hi,guys , 

i am a newbie for netfilter coding.
when i want to record connect myslef . i find my
programme working well in slow net folw,when i got the
syn flood ( only 1000 connections ), 
the box is dead , can you help me , thank you at first
.

( i had delete some code to test , and it's now is
below , but it's dead at syn flood ( only 1000
connections ), 

#ifndef __KERNEL__
 #define __KERNEL__
#endif
#ifndef MODULE
 #define MODULE
#endif


#if 1
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/config.h>
#include <linux/ip.h>
#include <net/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4.h>
#include <net/protocol.h>
#include <linux/types.h>
#include <linux/proc_fs.h>

#endif


#include "connect.h"
#include "lib.h"


#define CONN_MAX_HASH_SIZE 499
struct ip_conntrack *
conn_hash_table[CONN_MAX_HASH_SIZE];


int hash_key( __u32 saddr , __u32 daddr , __u32 sport
, __u32 dport )
{
 return (saddr + daddr + sport + dport ) %
CONN_MAX_HASH_SIZE ;
}


int list_connect( char * buffer , char ** start ,
off_t offset , int length )
{

 int    offs = 0 ;
 int    i = 0 ;
 struct ip_conntrack * temp = NULL ; 
 int    count = 1 ;

 for( i = 0 ;  i < CONN_MAX_HASH_SIZE ; i++ ){
  for( temp = conn_hash_table[i] ; temp ; temp =
temp->next ){
   offs += sprintf( &buffer[offs] , "line-%d\n" , i  
);
   offs += sprintf( &buffer[offs] , 
    "%d. c_saddr = [%d.%d.%d.%d] c_daddr =
[%d.%d.%d.%d]"
    " c_sport = [%d] c_dport = [%d]\n  s_saddr =
[%d.%d.%d.%d] "
    "s_daddr = [%d.%d.%d.%d] s_sport = [%d] s_dport =
[%d]\n "
     , 
    
    count  , 
    IP_DOC( temp->c_saddr ) , IP_DOC( temp->c_daddr )
,
    temp->c_sport , temp->c_dport ,
    IP_DOC( temp->s_saddr ) , IP_DOC( temp->s_daddr )
, 
    temp->s_sport , temp->s_dport  ) ;
   
   count ++ ;
   if( offs > length ){
    offs = length ;
    break ; 
   } 
  }
 }
 return offs ;


 return 0 ; 
}

struct ip_conntrack * get_connect( struct iphdr * iph
, int * direction )
{
 struct  ip_conntrack * temp = NULL;
 __u32 saddr = iph->saddr ;
 __u32 daddr = iph->daddr;
 int hashkey;
 struct  tcphdr * tcph = (struct tcphdr * ) ((void *
)iph + iph->ihl * 4 );
 __u16 sport = ntohs( tcph->source );
 __u16 dport = ntohs( tcph->dest );

 hashkey = hash_key( saddr , daddr , sport , dport );
 //printk("<0>the hash keyi is [%u]\n" , hashkey ) ;

 
 for( temp = conn_hash_table[hashkey] ; temp ; temp =
temp->next ){
 
  if(    (temp->c_saddr == saddr && 
   temp->c_daddr == daddr && 
   temp->c_sport == sport && 
   temp->c_dport == dport ) ){
    *direction = ORIGINAL ;
    //printk("<0>original\n");
    break ;
  }
     
  if(    (temp->s_saddr == saddr && 
   temp->s_daddr == daddr && 
   temp->s_sport == sport && 
   temp->s_dport == dport ) ){
    *direction = REPLY ; 
    //printk("<0>reply\n");
    break ; 
  }
  
 }
 
 return  temp;
}

int conntrack_into_hash( struct ip_conntrack * connect
)
{
 int   hash = 0 ;
 unsigned long   flags;


 if( !connect ){
  printk("<0>the new connect you give is null , so it
can't into the list\n");
  return -1 ; 
 }
 hash = hash_key( connect->c_saddr ,connect->c_daddr 
, connect->c_sport , connect->c_dport );
 printk("<0>the hash keyi is [%u]\n" , hash ) ;


   save_flags( flags );
   cli();


 connect->next = conn_hash_table[hash] ;
 conn_hash_table[hash] = connect ;

 
 restore_flags( flags );

 return 0;
}


struct ip_conntrack * new_connect( int hooknum , 
struct  iphdr * iph )
{

 __u32  saddr = iph->saddr ; 
 __u32  daddr = iph->daddr ; 
 struct ip_conntrack * connect = NULL;
 struct  tcphdr * tcph = (struct tcphdr * ) ((void *
)iph + iph->ihl *4 );
 __u16 sport  = ntohs( tcph->source );
 __u16 dport  = ntohs( tcph->dest ); 


 if( iph->protocol != IPPROTO_TCP )  /*we don't do
icmp udp here*/
  return NULL ; 

 if( !tcph->syn || tcph->ack )
  return NULL ; 


 connect = ( struct ip_conntrack * )kmalloc 
   ( sizeof( struct ip_conntrack), GFP_KERNEL ) ;
 if( !connect ){
  printk("<0>can't alloc memory for the a new connect
about struct ip_conntrack\n" );
  return NULL;
 }
 memset( connect , 0 , sizeof( struct ip_conntrack) )
;
 

 if( dport == FTP_PORT )
  connect->flags |= FTP_CMD_CONNECT  ; 




 connect->c_saddr = saddr;
 connect->c_daddr = daddr; 
 connect->c_sport = sport ; 
 connect->c_dport = dport ; 

 connect->s_saddr = daddr;
 connect->s_daddr = saddr; 
 connect->s_sport = dport ; 
 connect->s_dport = sport ;

 if( conntrack_into_hash( connect ) < 0 ){
  kfree( connect );
  return NULL;
 }
 
 return connect ; 
}
static unsigned int pre_in_fun(unsigned int
hooknum,struct sk_buff **pskb,
    const struct net_device *in,
    const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
 struct iphdr  * iph = ( *pskb )->nh.iph ;
 struct ip_conntrack * connect = NULL;
 int    direction = -1;


 
 if ((*pskb)->nh.iph->frag_off &
htons(IP_MF|IP_OFFSET)) {
  *pskb = ip_defrag(*pskb);  
  if (!*pskb)
   return NF_STOLEN;
 }
 
 if( iph->protocol != IPPROTO_TCP )  /*we don't do
icmp udp here*/
  return NF_DROP ; 


 connect = get_connect( iph , &direction );
 if( connect ){
  ;
 }else{
  connect = new_connect(  hooknum ,  iph ) ;  
  if( !connect )
   return NF_DROP ;
 }

 return NF_ACCEPT;
}



static unsigned int local_out_fun(unsigned int
hooknum,struct sk_buff **skb,
    const struct net_device *in,
    const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
 return  pre_in_fun( hooknum, skb , in , out , okfn )
;
}
 

static unsigned int local_in_fun(unsigned int
hooknum,struct sk_buff **skb,
    const struct net_device *in,
    const struct net_device *out,int (*okfn)(struct
sk_buff *))
{
 return NF_ACCEPT;
}
 

static unsigned int post_routing_fun(unsigned int
hooknum,struct sk_buff **skb,
    const struct net_device *in,
    const struct net_device *out,int (*okfn)(struct
sk_buff *)) { 
 return NF_ACCEPT;
}



void clean_up( void )
{
        int                             i = 0 ;
        struct ip_conntrack     *       next = NULL ;
        struct ip_conntrack     *       temp = NULL ;

        for( i = 0 ;  i < CONN_MAX_HASH_SIZE ; i++ ){
                temp = conn_hash_table[i] ;
  
  while( temp ){
   next = temp->next ; 
    if (temp->flags & TIMER_SET) 
        del_timer(&temp->timer);
   memset( temp , 0 , sizeof( struct ip_conntrack ) )
; 
   kfree( temp ) ;
   temp = next ; 
  }    
 }

}


int     init_conntrack( void )
{

        memset( conn_hash_table , 0 , sizeof( sizeof(
struct ip_conntrack * ) * CONN_MAX_HASH_SIZE ) ) ;

        return 0 ;

}

static struct nf_hook_ops hook_local_in 
={ {NULL,NULL}
,local_in_fun,PF_INET,NF_IP_LOCAL_IN,NF_IP_PRI_FILTER-1};
static struct nf_hook_ops hook_post_routing 
={ {NULL,NULL}
,post_routing_fun,PF_INET,NF_IP_POST_ROUTING,NF_IP_PRI_FILTER-1};


static struct nf_hook_ops hook_local_out 
={ {NULL,NULL} ,local_out_fun,PF_INET,NF_IP_LOCAL_OUT
,NF_IP_PRI_FILTER-1};
static struct nf_hook_ops hook_pre_in 
={ {NULL,NULL}
,pre_in_fun,PF_INET,NF_IP_PRE_ROUTING,NF_IP_PRI_FILTER-1};

int init_module(void)
{
 proc_net_create( "conntrack" , 0 , list_connect );
 nf_register_hook(&hook_local_out);
 nf_register_hook(&hook_local_in);
 nf_register_hook(&hook_post_routing);
 nf_register_hook(&hook_pre_in);

 return init_conntrack( ) ;
 
}

void cleanup_module(void)
{
 nf_unregister_hook(&hook_pre_in);
 nf_unregister_hook(&hook_local_in);
 nf_unregister_hook(&hook_post_routing);
 nf_unregister_hook(&hook_local_out);
 proc_net_remove("conntrack");

 clean_up( ) ; 
}





----- Original Message ----- 
From: "PAUL" <[EMAIL PROTECTED]>
To: "Sumit Pandya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 28, 2002 7:03 AM
Subject: Re: Request for a Beginning in libiptc and
libipq


> Well
> 
> Sumit and Developers
> 
> Let me explain well my questions:
> 
> In the tutorials of iptables The packet goes through
the different steps in
> the following fashion:
> 
> 
> see the comments
>       Step Table Chain Comment
>       1     On the wire(internet)
>       2     Comes in on the interface(eth1)
>       3 mangle PREROUTING Here i cant use the QUEUE
for analysis
>       4 nat PREROUTING
>       5
>       6 filter FORWARD Here go to the QUEUE for
analysis if ACCEPT or DROP
>       7 nat POSTROUTING
>       8     Goes out on the outgoing interface (
eth2 ).
>       9     Out on the wire again (LAN or anothe
computer ).
> 
> 
> The program i have
> it catch  the packets that come from eth1 and go to
the QUEUE , compare the
> IP of packet with a file with  IPs direction and
DROP or ACCEPT the packet ,
> for it go to the eth2
> 
> my question are:
> 
> 1.- Can i use libiptc or another lib or *.h for
enable the ip_queue without
> the common script
> [root]#modprobe iptable_filter
> [root]#modprobe ip_queue
> 
> i found int internet this but i can't do working for
problems in compilation
> 
> 
> 2.- Can I use libiptc or another lib or *.h  for
manipulate the packet and
> compare with a file with IP's and enable go to the
QUEUE without scripts
> below, for example:
> iptables -I FORWARD -j QUEUE or
> iptables -t mangle -I PREROUTING -j QUEUE
> 
> 3.- Why using table  "mangle" for sent the packet to
the QUEUE  in
> PREROUTING  the catch of the packet  is more fast
than using the QUEUE in
> the table "filter" in FORWARD
> 
> 4.- In the HOW-TO hacking-netfilter i read some
functionality using KERNEL
> function for add rules i read this but How can I do
?
> 
> 
> The objective of this, is for using only one program
to enable ip_queue and
> add or remove new rules in the tables mangle or
filter without scripts
> 
> so, Please help me, answer me this question or
explain me another good idea
> for build it in only one program all this.
> 
> Thank you for help a this begining in netfilter with
iptables 1.2.5
> 
> Paul Villacreses
> 
> 
> ----- Original Message -----
> From: "Sumit Pandya" <[EMAIL PROTECTED]>
> To: "PAUL FABRICIO VILLACRESES LEON"
<[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 26, 2002 9:29 PM
> Subject: RE: Request for a Beginning in libiptc and
libipq
> 
> 
> > -----Original Message-----
> > From: PAUL FABRICIO VILLACRESES LEON
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 26, 2002 10:58 PM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Request for a Beginning in libiptc and
libipq
> >
> >
> > >> I have a program using libipq gived for Sumit
and work good(Thank you)
> > but a
> > So Cheers... ;-)
> > >> want to catch the packets before it going to
QUEUE for analisys and
> > enable
> > >> the ip_queue in a c program, i know that using
the shared library of
> > >> iptables.c and libiptc.h but again i didn't
find an example c program
> > using
> > >> this libiptc. and enable the ip_queue.
> > I'm confused with what you wana say and achieved
by this. QUEUE is
> > basically to take action on packet in user-space.
Are you boather of
> > unnecessary traversal of your packets to
user-space(QUEUE)? If it's so
> then,
> > there are so many "match extensions" you can take
help of them to
> > selectively traverse your packets into user-space.
Finally GOD of all
> these
> > "match-extensions" is "string".
> > Hope This helps,
> > -- Sumit
> >
> >
> 


_________________________________________________________
Do You Yahoo!? 
到世界杯主题公园玩一玩,赢取世界杯门票乐一乐。
http://cn.worldcup.yahoo.com/

Reply via email to