近几天拜读了绿盟公司的一本书,里面有一段关于针对netfilter防火墙二次开发的例子,主要就是通过HOOK内核钩子对流入流出的数据进行包头状态判断并做出处理,但编译不能通过,又不能定位原因。此例程使用到了linux内核模块编程,请大家帮忙看看,例程如下:
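/* The kernel headers are conditionally compiled on __KERNEL__ (two leading
 * and two trailing underscores); _KERNEL_ is not a macro any header tests,
 * so the kernel-only parts of the headers were silently left out.
 * The headers must also come from the kernel source tree
 * (gcc -I<kernel-source>/include ...), not from /usr/include/linux: picking
 * up the glibc copy is the usual cause of the /usr/include/linux/timex.h
 * "field `time' has incomplete type" error reported for this file. */
#define __KERNEL__
#define MODULE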
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/config.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4.h>
/* Log helper for this module: prefixes every message with "ns: " so the
 * module's output can be picked out of the kernel log. Uses the GNU
 * `args...` / `##args` named-variadic extension so a bare message with no
 * arguments is accepted. `fmt` must always be a string literal; never pass
 * packet-derived data as the format. */
#define ALERT(fmt,args...) printk("ns: " fmt,##args)
/* message will be printed to the screen and logged to /var/log/message */
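/*
 * Passive IDS hook for IPv4 (2.4-era netfilter API).
 *
 * Called for every packet that reaches NF_IP_PRE_ROUTING. Logs a few
 * suspicious patterns (land attack, WinNuke, QueSO, SYN/FIN, NULL and XMAS
 * scans, unknown protocols) through ALERT() and lets every packet through.
 *
 * hooknum, in, out, okfn: the standard nf_hookfn arguments, unused here.
 * skb: the packet; (*skb)->nh.iph points at its IP header.
 * Returns NF_ACCEPT for every packet; return NF_DROP instead to turn a
 * detection into a filter.
 */
static unsigned int sample(unsigned int hooknum, struct sk_buff **skb,
                           const struct net_device *in,
                           const struct net_device *out,
                           int (*okfn)(struct sk_buff *))
{
    /* IP protocol numbers this hook distinguishes */
    enum { PROTO_ICMP = 1, PROTO_IGMP = 2, PROTO_TCP = 6, PROTO_UDP = 17 };
    struct iphdr *iph;
    struct tcphdr *tcph;
    struct udphdr *udph;
    /* the kernel's fixed-width types are spelled with two leading underscores */
    __u32 sip;
    __u32 dip;
    __u16 sport;
    __u16 dport;
    unsigned int ip_hlen;    /* IP header length in bytes (ihl counts 32-bit words) */
    unsigned int linear_len; /* bytes of packet data that can be addressed directly */

    iph = (*skb)->nh.iph;
    sip = iph->saddr;
    dip = iph->daddr;
    ip_hlen = iph->ihl * 4;
    /* Only the IP header is guaranteed to be present and linear at this hook
     * (checksum already verified; fragments reassembled when connection
     * tracking is enabled). The transport header may be truncated or sit in
     * a fragment page, so its length is checked before it is dereferenced.
     * skb_headlen() counts from (*skb)->data, which at PRE_ROUTING is the
     * IP header. */
    linear_len = skb_headlen(*skb);

    if (iph->ihl != 5) {
        /* ihl > 5 means IP options are present (ihl < 5 never gets here) */
        ALERT("IP packet with options from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
    }

    if (iph->protocol == PROTO_TCP) {
        /* was `iph->ihl == 6`, which tests the header length, not the protocol */
        if (linear_len < ip_hlen + sizeof(struct tcphdr)) {
            ALERT("truncated tcp packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
            return NF_ACCEPT;
        }
        tcph = (struct tcphdr *)((__u32 *)iph + iph->ihl);
        sport = tcph->source;
        dport = tcph->dest;
        /* every test below reads only the fixed 20-byte TCP header */
        if (tcph->syn && sport == dport && sip == dip) {
            ALERT("maybe land attack\n");
        }
        if (ntohs(tcph->dest) == 139 && tcph->urg) {
            ALERT("maybe winnuke a from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        }
        if (tcph->ece && tcph->cwr) {
            ALERT("queso from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        }
        /* SYN+FIN with no other flag set */
        if (tcph->fin && tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
            ALERT("SF_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        }
        /* NULL scan: no flag set at all. The original required every flag to
         * be set, which is the opposite condition and never matches a NULL scan. */
        if (!tcph->fin && !tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
            ALERT("NULL_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        }
        /* XMAS scan: FIN+PSH+URG and nothing else */
        if (tcph->fin && !tcph->syn && !tcph->rst && tcph->psh && !tcph->ack && tcph->urg) {
            ALERT("XMAS_scan(FPU) from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        }
    } else if (iph->protocol == PROTO_UDP) {
        if (linear_len < ip_hlen + sizeof(struct udphdr)) {
            ALERT("truncated udp packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
            return NF_ACCEPT;
        }
        udph = (struct udphdr *)((__u32 *)iph + iph->ihl);
        sport = udph->source;
        dport = udph->dest;
        /* play udp packet here; sport/dport are still in network byte order */
    } else if (iph->protocol == PROTO_ICMP) {
        /* play icmp packet here */
    } else if (iph->protocol == PROTO_IGMP) {
        ALERT("igmp packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
        /* play igmp packet here */
    } else {
        ALERT("unknown protocol%d packet from %d.%d.%d.%d to %d.%d.%d.%d\n", iph->protocol, NIPQUAD(sip), NIPQUAD(dip));
    }

    /* this is an IDS, so every packet is accepted; return NF_DROP here to
     * drop the skb instead */
    return NF_ACCEPT;
}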
/* Hook registration record: run sample() on every IPv4 packet at
 * NF_IP_PRE_ROUTING. Hooks run in ascending priority order, so
 * NF_IP_PRI_FILTER-1 places it just before the filter priority. */
static struct nf_hook_ops iplimitfilter = {
    .list     = { NULL, NULL },
    .hook     = sample,
    .pf       = PF_INET,
    .hooknum  = NF_IP_PRE_ROUTING,
    .priority = NF_IP_PRI_FILTER - 1,
};
/* Module entry point: register the hook. Returns nf_register_hook()'s
 * result unchanged (a non-zero value makes module loading fail). */
int init_module(void)
{
    int rc;

    rc = nf_register_hook(&iplimitfilter);
    return rc;
}
/* Module exit point: unregister the hook so no further packets reach
 * sample() once the module is unloaded. */
void cleanup_module(void)
{
    struct nf_hook_ops *ops = &iplimitfilter;

    nf_unregister_hook(ops);
}
编译报错如下:(测试系统内核为2.4.31和2.4.21,报错相同)
[root@testroot]# gcc -c -O -g -Wall i_mod.c
In file included from /usr/include/linux/sched.h:14,
from /usr/include/linux/skbuff.h:19,
from i_mod.c:5:
/usr/include/linux/timex.h:173: field `time' has incomplete type
/usr/include/linux/timex.h:188: confused by earlier errors, bailing out