wiki:
iptables is a user-space application program that allows a
system administrator to configure the tables provided by the Linux kernel firewall (implemented as different
Netfilter modules) and the chains and rules it stores. Different kernel modules
and programs are currently used for different protocols: iptables
applies to IPv4, ip6tables to IPv6, arptables to ARP, and
ebtables to Ethernet frames.
iptables is also commonly used to inclusively refer to the
kernel-level components. x_tables is the name of the kernel
module carrying the shared code portion used by all four modules that
also provides the API used for extensions; subsequently, Xtables
is more or less used to refer to the entire firewall (v4, v6, arp, eb)
architecture.
-----
Netfilter connections can be manipulated with the user-space tool conntrack.
iptables can make use of the connection's information, such
as its state, status and more, to make packet filtering rules more
powerful and easier to manage. The most common states are:
- “NEW”: trying to create a new connection
- “ESTABLISHED”: part of an already-existing connection
- “RELATED”: assigned to a packet that is initiating a new connection
and which has been “expected”. Connection-tracking helpers (mini-ALGs) set up these
expectations, for example when the nf_conntrack_ftp module sees a “PASV”
command.
- “INVALID”: the packet was found to be invalid, e.g. it would not adhere to the
TCP state diagram.
- “UNTRACKED”: a special state that can be assigned by the
administrator to bypass connection tracking for a particular packet (see the
raw table)
A typical example: the first packet the conntrack
subsystem sees will be classified “new”, the reply would be classified
“established” and an ICMP error would be
“related”. An ICMP error packet which did not match any known connection
would be “invalid”.
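To make the four states concrete, here is a toy connection tracker written for this note. It is an added example, not Netfilter code: the real nf_conntrack lives in the kernel, keys on more fields, tracks per-protocol state and timeouts, and handles far more cases. All names (ct_tuple, ct_packet, ct_classify) and the sample TCP flow are constructed for the example. It reproduces the behaviour described above: the first packet is NEW (and stays NEW until a reply is seen), the reply is ESTABLISHED, an ICMP error quoting a known connection is RELATED, and one quoting nothing known is INVALID.

```c
/* Toy connection tracker illustrating the conntrack states NEW, ESTABLISHED,
 * RELATED and INVALID. Not Netfilter code; all names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_RELATED, CT_INVALID };

/* 5-tuple identifying one direction of a flow */
struct ct_tuple {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;          /* 6 = TCP, 17 = UDP, 1 = ICMP */
};

/* A packet is either an ordinary transport packet, or an ICMP error that
 * quotes the header of the packet which triggered it (the "inner" tuple). */
struct ct_packet {
    struct ct_tuple t;
    int icmp_error;
    struct ct_tuple inner;
};

struct ct_conn {
    struct ct_tuple orig;    /* tuple of the first packet seen */
    int seen_reply;          /* set once traffic is seen in the reply direction */
};

#define CT_MAX 16
static struct ct_conn ct_table[CT_MAX];
static int ct_count;

static int tuple_eq(const struct ct_tuple *a, const struct ct_tuple *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto;
}

/* Swap endpoints: the reply direction of a tuple. */
struct ct_tuple ct_reverse(const struct ct_tuple *t)
{
    struct ct_tuple r = { t->dst, t->src, t->dport, t->sport, t->proto };
    return r;
}

/* Find the connection a tuple belongs to, in either direction. */
static struct ct_conn *ct_find(const struct ct_tuple *t, int *is_reply)
{
    for (int i = 0; i < ct_count; i++) {
        struct ct_tuple rev = ct_reverse(&ct_table[i].orig);
        if (tuple_eq(&ct_table[i].orig, t)) { *is_reply = 0; return &ct_table[i]; }
        if (tuple_eq(&rev, t))             { *is_reply = 1; return &ct_table[i]; }
    }
    return NULL;
}

void ct_flush(void) { ct_count = 0; }

/* Classify a packet as the states above describe, updating the table. */
enum ct_state ct_classify(const struct ct_packet *p)
{
    int is_reply;
    if (p->icmp_error) {
        /* RELATED only if the quoted original packet belongs to a known connection */
        return ct_find(&p->inner, &is_reply) ? CT_RELATED : CT_INVALID;
    }
    struct ct_conn *c = ct_find(&p->t, &is_reply);
    if (c == NULL) {
        if (ct_count == CT_MAX)
            return CT_INVALID;           /* table full: cannot track it */
        ct_table[ct_count].orig = p->t;
        ct_table[ct_count].seen_reply = 0;
        ct_count++;
        return CT_NEW;
    }
    if (is_reply)
        c->seen_reply = 1;               /* both directions now seen */
    /* Original-direction packets stay NEW until a reply has been seen. */
    return c->seen_reply ? CT_ESTABLISHED : CT_NEW;
}

static const char *ct_name(enum ct_state s)
{
    static const char *names[] = { "NEW", "ESTABLISHED", "RELATED", "INVALID" };
    return names[s];
}

int main(void)
{
    /* Constructed sample flow: 10.0.0.1:40000 -> 10.0.0.2:80 over TCP */
    struct ct_tuple o = { 0x0a000001, 0x0a000002, 40000, 80, 6 };
    struct ct_tuple unknown = { 0x0a000001, 0x0a000002, 40001, 9999, 6 };
    struct ct_packet syn = { .t = o };
    struct ct_packet synack = { .t = ct_reverse(&o) };
    /* ICMP errors travel from server to client and quote the original packet */
    struct ct_packet err_known = { .t = { 0x0a000002, 0x0a000001, 0, 0, 1 }, .icmp_error = 1, .inner = o };
    struct ct_packet err_other = { .t = { 0x0a000002, 0x0a000001, 0, 0, 1 }, .icmp_error = 1, .inner = unknown };

    printf("SYN:             %s\n", ct_name(ct_classify(&syn)));
    printf("SYN/ACK reply:   %s\n", ct_name(ct_classify(&synack)));
    printf("ICMP err, known: %s\n", ct_name(ct_classify(&err_known)));
    printf("ICMP err, other: %s\n", ct_name(ct_classify(&err_other)));
    return 0;
}
```

The one detail worth noticing is that a retransmitted first packet is still NEW: a connection only becomes ESTABLISHED once the tracker has seen traffic in both directions, which is why an INPUT policy that accepts ESTABLISHED,RELATED and drops INVALID still needs explicit NEW rules for the services it exposes.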
-----
Further Netfilter projects:
- ulogd
- conntrack-tools
- ipset
User-space libraries
The Netfilter project also provides a set of libraries, whose names share the
prefix libnetfilter, that can be used to perform different tasks
from user-space. These libraries are released under the GNU GPL version
2. Specifically, they are:
- libnetfilter_queue, which allows user-space packet
queueing in conjunction with iptables.
- libnetfilter_conntrack, which allows manipulating connection
tracking entries from user-space.
- libnetfilter_log, which allows collecting log messages that
are generated by iptables.
- libiptc, which allows changing the iptables firewall ruleset.
---------------------------------------------------
1. Nomenclature
By convention, names of Xtables matches are always lower-case, and names of Xtables targets are upper-case.
Xtables modules are typically prefixed with xt_, forming, for example, xt_MARK for a target and xt_connmark for a match.
x_tables refers to the kernel module that provides the generic, (mostly) protocol-independent
table-based firewalling used in Linux, and ip_tables, ip6_tables, arp_tables and ebtables are the
kernel modules providing family-specific tables for the iptables, ip6tables, arptables and ebtables
tools.
The ip, ip6, arp and eb table modules traditionally used distinct prefixes, according to their
subsystem: ipt_, ip6t_, arpt_ and ebt_, respectively. Use of these is fading and should be avoided for new modules.
As far as userspace is concerned, iptables modules use libxt_ as prefix.
2. Match
A match may not modify many structures: as you can see from the function prototypes later on, a lot of variables are declared const. Modifying any of this data should only be done in targets.
Type sizes also matter: long, for example, has a different size in 32- and 64-bit environments. On x86, long is 4 bytes, but on x86_64, it is 8 bytes.
union nf_inet_addr:
It is defined in
, and for struct in_addr and struct in6_addr to work, you need to include and in kernel-space, or in userspace, respectively.
3. Userspace
The _init function is called when the module is loaded by iptables. As a tiny implementation detail, note that _init is actually defined as a macro for iptables, and the keyword will be replaced by appropriate logic to wire it up with iptables: we cannot strictly use _init, because the Glibc CRT (common runtime) stubs that are linked into shared libraries already define it.
void _init(void)
{
xtables_register_match(&ipaddr_mt_reg);
}
When iptables is built, this will expand to:
void __attribute__((constructor)) libxt_ipaddr_init(void)
so you may not use the name libxt_ipaddr_init for other functions, or you will get an unfortunate compile error.
In case you use the Xtables-addons framework, just directly write
static void _init(void)
i.e. with the static keyword and without the extra prototype above it, because modules are always compiled as shared library objects (.so), so no symbols need to be globally visible.
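The constructor mechanism described above can be seen working without the iptables tree. The following is an added, stand-alone example, not code from iptables or Xtables-addons: struct toy_match, toy_register_match() and the registry are simplified stand-ins for struct xtables_match and xtables_register_match() from xtables.h, and the macro hard-codes the libxt_ipaddr_init name that the real build derives from the plugin name. What it shows is that the match is already registered by the time main() runs, because the constructor fires when the object is loaded.

```c
/* Added toy showing how _init becomes a constructor that registers a match.
 * The registry and struct below are stand-ins for xtables.h, not the real API. */
#include <stdio.h>
#include <string.h>

struct toy_match {
    const char *name;              /* match names are lower-case by convention */
    unsigned int revision;
    const struct toy_match *next;  /* registry link, filled in on registration */
};

static const struct toy_match *registry;   /* head of the registered-match list */

/* Stand-in for xtables_register_match(): link the descriptor into the list. */
void toy_register_match(struct toy_match *m)
{
    m->next = registry;
    registry = m;
}

/* How many matches have registered so far (all of it happens at load time). */
int toy_match_count(void)
{
    int n = 0;
    for (const struct toy_match *m = registry; m != NULL; m = m->next)
        n++;
    return n;
}

/* 1 if a match with this name has registered, else 0. */
int toy_match_registered(const char *name)
{
    for (const struct toy_match *m = registry; m != NULL; m = m->next)
        if (strcmp(m->name, name) == 0)
            return 1;
    return 0;
}

/* xtables.h maps the _init keyword to a constructor whose name is derived from
 * the plugin name (libxt_ipaddr_init for libxt_ipaddr.so), so registration
 * runs when the .so is loaded, before any other code calls into it. In the
 * real build the suffix comes from the Makefile; this example hard-codes it. */
#define _init __attribute__((constructor)) libxt_ipaddr_init

static struct toy_match ipaddr_mt_reg = {
    .name = "ipaddr",
    .revision = 0,
};

void _init(void)
{
    toy_register_match(&ipaddr_mt_reg);
}

int main(void)
{
    /* By the time main() runs, the constructor has already registered the match. */
    printf("registered matches: %d\n", toy_match_count());
    printf("ipaddr registered: %s\n", toy_match_registered("ipaddr") ? "yes" : "no");
    return 0;
}
```

Because the expanded name is an ordinary external symbol, defining a second function called libxt_ipaddr_init in the same object produces exactly the duplicate-definition error the text warns about.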
5. Target
Just like for matches, there is also a convention for targets. All it takes
is replacing the _mt part by _tg. While targets’ names are upper-case, symbols will remain lower-case.
--------------------------------
userspace:
xtables.h: struct xtables_match, struct xtables_target
xtables_register_match()
xtables_register_target()
1) static void _init(void)
{
xtables_register_match();
}
2) void __attribute__((constructor)) name_init(void)
{
xtables_register_match();
}
kernel module:
linux/netfilter/x_tables.h: struct xt_match, struct xt_target
xt_(un)register_match();
xt_(un)register_target();