15-441 Computer Networking - PowerPoint PPT Presentation
Title:
15-441 Computer Networking
Description:
Need mechanism to set firewalling/NAT rules in kernel from user space. ... How can we exploit Setsockopt() to configure NAT/firewalling rules in kernel? ... – PowerPoint PPT presentation
Number of Views:28
Avg rating:3.0/5.0
Title: 15-441 Computer Networking
1
15-441 Computer Networking
- Project II question/answer session
- October 18, 2001
2
Handin
- Send me email listing group members.
- Exact format described in project handout.
- Execute cklog cs.cmu.edu.
- Wait for confirmation email from me.
- Test read/write access.
- Hand in the following files
- Source files
- Makefile
- Project report.
- Make sure handin is correct!!
3
Progress Report
- Who has IP layer running?
- NAT/Firewall?
- DHCP?
4
IP Header ip_output()
- TCP and UDP layer already allocate space for the
IP header in the pbuf. - Breaks layering.
- Convenient.
- Makes TCP/UDP checksumming easier.
- p_data member of pbuf handed over to ip_output()
points to allocated IP header. - Do not modify p_len, p_data,
5
IP Header ip_input()
- TCP and UDP need access to the IP header.
- Do not modify p_len, p_data, when handing packet
over to upper layer.
6
Freeing pbufs()
- ip_input()
- Always takes over responsibility for freeing a
packet when called from link layer. - TCP and UDP receive function will free packet
unless port is unreachable. - ICMP receive function always frees packets.
- ICMP send function takes over responsibility for
freeing packet. - Note icmp_send() calls ip_output().
7
Freeing pbufs()
- ip_output()
- Always takes over responsibility for freeing a
packet when called from transport layer. - Needs to free packet if error condition is
detected and packet is not handed over to link
layer. - Link layer takes over responsibility when calling
if_start().
8
Setsockopt()
- Need mechanism to set firewalling/NAT rules in
kernel from user space. - Setsockopt(int s, int level, int optname, const
void optval, int optlen) - First argument is routing socket.
- Used for configuring routing table (and other).
- Socket(AF_ROUTE, SOCK_RAW, 0)
- Second and third argument determine kernel
function to be called. - IPPROTO_IP/IP_FW_SET ? fw_setsockopt()
- IPPROTO_IP/IP_NAT_SET ? nat_setsockopt()
9
Setsockopt()
- Setsockopt(int s, int level, int optname, const
void optval, int optlen) - Fourth argument is pointer to arbitrary data
structure. - Fifth argument denotes length of this data
structure. - Setsockopt()will copy data structure from user to
kernel space, call requested function, and pass
it pointer to copied data structure and its
length.
10
Setsockopt()
- How can we exploit Setsockopt() to configure
NAT/firewalling rules in kernel? - Define data structures containing mapping or
filtering rule - struct nat_rule
- struct filter_rule
- Pass pointer to it (and its length) to
Setsockopt(). - Setsockopt() will copy data structure to kernel
space. - In fw_setsockopt()/nat_setsockopt(), cast const
void pointer back to pointer to your data
structure. - Parse new rule and add it to set of rules kept in
kernel.
11
Miscellaneous
- Initialize routing table with a default gateway
before looking up route. - rttest utility.
- Keep robustness of your code in mind, e.g.,
- byte ordering,
- checking for error/boundary conditions.
- You can ignore next packet in pbuf packet queue
(p_nextpkt). - Flag passed to ip_output() can be set to
IP_FORWARDING (not to IP header flags!!). - Should be set when calling ip_output() from
ip_forwarding().
12
Questions?
- Read FAQ and bboard before sending email to TAs.
Recommended
CrystalGraphics Presentations
