* Why this hook_func could not run correctly?
From: supercodeing35271 supercodeing35271 @ 2010-03-03 13:59 UTC
To: netfilter-devel
Hi, I am in trouble. What I am doing is writing a hook function which has
the same effect as the iptables rules below:
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
This is my code:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>

static struct nf_hook_ops nfho;
static struct tcphdr *tcp;      /* one pointer shared by every call of the hook */

static unsigned int hook_func(unsigned int hooknum,
                              struct sk_buff *skb,
                              const struct net_device *in,
                              const struct net_device *out,
                              int (*okfn)(struct sk_buff *))
{
    if (skb->dev == out)
        return NF_ACCEPT;

    /* Take the TCP header of the skb; the IP protocol field and the
     * available header length are not checked first. */
    tcp = tcp_hdr(skb);

    /* SYN together with FIN or RST (rules 1 and 2 above) */
    if (tcp->syn == 1 && (tcp->fin == 1 || tcp->rst == 1)) {
        printk("1drop1drop \n");
        return NF_DROP;
    }
    /* FIN together with RST, or FIN without ACK (rules 3 and 4 above) */
    if (tcp->fin == 1 && (tcp->rst == 1 || tcp->ack == 0)) {
        printk("2drop2drop \n");
        return NF_DROP;
    }
    /* PSH or URG without ACK (rules 5 and 6 above) */
    if (tcp->ack == 0 && (tcp->psh == 1 || tcp->urg == 1)) {
        printk("3drop3drop \n");
        return NF_DROP;
    }
    return NF_ACCEPT;
}

static int __init myfirewall_init(void)
{
    /* Fill in our hook structure */
    nfho.pf = PF_INET;
    nfho.priority = 1;
    nfho.hooknum = NF_INET_PRE_ROUTING;
    nfho.hook = hook_func;
    nf_register_hook(&nfho);
    return 0;
}

static void __exit myfirewall_exit(void)
{
    nf_unregister_hook(&nfho);
}

module_init(myfirewall_init);
module_exit(myfirewall_exit);
The iptables rules are OK (they are found in the book <<Linux
Firewalls, Third Edition>>); the problem is that my code could not run
correctly in the kernel. When I insmod the code, the browser could not
open any site.
So who can tell me where in my code is not right?
* Re: Why this hook_func could not run correctly?
From: Jan Engelhardt @ 2010-03-03 14:18 UTC
To: supercodeing35271 supercodeing35271; +Cc: netfilter-devel
On Wednesday 2010-03-03 14:59, supercodeing35271 supercodeing35271 wrote:
>
>this is my code:
>#include <linux/module.h>
>#include <linux/kernel.h>
>#include <linux/init.h>
>#include <linux/netfilter.h>
>#include <linux/netfilter_ipv4.h>
>#include <linux/ip.h>
>#include <linux/tcp.h>
>static struct tcphdr *tcp;
This is terribly SMP-unsafe/racy.
>static unsigned int hook_func(unsigned int hooknum,
> struct sk_buff *skb,
> const struct net_device *in,
> const struct net_device *out,
> int (*okfn)(struct sk_buff *))
>{
> if(skb->dev == out)
> {
> return NF_ACCEPT;
> }
> tcp = tcp_hdr(skb);
The packet might be fragmented, or incomplete. Thus you have a potential
access-beyond end-of-packet here.
> if(tcp->syn == 1 && (tcp->fin == 1 || tcp->rst == 1))
> {
> printk("1drop1drop \n");
> return NF_DROP;
> }
> if(tcp->fin == 1 && (tcp->rst == 1 || tcp->ack == 0))
> {
> printk("2drop2drop \n");
> return NF_DROP;
> }
> if(tcp->ack == 0 && (tcp->psh == 1 || tcp->urg == 1))
> {
> printk("3drop3drop \n");
> return NF_DROP;
> }
> return NF_ACCEPT;
>}
>static int __init myfirewall_init(void)
>{
> /* Fill in our hook structure */
> nfho.pf = PF_INET;
> nfho.priority = 1;
> nfho.hooknum = NF_INET_PRE_ROUTING;
> nfho.hook = hook_func;
> nf_register_hook(&nfho);
> return 0;
>}
>static void __exit myfirewall_exit(void)
>{
> nf_unregister_hook(&nfho);
>}
>module_init(myfirewall_init);
>module_exit(myfirewall_exit);
>
>The iptables rules are OK (they are found in the book <<Linux
>Firewalls, Third Edition>>); the problem is that my code could not run
>correctly in the kernel. When I insmod the code, the browser could not
>open any site.
>So who can tell me where in my code is not right?
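The following is an added example, not code from either message above: a user-space C model of the six --tcp-flags rules from the original post, with the protocol, fragment and length checks that the reply points out are missing before tcp_hdr() is dereferenced. The rule table, the verdict names and the packet layout assumptions (plain IPv4, TCP flags in byte 13 of the TCP header) are constructed here for illustration.

```c
/* User-space model of the six --tcp-flags rules from the post, plus the
 * protocol, fragment and length checks the posted hook skips. This is an
 * added example, not the poster's module; the rule table is constructed. */
#include <stddef.h>
#include <stdint.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04,
       TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };
enum verdict { V_ACCEPT = 0, V_DROP = 1 };

/* --tcp-flags MASK COMP matches when, of the bits in MASK, exactly the
 * bits in COMP are set. The six rules are (mask, comp) pairs, in order. */
enum verdict verdict_for_flags(uint8_t flags)
{
    static const uint8_t rules[6][2] = {
        { TH_SYN | TH_FIN, TH_SYN | TH_FIN },   /* SYN,FIN SYN,FIN */
        { TH_SYN | TH_RST, TH_SYN | TH_RST },   /* SYN,RST SYN,RST */
        { TH_FIN | TH_RST, TH_FIN | TH_RST },   /* FIN,RST FIN,RST */
        { TH_ACK | TH_FIN, TH_FIN },            /* ACK,FIN FIN     */
        { TH_ACK | TH_PSH, TH_PSH },            /* ACK,PSH PSH     */
        { TH_ACK | TH_URG, TH_URG },            /* ACK,URG URG     */
    };
    for (size_t i = 0; i < 6; i++)
        if ((flags & rules[i][0]) == rules[i][1])
            return V_DROP;
    return V_ACCEPT;
}

/* Classify a raw IPv4 packet of len bytes. The TCP flag byte is read only
 * once the packet is known to be IPv4, protocol 6 (TCP), a first fragment
 * and long enough to hold a TCP header; anything else is passed through
 * unchanged rather than being interpreted as TCP. */
enum verdict verdict_for_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_ACCEPT;                     /* no complete IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || pkt[9] != 6)
        return V_ACCEPT;                     /* bad IHL, or not TCP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return V_ACCEPT;                     /* later fragment: no TCP header */
    if (len < ihl + 20)
        return V_ACCEPT;                     /* TCP header truncated */
    return verdict_for_flags(pkt[ihl + 13]); /* flags byte of TCP header */
}
```

Feeding the same 40 bytes through with the protocol field changed from 6 to 17 shows why the unchecked hook breaks browsing: a UDP datagram whose byte 33 happens to look like SYN+FIN is dropped by the posted code but passed by this version.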