SOCK_RAW和PF_PACKET及其应用-随风去-ChinaUnix博客

随风去的ChinaUnix博客

首页　| 　博文目录　| 　关于我

随风去

博客访问： 85706
博文数量： 15
博客积分： 0
博客等级：民兵
技术积分： 210
用户组：普通用户
注册时间： 2014-01-05 15:27

文章分类

全部博文（15）

mesos（0）
linux 网络（15）
未分配的博文（0）

文章存档

2014年（15）

我的朋友

相关博文

SOCK_RAW和PF_PACKET及其应用

分类： LINUX

2014-04-19 18:21:16

SOCK_RAW给了用户更大的主动性，可以自己构造L4甚至L3的头，直接和内核进行交互，略过上层的协议栈，如ping命令：

socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3

看下面这个例子：

int sockfd;
struct sockaddr_in addr;
char sendbuf[2048];
char recvbuf[2048];
int datalen = 56;
unsigned short my_cksum(unsigned short *data, int len) { //校验算法
int result = 0;
int i;
for(i=0; i<len/2; i++) {
result += *data;
data++;
}
while(result >> 16)result = (result&0xffff) + (result>>16);
return ~result;
}
void send_icmp() {
struct icmp* icmp = (struct icmp*)sendbuf;
int len = 8+datalen;//长度为L4的头加上负载
icmp->icmp_type = ICMP_ECHO;
icmp->icmp_code = 0;
icmp->icmp_cksum = my_cksum((unsigned short*)icmp, len); //校验值，如果校验值错误的话，不影响发送，但是不会有响应报文
int retval = sendto(sockfd, sendbuf, len, 0, (struct sockaddr*)&addr,sizeof(addr));
printf("send %d\n",retval);
}
void recv_icmp() {
for(;;) {
int len = recvfrom(sockfd, recvbuf, sizeof(recvbuf), 0, 0, 0);
printf("recv len=%d\n",len); //接收到的数据为L3+L4+负载
}
}
int main(int argc, char **argv)
{
int ret;
sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
ret=inet_pton(AF_INET, argv[1], &addr.sin_addr); //初始化目的地址
send_icmp();
recv_icmp();
return 0;
}

运行一次输出结果如下：

root@pavel:/home/pavel# ./3 192.168.1.1
send 64
recv len=84

tcpdump抓的数据如下：

21:42:22.501278 IP 192.168.1.105 > 192.168.1.1: ICMP echo request, id 0, seq 0, length 64
0x0000: 0023 cd5b ead6 8056 f2db 2f7b 0800 4500
0x0010: 0054 18a5 4000 4001 9e49 c0a8 0169 c0a8
0x0020: 0101 0800 f7ff 0000 0000 0000 0000 0000
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000
0x0060: 0000
21:42:22.731070 IP 192.168.1.1 > 192.168.1.105: ICMP echo reply, id 0, seq 0, length 64
0x0000: 8056 f2db 2f7b 0023 cd5b ead6 0800 4500
0x0010: 0054 8460 4000 4001 328e c0a8 0101 c0a8
0x0020: 0169 0000 ffff 0000 0000 0000 0000 0000
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000
0x0060: 0000

可以看到上述代码基本完成了类似ping的功能
SOCK_RAW除了用户可以构造L4的头，甚至L3的头，还可以用开监听接收报文。同样的刚才的那个程序，如果单独运行的话，只发送一次，接收打印一次，然后就等待，如果此时在开另外一个窗口运行：ping 192.168.1.1的话，刚才的程序同样可以接收到响应这个ping命令的报文。
这个主要是在函数ip_local_deliver_finish中实现的，该函数在调用真正的L4层注册的协议前调用了函数raw_local_deliver：

int raw_local_deliver(struct sk_buff *skb, int protocol)
{
int hash;
struct sock *raw_sk;
hash = protocol & (RAW_HTABLE_SIZE - 1);
raw_sk = sk_head(&raw_v4_hashinfo.ht[hash]);
/* If there maybe a raw socket we must check - if not we
* don't care less
*/
if (raw_sk && !raw_v4_input(skb, ip_hdr(skb), hash))
raw_sk = NULL;
return raw_sk != NULL;
}

static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
{
struct sock *sk;
struct hlist_head *head;
int delivered = 0;
struct net *net;
read_lock(&raw_v4_hashinfo.lock);
head = &raw_v4_hashinfo.ht[hash];
if (hlist_empty(head))
goto out;
net = dev_net(skb->dev);
sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
iph->saddr, iph->daddr,
skb->dev->ifindex);
while (sk) {
delivered = 1;
if (iph->protocol != IPPROTO_ICMP || !icmp_filter(sk, skb)) {
struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
/* Not releasing hash */
if (clone)
raw_rcv(sk, clone);
}
sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol, //循环调用，直到遍历完，因此如果多开几个测试程序，然后运行ping命令的话
iph->saddr, iph->daddr, //所有的测试程序都能接收到reply报文
skb->dev->ifindex);
}
out:
read_unlock(&raw_v4_hashinfo.lock);
return delivered;
}

符合条件的每一个sock都会调用raw_rcv：

int raw_rcv(struct sock *sk, struct sk_buff *skb)
{
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
atomic_inc(&sk->sk_drops);
kfree_skb(skb);
return NET_RX_DROP;
}
nf_reset(skb);
skb_push(skb, skb->data - skb_network_header(skb));//从这里可以看到接收到的报文是包含L3的头的，但是不包含L2的头
//要获取L2的头的话，需要使用PF_PACKET
raw_rcv_skb(sk, skb);
return 0;
}

系统中raw相关的信息可以通过proc查到，下面这个是开了两个测试程序以及一个ping命令后的结果：

pavel@pavel:~$ cat /proc/net/raw
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 200182 2 0000000000000000 0
1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 190496 2 0000000000000000 0
1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 180978 2 0000000000000000 0

SOCK_RAW同样可以从驱动层直接获取报文，因此可以用于网络包的分析，如tcpdump命令，不过需要和PF_PACKET一起：

socket(PF_PACKET, SOCK_RAW, 768) = 3 //ETH_P_ALL

先看一下tcpdump相关的内容，看tcpdump是如何实现的，试着写一个类似的程序：
PF_PACKET的初始化如下：

static int __init packet_init(void)
{
int rc = proto_register(&packet_proto, 0);
if (rc != 0)
goto out;
sock_register(&packet_family_ops);
register_pernet_subsys(&packet_net_ops);
register_netdevice_notifier(&packet_netdev_notifier);
out:
return rc;
}

相应的数据结构：

static struct proto packet_proto = {
.name = "PACKET",
.owner = THIS_MODULE,
.obj_size = sizeof(struct packet_sock),
};
static const struct net_proto_family packet_family_ops = {
.family = PF_PACKET,
.create = packet_create,
.owner = THIS_MODULE,
};
static struct pernet_operations packet_net_ops = {
.init = packet_net_init,
.exit = packet_net_exit,
};

static const struct proto_ops packet_ops = {
.family = PF_PACKET,
.owner = THIS_MODULE,
.release = packet_release,
.bind = packet_bind,
.connect = sock_no_connect,
.socketpair = sock_no_socketpair,
.accept = sock_no_accept,
.getname = packet_getname,
.poll = packet_poll,
.ioctl = packet_ioctl,
.listen = sock_no_listen,
.shutdown = sock_no_shutdown,
.setsockopt = packet_setsockopt,
.getsockopt = packet_getsockopt,
.sendmsg = packet_sendmsg,
.recvmsg = packet_recvmsg,
.mmap = packet_mmap,
.sendpage = sock_no_sendpage,
};

socket系统调用分配struct socket数据结构，赋值分量：

sock->type = type; //SOCK_RAW

然后调用packet_create，初始化相应的分量：

static int packet_create(struct net *net, struct socket *sock, int protocol,
int kern)
{
struct sock *sk;
struct packet_sock *po;
__be16 proto = (__force __be16)protocol; /* weird, but documented */ //ETH_P_ALL
int err;
if (!capable(CAP_NET_RAW))
return -EPERM;
if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
sock->type != SOCK_PACKET)
return -ESOCKTNOSUPPORT;
sock->state = SS_UNCONNECTED;
err = -ENOBUFS;
sk = sk_alloc(net, PF_PACKET, GFP_KERNEL, &packet_proto);
if (sk == NULL)
goto out;
sock->ops = &packet_ops;
if (sock->type == SOCK_PACKET) //SOCK_RAW
sock->ops = &packet_ops_spkt;
sock_init_data(sock, sk);
po = pkt_sk(sk);
sk->sk_family = PF_PACKET;
po->num = proto;
sk->sk_destruct = packet_sock_destruct;
sk_refcnt_debug_inc(sk);
/*
* Attach a protocol block
*/
spin_lock_init(&po->bind_lock);
mutex_init(&po->pg_vec_lock);
po->prot_hook.func = packet_rcv;
if (sock->type == SOCK_PACKET)
po->prot_hook.func = packet_rcv_spkt;
po->prot_hook.af_packet_priv = sk;
if (proto) {
po->prot_hook.type = proto;
register_prot_hook(sk); //注册当前packet_type到ptype_all链表中，这样接收的时候可以触发相应的接收函数
}
spin_lock_bh(&net->packet.sklist_lock);
sk_add_node_rcu(sk, &net->packet.sklist);
sock_prot_inuse_add(net, &packet_proto, 1);
spin_unlock_bh(&net->packet.sklist_lock);
return 0;
out:
return err;
}

利用上述的socket类型，很容易获取到一个完整的数据包：

int main(int argc, char **argv) {
int sock, n;
char buffer[LENGTH];
unsigned char *iphead, *ethhead;
if ( (sock=socket(PF_PACKET, SOCK_RAW,htons(ETH_P_ALL)))<0) {
perror("socket");
return -1;
}
while (1) {
int i;
n = recvfrom(sock,buffer,LENGTH,0,NULL,NULL);
printf("%d bytes read \n",n);
for(i=0;i<n;i++)
printf("%x ",buffer[i]);
printf("\n");
}
}

其中一次的接收数据如下：

98 bytes read //64+L3+L2
ffffff80 56 fffffff2 ffffffdb 2f 7b 0 23 ffffffcd 5b ffffffea ffffffd6 8 0 45 0 0 54 78 ffffffea 40 0 40 1 3e 4 ffffffc0 ffffffa8 1 1 ffffffc0 ffffffa8 1 69 0 0 3b 33 24 30 0 1 40 38 52 53 0 0 0 0 4d 3d 2 0 0 0 0 0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37

对应的tcpdump输出如下：

16:48:00.177672 IP 192.168.1.1 > 192.168.1.105: ICMP echo reply, id 9264, seq 1, length 64
0x0000: 8056 f2db 2f7b 0023 cd5b ead6 0800 4500
0x0010: 0054 78ea 4000 4001 3e04 c0a8 0101 c0a8
0x0020: 0169 0000 3b33 2430 0001 4038 5253 0000
0x0030: 0000 4d3d 0200 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637

可以看到两者完全对应。

我们知道在函数__netif_receive_skb中会把根据收到的包的类型，调用不同的L3注册的函数，其中涉及ptype_all和ptype_base两个数据结构。
默认情况下如下：

Type Device Function
0800 ip_rcv
0011 llc_rcv [llc]
0004 llc_rcv [llc]
0806 arp_rcv
86dd ipv6_rcv

运行测试程序如下：

Type Device Function
ALL packet_rcv //增加了这一样，意味着所有的包都会增加调用这个函数的一步，register_prot_hook函数完成
0800 ip_rcv
0011 llc_rcv [llc]
0004 llc_rcv [llc]
0806 arp_rcv
86dd ipv6_rcv

tcpdump运行后的输出如下：

Type Device Function
ALL eth0 tpacket_rcv //tcpdump增加了PACKET_RX_RING的设置
0800 ip_rcv
0011 llc_rcv [llc]
0004 llc_rcv [llc]
0806 arp_rcv

static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
struct packet_type *pt, struct net_device *orig_dev)
{
struct sock *sk;
struct sockaddr_ll *sll;
struct packet_sock *po;
u8 *skb_head = skb->data;
int skb_len = skb->len;
unsigned int snaplen, res;
if (skb->pkt_type == PACKET_LOOPBACK)
goto drop;
sk = pt->af_packet_priv; //packet_create的时候赋值
po = pkt_sk(sk);
if (!net_eq(dev_net(dev), sock_net(sk)))
goto drop;
skb->dev = dev;
if (dev->header_ops) {
/* The device has an explicit notion of ll header,
* exported to higher levels.
*
* Otherwise, the device hides details of its frame
* structure, so that corresponding packet head is
* never delivered to user.
*/
if (sk->sk_type != SOCK_DGRAM) //L2头在驱动程序中pull了，因此这里push，使得用于可以接收到L2头的数据
skb_push(skb, skb->data - skb_mac_header(skb));
else if (skb->pkt_type == PACKET_OUTGOING) {
/* Special case: outgoing packets have ll header at head */
skb_pull(skb, skb_network_offset(skb));
}
}
snaplen = skb->len;
res = run_filter(skb, sk, snaplen);
if (!res)
goto drop_n_restore;
if (snaplen > res)
snaplen = res;
if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
(unsigned)sk->sk_rcvbuf)
goto drop_n_acct;
if (skb_shared(skb)) {
struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
if (nskb == NULL)
goto drop_n_acct;
if (skb_head != skb->data) {
skb->data = skb_head;
skb->len = skb_len;
}
kfree_skb(skb);
skb = nskb;
}
BUILD_BUG_ON(sizeof(*PACKET_SKB_CB(skb)) + MAX_ADDR_LEN - 8 >
sizeof(skb->cb));
sll = &PACKET_SKB_CB(skb)->sa.ll;
sll->sll_family = AF_PACKET;
sll->sll_hatype = dev->type;
sll->sll_protocol = skb->protocol;
sll->sll_pkttype = skb->pkt_type;
if (unlikely(po->origdev))
sll->sll_ifindex = orig_dev->ifindex;
else
sll->sll_ifindex = dev->ifindex;
sll->sll_halen = dev_parse_header(skb, sll->sll_addr);
PACKET_SKB_CB(skb)->origlen = skb->len;
if (pskb_trim(skb, snaplen))
goto drop_n_acct;
skb_set_owner_r(skb, sk);
skb->dev = NULL;
skb_dst_drop(skb);
/* drop conntrack reference */
nf_reset(skb);
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_packets++;
skb->dropcount = atomic_read(&sk->sk_drops);
__skb_queue_tail(&sk->sk_receive_queue, skb); //和其他socket类型不同是不处理L3以及L4的头，直接把原始数据传给用户态
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
return 0;
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_drops++;
atomic_inc(&sk->sk_drops);
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
if (skb_head != skb->data && skb_shared(skb)) {
skb->data = skb_head;
skb->len = skb_len;
}
drop:
consume_skb(skb);
return 0;
}

总结：
1）tcpdump的原理是利用PF_PACKET类型的socket类型，在ptype_all链表中增加处理函数，使得所有进来的包都能捕捉到
2）PF_PACKET对应的收包函数不处理L3和L4的头，因此用户可以得到完全原始的数据，包括L2、L3以及L4的头

混杂模式，默认情况下网卡只是接收发给自己或者组播、广播的报文，对于发给其他MAC地址的报文，硬件上就直接丢弃了。为了更好的监听网络信息，需要获取这些报文，这个可以通过把网卡设成混杂模式实现。
一般运行tcpdump后会打印：device eth* entered promiscuous mode
用户态程序通过ioctl可以实现：

struct ifreq ethreq;
strncpy(ethreq.ifr_name,"eth1",IFNAMSIZ);
if (ioctl(sock,SIOCGIFFLAGS,&ethreq)==-1) {
perror("ioctl");
close(sock);
return -1;
}
ethreq.ifr_flags |= IFF_PROMISC;
if (ioctl(sock,SIOCSIFFLAGS,&ethreq)==-1) {
perror("ioctl");
close(sock);
return -1;
}

内核的调用流程如下：

[ 144.165484] [<ffffffff815e0af7>] __dev_set_rx_mode+0x57/0xa0
[ 144.165486] [<ffffffff815e0b66>] dev_set_rx_mode+0x26/0x40
[ 144.165489] [<ffffffff815e0d27>] dev_set_promiscuity+0x37/0x50
[ 144.165491] [<ffffffff815e0f01>] __dev_change_flags+0xd1/0x170
[ 144.165494] [<ffffffff815e104d>] dev_change_flags+0x1d/0x60
[ 144.165499] [<ffffffff81644463>] devinet_ioctl+0x693/0x790
[ 144.165502] [<ffffffff8164523d>] inet_ioctl+0x6d/0xa0
[ 144.165504] [<ffffffff8169c6f1>] packet_ioctl+0xc1/0x150
[ 144.165508] [<ffffffff815c4ff5>] sock_do_ioctl+0x25/0x50
[ 144.165510] [<ffffffff815c5438>] sock_ioctl+0x1c8/0x280
[ 144.165513] [<ffffffff811b75c5>] do_vfs_ioctl+0x2e5/0x4d0

__dev_set_rx_mode会调用驱动的ndo_set_rx_mode或者ndo_set_multicast_list函数，r8169驱动注册的钩子函数如下：

static void rtl_set_rx_mode(struct net_device *dev)
{
struct rtl8169_private *tp = netdev_priv(dev);
void __iomem *ioaddr = tp->mmio_addr;
unsigned long flags;
u32 mc_filter[2]; /* Multicast hash filter */
int rx_mode;
u32 tmp = 0;
if (dev->flags & IFF_PROMISC) {
/* Unconditionally log net taps. */
netif_notice(tp, link, dev, "Promiscuous mode enabled\n");
rx_mode =
AcceptBroadcast | AcceptMulticast | AcceptMyPhys |
AcceptAllPhys; //混杂模式下接收所有报文
mc_filter[1] = mc_filter[0] = 0xffffffff;
} else if ((netdev_mc_count(dev) > multicast_filter_limit) ||
(dev->flags & IFF_ALLMULTI)) {
/* Too many to filter perfectly -- accept all multicasts. */
rx_mode = AcceptBroadcast | AcceptMulticast | AcceptMyPhys;
mc_filter[1] = mc_filter[0] = 0xffffffff;
} else {
struct netdev_hw_addr *ha;
rx_mode = AcceptBroadcast | AcceptMyPhys;
mc_filter[1] = mc_filter[0] = 0;
netdev_for_each_mc_addr(ha, dev) {
int bit_nr = ether_crc(ETH_ALEN, ha->addr) >> 26;
mc_filter[bit_nr >> 5] |= 1 << (bit_nr & 31);
rx_mode |= AcceptMulticast;
}
}
spin_lock_irqsave(&tp->lock, flags);
tmp = (RTL_R32(RxConfig) & ~RX_CONFIG_ACCEPT_MASK) | rx_mode;
if (tp->mac_version > RTL_GIGA_MAC_VER_06) {
u32 data = mc_filter[0];
mc_filter[0] = swab32(mc_filter[1]);
mc_filter[1] = swab32(data);
}
RTL_W32(MAR0 + 4, mc_filter[1]);
RTL_W32(MAR0 + 0, mc_filter[0]);
RTL_W32(RxConfig, tmp);
spin_unlock_irqrestore(&tp->lock, flags);
}

其中变量定义如下：

AcceptErr = 0x20,
AcceptRunt = 0x10,
AcceptBroadcast = 0x08,
AcceptMulticast = 0x04,
AcceptMyPhys = 0x02,
AcceptAllPhys = 0x01,

对照芯片手册，比较清楚的可以知道上述的含义，就是写相关的硬件寄存器，让其接收所有的报文。

看一下发送的数据包是如何捕捉到的：

int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
struct netdev_queue *txq)
{
const struct net_device_ops *ops = dev->netdev_ops;
int rc = NETDEV_TX_OK;
unsigned int skb_len;
if (likely(!skb->next)) {
u32 features;
/*
* If device doesn't need skb->dst, release it right now while
* its hot in this cpu cache
*/
if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
skb_dst_drop(skb);
if (!list_empty(&ptype_all))
dev_queue_xmit_nit(skb, dev); //调用钩子函数
...
}

static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
{
struct packet_type *ptype;
struct sk_buff *skb2 = NULL;
struct packet_type *pt_prev = NULL;
rcu_read_lock();
list_for_each_entry_rcu(ptype, &ptype_all, list) {
/* Never send packets back to the socket
* they originated from - MvS (miquels@drinkel.ow.org)
*/
if ((ptype->dev == dev || !ptype->dev) &&
(ptype->af_packet_priv == NULL ||
(struct sock *)ptype->af_packet_priv != skb->sk)) {
if (pt_prev) {
deliver_skb(skb2, pt_prev, skb->dev);
pt_prev = ptype;
continue;
}
skb2 = skb_clone(skb, GFP_ATOMIC);
if (!skb2)
break;
net_timestamp_set(skb2);
/* skb->nh should be correctly
set by sender, so that the second statement is
just protection against buggy protocols.
*/
skb_reset_mac_header(skb2);
if (skb_network_header(skb2) < skb2->data ||
skb2->network_header > skb2->tail) {
if (net_ratelimit())
printk(KERN_CRIT "protocol %04x is "
"buggy, dev %s\n",
ntohs(skb2->protocol),
dev->name);
skb_reset_network_header(skb2);
}
skb2->transport_header = skb2->network_header;
skb2->pkt_type = PACKET_OUTGOING;
pt_prev = ptype;
}
}
if (pt_prev)
pt_prev->func(skb2, skb->dev, pt_prev, skb->dev);
rcu_read_unlock();
}

发送的流程调用的是和接收流程一样的函数。

阅读(10149) | 评论(0) | 转发(0) |

上一篇：NAPI

下一篇：没有了

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6