Category: LINUX

2010-03-22 22:45:04

wiki:
iptables is a user-space application program that allows a system administrator to configure the tables provided by the firewall (implemented as different kernel modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

iptables is also commonly used to refer, inclusively, to the kernel-level components. x_tables is the name of the kernel module carrying the shared code used by all four modules; it also provides the API used by extensions. Consequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, eb) architecture.

-----


Netfilter connections can be manipulated with the user-space tool conntrack.

iptables can inspect connection-tracking information such as a connection's state and status to make packet-filtering rules more powerful and easier to manage. The most common states are:

  • “NEW”: the packet is trying to create a new connection
  • “ESTABLISHED”: the packet is part of an already-existing connection
  • “RELATED”: assigned to a packet that is initiating a new connection which has been “expected”. Connection-tracking helpers (mini-ALGs) set up these expectations, for example when the nf_conntrack_ftp module sees a “PASV” command.
  • “INVALID”: the packet was found to be invalid, e.g. it would not adhere to the protocol's state diagram.
  • “UNTRACKED”: a special state that can be assigned by the administrator to bypass connection tracking for a particular packet (see the raw table)

A typical example: the first packet the conntrack subsystem sees is classified “new”, the reply is classified “established”, and an ICMP error belonging to that connection is classified “related”. An ICMP error packet which does not match any known connection is “invalid”.

-----

Further Netfilter projects:

  • ulogd
  • conntrack-tools
  • ipset

User-space libraries

The Netfilter project also provides a set of libraries, prefixed libnetfilter, that can be used to perform different tasks from user-space. These libraries are released under the GNU GPL version 2. Specifically, they are:

  • libnetfilter_queue, which allows user-space packet queueing in conjunction with iptables.
  • libnetfilter_conntrack, which allows manipulating connection-tracking entries from user-space.
  • libnetfilter_log, which allows collecting log messages generated by iptables.
  • libiptc, which allows changing the iptables firewall ruleset.

---------------------------------------------------

1. Nomenclature

By convention, names of Xtables matches are always lower-case, and names of Xtables targets are upper-case. Xtables modules are typically prefixed with xt_, forming, for example, xt_MARK for a target and xt_connmark for a match.

x_tables refers to the kernel module that provides the generic, (mostly) protocol-independent table-based firewalling used in Linux, and ip_tables, ip6_tables, arp_tables and ebtables are the kernel modules providing family-specific tables for the iptables, ip6tables, arptables and ebtables tools.

ip, ip6, arp and eb table modules traditionally used distinct prefixes, according to their subsystem. They were ipt_, ip6t_, arpt_ and ebt_, respectively. Use of these is fading and should be avoided for new modules. As far as userspace is concerned, iptables modules use libxt_ as their prefix.

2. Match

A match may not modify many structures: as you can see from the function prototypes later on, a lot of variables are declared const. Modifying any of this data should only be done in targets.

Data structures shared between userspace and the kernel must use fixed-width types. This is because long, for example, has a different size in 32- and 64-bit environments: on x86, long is 4 bytes, but on x86_64 it is 8 bytes.

union nf_inet_addr:
   It is defined in , and for struct in_addr and struct in6_addr to work, you need to include and in kernel-space, or in userspace, respectively.
3. Userspace

The _init function is called when the module is loaded by iptables. As a small implementation detail, note that _init is actually defined as a macro by iptables, and the keyword is replaced by the logic needed to wire the module up with iptables. We cannot strictly use the name _init, because the Glibc CRT (common runtime) stubs that are linked into shared libraries already define it.

       void _init(void)
       {
                 xtables_register_match(&ipaddr_mt_reg);
       }

When iptables is built, this expands to:

       void __attribute__((constructor)) libxt_ipaddr_init(void)

so you may not use the name libxt_ipaddr_init for other functions, or you will get an unfortunate compile error.

If you use the Xtables-addons framework, simply write

       static void _init(void)

i.e. with the static keyword and without the extra prototype above it, because modules are always compiled as shared library objects (.so), so no symbols need to be globally visible.
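The registration flow described above, as an added example that is not from the page or the Xtables-addons project: a self-contained mock of the libxtables registry, where mock_xtables_register_match, mock_xtables_find_match and struct mock_xtables_match stand in for the real xtables.h API and xt_ipaddr_mtinfo is a hypothetical private-data struct. It shows the constructor that the _init macro expands to running at load time, and the fixed-width layout rule for data shared with the kernel; for a target, the same code would use _tg in place of _mt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shared with the kernel: fixed-width types only; `long` is 4 bytes on x86, 8 on x86_64. */
struct xt_ipaddr_mtinfo {      /* hypothetical name */
    uint32_t src, dst;         /* IPv4 addresses to match */
    uint8_t  flags, pad[3];    /* explicit padding keeps the size stable */
};
_Static_assert(sizeof(struct xt_ipaddr_mtinfo) == 12, "layout must not vary");

/* Stand-in for struct xtables_match from xtables.h (hypothetical). */
struct mock_xtables_match {
    const char *name;          /* lower-case, as the match convention requires */
    size_t size;               /* sizeof the private data */
    struct mock_xtables_match *next;
};

static struct mock_xtables_match *match_list;   /* mock registry head */
/* Stand-in for xtables_register_match(): link into the registry. */
static void mock_xtables_register_match(struct mock_xtables_match *m)
{
    m->next = match_list;
    match_list = m;
}

/* Lookup helper; libxtables' real counterpart is xtables_find_match(). */
const struct mock_xtables_match *mock_xtables_find_match(const char *name)
{
    for (const struct mock_xtables_match *m = match_list; m; m = m->next)
        if (strcmp(m->name, name) == 0)
            return m;
    return NULL;
}

static struct mock_xtables_match ipaddr_mt_reg =
    { .name = "ipaddr", .size = sizeof(struct xt_ipaddr_mtinfo) };
/* What the `_init` macro expands to: a constructor run when libxt_ipaddr.so loads. */
void __attribute__((constructor)) libxt_ipaddr_init(void)
{
    mock_xtables_register_match(&ipaddr_mt_reg);
}

int main(void)
{
    const struct mock_xtables_match *m = mock_xtables_find_match("ipaddr");
    printf("%s: %zu-byte private data\n", m ? m->name : "none", m ? m->size : 0);
    return m ? 0 : 1;
}
```

Because the constructor runs before main, the lookup succeeds without any explicit registration call, which is exactly why a clashing libxt_ipaddr_init symbol elsewhere is a compile error rather than a silent no-op.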

5. Target

Just like for matches, there is also a convention for targets. All it takes is replacing the _mt part by _tg. While targets' names are upper-case, symbols remain lower-case.


--------------------------------
userspace:
   xtables.h: struct xtables_match, struct xtables_target
              xtables_register_match()
              xtables_register_target()

    1) static void _init(void)
       {
              xtables_register_match();
       }

    2) void __attribute__((constructor)) name_init(void)
       {
              xtables_register_match();
       }

kernel module:
   linux/netfilter/x_tables.h: struct xt_match, struct xt_target
              xt_(un)register_match();
              xt_(un)register_target();



