15-441 Computer Networking - PowerPoint PPT Presentation

Provided by: srinivas
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes

1
15-441 Computer Networking
  • Project II question/answer session
  • October 18, 2001

2
Handin
  • Send me email listing group members.
  • Exact format described in project handout.
  • Execute cklog cs.cmu.edu.
  • Wait for confirmation email from me.
  • Test read/write access.
  • Hand in the following files:
    • Source files
    • Makefile
    • Project report
  • Make sure the handin is correct!!

3
Progress Report
  • Who has IP layer running?
  • NAT/Firewall?
  • DHCP?

4
IP Header ip_output()
  • The TCP and UDP layers already allocate space for the
    IP header in the pbuf.
    • Breaks layering.
    • Convenient.
    • Makes TCP/UDP checksumming easier.
  • The p_data member of the pbuf handed over to ip_output()
    points to the allocated IP header.
  • Do not modify p_len, p_data,

5
IP Header ip_input()
  • TCP and UDP need access to the IP header.
  • Do not modify p_len, p_data, when handing packet
    over to upper layer.

6
Freeing pbufs()
  • ip_input()
    • Always takes over responsibility for freeing a
      packet when called from the link layer.
    • The TCP and UDP receive functions will free the packet
      unless the port is unreachable.
    • The ICMP receive function always frees packets.
    • The ICMP send function takes over responsibility for
      freeing the packet.
    • Note that icmp_send() calls ip_output().

7
Freeing pbufs()
  • ip_output()
    • Always takes over responsibility for freeing a
      packet when called from the transport layer.
    • Needs to free the packet if an error condition is
      detected and the packet is not handed over to the link
      layer.
    • The link layer takes over responsibility when
      if_start() is called.
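The following is an added example in C, not code from the course's network stack: a toy pbuf model that shows the two conventions from slides 4 to 7 together. The transport layer reserves room for the IP header and hands ip_output() a p_data that already points at it, and every function that receives a pbuf (ip_output(), the link layer via if_start()) owns it and must free it, including on the error path where no route exists. Only pbuf, p_data, p_len, ip_output and if_start are names from the slides; the buffer layout, the route_lookup() stub, the counters and the header bytes written are assumptions made for this example.

```c
/* Added example: toy pbuf ownership model. Not the course's code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IP_HDR_LEN  20
#define UDP_HDR_LEN 8

struct pbuf {
    uint8_t *p_buf;     /* start of the allocation */
    uint8_t *p_data;    /* current layer's view into the buffer */
    int      p_len;     /* bytes from p_data to end of payload */
    int      p_bufsize;
};

/* Counters that let a caller prove nothing leaked (assumed helpers). */
static int g_allocs = 0, g_frees = 0, g_sent = 0;

/* Transport-layer allocation: reserve the IP header up front and set
 * p_data just past it, so p_data - IP_HDR_LEN is the header slot. */
struct pbuf *pbuf_alloc(int payload_len) {
    struct pbuf *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->p_bufsize = IP_HDR_LEN + UDP_HDR_LEN + payload_len;
    p->p_buf = calloc(1, (size_t)p->p_bufsize);
    if (!p->p_buf) { free(p); return NULL; }
    p->p_data = p->p_buf + IP_HDR_LEN;
    p->p_len  = UDP_HDR_LEN + payload_len;
    g_allocs++;
    return p;
}

void pbuf_free(struct pbuf *p) {
    if (!p) return;
    free(p->p_buf);
    free(p);
    g_frees++;
}

/* Simulated routing decision: only 10.0.0.0/8 is reachable. */
static int route_lookup(uint32_t dst) { return (dst >> 24) == 10; }

/* Link layer: owns the packet from the moment if_start() is called. */
static void if_start(struct pbuf *p) { g_sent++; pbuf_free(p); }

/* ip_output(): called by UDP/TCP with p_data at the transport header.
 * It pulls p_data back over the reserved IP header, fills it in, and
 * either hands the packet to the link layer or frees it itself when an
 * error is detected. In both cases the caller must not touch p again. */
int ip_output(struct pbuf *p, uint32_t dst, int flags) {
    (void)flags;
    if (!route_lookup(dst)) {
        pbuf_free(p);          /* error path: still our job to free */
        return -1;
    }
    p->p_data -= IP_HDR_LEN;   /* expose the pre-allocated header */
    p->p_len  += IP_HDR_LEN;
    memset(p->p_data, 0, IP_HDR_LEN);
    p->p_data[0] = 0x45;       /* version 4, IHL 5 */
    p->p_data[2] = (uint8_t)(p->p_len >> 8);   /* total length, big-endian */
    p->p_data[3] = (uint8_t)(p->p_len & 0xff);
    p->p_data[8] = 64;         /* TTL */
    p->p_data[9] = 17;         /* protocol: UDP */
    p->p_data[16] = (uint8_t)(dst >> 24);      /* destination, big-endian */
    p->p_data[17] = (uint8_t)(dst >> 16);
    p->p_data[18] = (uint8_t)(dst >> 8);
    p->p_data[19] = (uint8_t)dst;
    if_start(p);               /* link layer now owns and frees p */
    return 0;
}

/* Transport-layer caller: after ip_output() returns, p is gone either way. */
int udp_send_demo(uint32_t dst) {
    struct pbuf *p = pbuf_alloc(12);
    if (!p) return -1;
    memset(p->p_data, 0, UDP_HDR_LEN + 12);   /* UDP header + payload */
    return ip_output(p, dst, 0);
}

int pbuf_outstanding(void) { return g_allocs - g_frees; }
int pbufs_sent(void) { return g_sent; }
```

The point to check in your own ip_output() is the one the test below exercises: after a successful send and after a failed route lookup, the number of outstanding pbufs is zero, because each path frees exactly once.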

8
Setsockopt()
  • Need a mechanism to set firewalling/NAT rules in the
    kernel from user space.
  • setsockopt(int s, int level, int optname, const
    void *optval, int optlen)
    • First argument is the routing socket.
      • Used for configuring the routing table (and other things).
      • socket(AF_ROUTE, SOCK_RAW, 0)
    • Second and third arguments determine the kernel
      function to be called.
      • IPPROTO_IP/IP_FW_SET → fw_setsockopt()
      • IPPROTO_IP/IP_NAT_SET → nat_setsockopt()

9
Setsockopt()
  • setsockopt(int s, int level, int optname, const
    void *optval, int optlen)
    • Fourth argument is a pointer to an arbitrary data
      structure.
    • Fifth argument is the length of this data
      structure.
  • setsockopt() will copy the data structure from user to
    kernel space, call the requested function, and pass
    it a pointer to the copied data structure and its
    length.

10
Setsockopt()
  • How can we use setsockopt() to configure
    NAT/firewalling rules in the kernel?
  • Define data structures containing a mapping or
    filtering rule:
    • struct nat_rule
    • struct filter_rule
  • Pass a pointer to it (and its length) to
    setsockopt().
  • setsockopt() will copy the data structure to kernel
    space.
  • In fw_setsockopt()/nat_setsockopt(), cast the const
    void * pointer back to a pointer to your data
    structure.
  • Parse the new rule and add it to the set of rules kept in
    the kernel.
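As an added example, not the course's kernel code, the block below simulates the whole path from slides 8 to 10 in one process: user space fills a struct nat_rule or struct filter_rule, a stand-in for setsockopt() copies it into kernel memory and dispatches on (level, optname), and nat_setsockopt()/fw_setsockopt() cast the const void * back to the rule type. The names setsockopt, IPPROTO_IP, IP_FW_SET, IP_NAT_SET, fw_setsockopt, nat_setsockopt, struct nat_rule and struct filter_rule come from the slides; the field layouts, the numeric option values, the sim_setsockopt() wrapper, the rule tables and the socket descriptor value are assumptions. The one thing it adds beyond the slides is the check that the kernel side must do before the cast: reject any optlen that does not match sizeof the rule, so a short or oversized user buffer is never read as a rule.

```c
/* Added example: simulated setsockopt() rule installation. Not the
 * course's code; option numbers and struct layouts are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifndef IPPROTO_IP
#define IPPROTO_IP 0
#endif
#define IP_FW_SET  1000     /* assumed option number */
#define IP_NAT_SET 1001     /* assumed option number */
#define MAX_RULES  16
#define MAX_OPTLEN 4096     /* assumed upper bound on a copied-in option */

struct nat_rule {           /* assumed layout */
    uint32_t internal_addr;
    uint32_t external_addr;
};

struct filter_rule {        /* assumed layout */
    uint32_t src_addr;
    uint32_t src_mask;
    uint16_t dst_port;
    uint8_t  action;        /* 0 = drop, 1 = accept */
    uint8_t  pad;
};

static struct nat_rule    g_nat[MAX_RULES];
static struct filter_rule g_fw[MAX_RULES];
static int g_nat_count = 0, g_fw_count = 0;

/* Kernel side: validate the length first, only then cast the pointer. */
int nat_setsockopt(const void *data, int len) {
    if (len != (int)sizeof(struct nat_rule)) return -1;   /* wrong size */
    if (g_nat_count >= MAX_RULES) return -1;               /* table full */
    const struct nat_rule *r = data;
    if (r->internal_addr == 0 || r->external_addr == 0) return -1;
    g_nat[g_nat_count++] = *r;
    return 0;
}

int fw_setsockopt(const void *data, int len) {
    if (len != (int)sizeof(struct filter_rule)) return -1;
    if (g_fw_count >= MAX_RULES) return -1;
    const struct filter_rule *r = data;
    if (r->action > 1) return -1;                          /* unknown action */
    g_fw[g_fw_count++] = *r;
    return 0;
}

/* Stand-in for the kernel's setsockopt() entry: bounds-check optlen,
 * copy the user buffer into kernel memory (memcpy here stands in for
 * copyin), then dispatch on level/optname to the matching handler. */
int sim_setsockopt(int s, int level, int optname,
                   const void *optval, int optlen) {
    (void)s;   /* would be the AF_ROUTE socket descriptor */
    if (optval == NULL || optlen <= 0 || optlen > MAX_OPTLEN) return -1;
    void *kbuf = malloc((size_t)optlen);
    if (!kbuf) return -1;
    memcpy(kbuf, optval, (size_t)optlen);
    int rc = -1;
    if (level == IPPROTO_IP && optname == IP_NAT_SET)
        rc = nat_setsockopt(kbuf, optlen);
    else if (level == IPPROTO_IP && optname == IP_FW_SET)
        rc = fw_setsockopt(kbuf, optlen);
    free(kbuf);
    return rc;
}

/* User-space side: build the rule and pass pointer plus length. */
int add_nat_rule(uint32_t internal, uint32_t external) {
    struct nat_rule r = { internal, external };
    return sim_setsockopt(3 /* assumed routing socket fd */,
                          IPPROTO_IP, IP_NAT_SET, &r, (int)sizeof r);
}

int add_filter_rule(uint32_t src, uint32_t mask, uint16_t port, uint8_t action) {
    struct filter_rule r = { src, mask, port, action, 0 };
    return sim_setsockopt(3, IPPROTO_IP, IP_FW_SET, &r, (int)sizeof r);
}

int nat_rule_count(void) { return g_nat_count; }
int fw_rule_count(void)  { return g_fw_count; }
```

In the real kernel the length check belongs in fw_setsockopt()/nat_setsockopt() themselves, since setsockopt() only knows that optlen bytes were copied, not what type they are supposed to be.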

11
Miscellaneous
  • Initialize the routing table with a default gateway
    before looking up a route.
    • rttest utility.
  • Keep the robustness of your code in mind, e.g.,
    • byte ordering,
    • checking for error/boundary conditions.
  • You can ignore the next packet in the pbuf packet queue
    (p_nextpkt).
  • The flag passed to ip_output() can be set to
    IP_FORWARDING (not to the IP header flags!!).
    • Should be set when calling ip_output() from
      ip_forwarding().

12
Questions?
  • Read FAQ and bboard before sending email to TAs.