All of lore.kernel.org
 help / color / mirror / Atom feed
* Why this hook_func could not run correctly?
@ 2010-03-03 13:59 supercodeing35271 supercodeing35271
  2010-03-03 14:18 ` Jan Engelhardt
  0 siblings, 1 reply; 2+ messages in thread
From: supercodeing35271 supercodeing35271 @ 2010-03-03 13:59 UTC (permalink / raw)
  To: netfilter-devel

Hi,i am in trouble.what i do is that write a hook function which have
the same impression of the iptables's rules below:
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

this is my code:
#include <linux/module.h>	
#include <linux/kernel.h>	
#include <linux/init.h>		
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
static struct nf_hook_ops nfho;
static struct tcphdr *tcp;
static unsigned int hook_func(unsigned int hooknum,
		       struct sk_buff *skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
{
    if(skb->dev == out)
    {
	return NF_ACCEPT;
    }
    tcp = tcp_hdr(skb);
    if(tcp->syn == 1 && (tcp->fin == 1 || tcp->rst == 1))
    {
	printk("1drop1drop \n");
	return NF_DROP;
    }
    if(tcp->fin == 1 && (tcp->rst == 1 || tcp->ack == 0))
    {
	printk("2drop2drop \n");
	return NF_DROP;
    }
    if(tcp->ack == 0 && (tcp->psh == 1 || tcp->urg == 1))
    {
	printk("3drop3drop \n");
	return NF_DROP;
    }
    return NF_ACCEPT;
}
static int __init myfirewall_init(void)
{
    /* Fill in our hook structure */
    nfho.pf  = PF_INET;
    nfho.priority = 1;
    nfho.hooknum = NF_INET_PRE_ROUTING;
    nfho.hook = hook_func;
    nf_register_hook(&nfho);
    return 0;	
}
static void __exit myfirewall_exit(void)
{
    nf_unregister_hook(&nfho);
}
module_init(myfirewall_init);
module_exit(myfirewall_exit);

The iptables's rules is ok(which is found in the book <<Linux
Firewalls, Third Edition>>),the problem is that my code could not run
correctly in the kernel.When i insmod the code,the browser could not
open any site.
So who can tell me that where in my code is not right.........

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Why this hook_func could not run correctly?
  2010-03-03 13:59 Why this hook_func could not run correctly? supercodeing35271 supercodeing35271
@ 2010-03-03 14:18 ` Jan Engelhardt
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Engelhardt @ 2010-03-03 14:18 UTC (permalink / raw)
  To: supercodeing35271 supercodeing35271; +Cc: netfilter-devel


On Wednesday 2010-03-03 14:59, supercodeing35271 supercodeing35271 wrote:
>
>this is my code:
>#include <linux/module.h>	
>#include <linux/kernel.h>	
>#include <linux/init.h>		
>#include <linux/netfilter.h>
>#include <linux/netfilter_ipv4.h>
>#include <linux/ip.h>
>#include <linux/tcp.h>
>static struct tcphdr *tcp;

This is terribly SMP-unsafe/racey.

>static unsigned int hook_func(unsigned int hooknum,
>		       struct sk_buff *skb,
>		       const struct net_device *in,
>		       const struct net_device *out,
>		       int (*okfn)(struct sk_buff *))
>{
>    if(skb->dev == out)
>    {
>	return NF_ACCEPT;
>    }
>    tcp = tcp_hdr(skb);

The packet might be fragmented, or incomplete. Thus you have a potential
access-beyond end-of-packet here.

>    if(tcp->syn == 1 && (tcp->fin == 1 || tcp->rst == 1))
>    {
>	printk("1drop1drop \n");
>	return NF_DROP;
>    }
>    if(tcp->fin == 1 && (tcp->rst == 1 || tcp->ack == 0))
>    {
>	printk("2drop2drop \n");
>	return NF_DROP;
>    }
>    if(tcp->ack == 0 && (tcp->psh == 1 || tcp->urg == 1))
>    {
>	printk("3drop3drop \n");
>	return NF_DROP;
>    }
>    return NF_ACCEPT;
>}
>static int __init myfirewall_init(void)
>{
>    /* Fill in our hook structure */
>    nfho.pf  = PF_INET;
>    nfho.priority = 1;
>    nfho.hooknum = NF_INET_PRE_ROUTING;
>    nfho.hook = hook_func;
>    nf_register_hook(&nfho);
>    return 0;	
>}
>static void __exit myfirewall_exit(void)
>{
>    nf_unregister_hook(&nfho);
>}
>module_init(myfirewall_init);
>module_exit(myfirewall_exit);
>
>The iptables's rules is ok(which is found in the book <<Linux
>Firewalls, Third Edition>>),the problem is that my code could not run
>correctly in the kernel.When i insmod the code,the browser could not
>open any site.
>So who can tell me that where in my code is not right.........

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-03-03 14:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-03-03 13:59 Why this hook_func could not run correctly? supercodeing35271 supercodeing35271
2010-03-03 14:18 ` Jan Engelhardt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.