below, for example:
> iptables -I FORWARD -j QUEUE or
> iptables -t mangle -I PREROUTING -j QUEUE
>
> 3.- Why using table "mangle" for sent the packet to
the QUEUE in
> PREROUTING the catch of the packet is more fast
than using the QUEUE in
> the table "filter" in FORWARD
>
> 4.- In the HOW-TO hacking-netfilter i read some
functionality using KERNEL
> function for add rules i read this but How can I do
?
>
>
> The objective of this, is for using only one program
to enable ip_queue and
> add or remove new rules in the tables mangle or
filter without scripts
>
> so, Please help me, answer me this question or
explain me another good idea
> for build it in only one program all this.
>
> Thank you for help a this begining in netfilter with
iptables 1.2.5
>
> Paul Villacreses
>
>
> ----- Original Message -----
> From: "Sumit Pandya" <[EMAIL PROTECTED]>
> To: "PAUL FABRICIO VILLACRESES LEON"
<[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 26, 2002 9:29 PM
> Subject: RE: Request for a Beginning in libiptc and
libipq
>
>
> > -----Original Message-----
> > From: PAUL FABRICIO VILLACRESES LEON
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 26, 2002 10:58 PM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Request for a Beginning in libiptc and
libipq
> >
> >
> > >> I have a program using libipq gived for Sumit
and work good(Thank you)
> > but a
> > So Cheers... ;-)
> > >> want to catch the packets before it going to
QUEUE for analisys and
> > enable
> > >> the ip_queue in a c program, i know that using
the shared library of
> > >> iptables.c and libiptc.h but again i didn't
find an example c program
> > using
> > >> this libiptc. and enable the ip_queue.
> > I'm confused with what you wana say and achieved
by this. QUEUE is
> > basically to take action on packet in user-space.
Are you boather of
> > unnecessary traversal of your packets to
user-space(QUEUE)? If it's so
> then,
> > there are so many "match extensions" you can take
help of them to
> > selectively traverse your packets into user-space.
Finally GOD of all
> these
> > "match-extensions" is "string".
> > Hope This helps,
> > -- Sumit
> >
> >
>
_________________________________________________________
Do You Yahoo!?
到世界杯主题公园玩一玩,赢取世界杯门票乐一乐。
http://cn.worldcup.yahoo.com/
