12. Appendices

Proyecto Fin de Carrera (Final Degree Project), Departamento de Ingeniería Telemática (Department of Telematics Engineering)


12.1. Palo Alto Networks model comparison

[The comparison tables for this section (thesis pp. 139-143) are not reproduced in the text transcript.]

12.2. Configuring a Virtual Switch in VMware ESXi

Figure 54: Configuring a Virtual Switch: step 1

Figure 55: Configuring a Virtual Switch: step 2

Figure 56: Configuring a Virtual Switch: step 3

Figure 57: Configuring a Virtual Switch: step 4

Figure 58: Configuring a Virtual Switch: step 5

Figure 59: Configuring a Virtual Switch: step 6

[The screenshots (thesis pp. 144-146) are not reproduced in the text transcript; only the captions survive.]

12.3. install_ndpi.sh

#!/bin/bash
# Builds nDPI and the xt_ndpi netfilter match for the running kernel.
# Abort on the first failed step instead of installing a half-built tree.
set -e

KERNEL_VERSION=$(uname -r)

# Libraries and prior updates
yum -y install vim svn git unzip zip gcc ncurses-devel iptables-devel \
    kernel-devel libmnl-devel automake libtool libtool-ltdl-devel

# nDPI installation (manual)
# Note: built with the original http.c
cd /usr/src/redBorder-ndpi/nDPI
./configure --with-pic --prefix=/opt/rb --sbindir=/opt/rb/bin --exec-prefix=/opt/rb
make
make install

# Installation of the netfilter module
# Note: built with the modified http.c (uses strtok_r)
cp ../http.c /usr/src/redBorder-ndpi/nDPI/src/lib/protocols/
cd /usr/src/redBorder-ndpi/nDPI/ndpi-netfilter/ndpi-netfilter-master
LANG=C NDPI_PATH=/usr/src/redBorder-ndpi/nDPI make
#make modules_install
cp ipt/libxt_ndpi.so /lib/xtables
cp ipt/libxt_ndpi.so /lib/xtables-1.4.7
# The module is produced unsigned; it is installed under extra/ with the plain
# .ko name so that depmod and modprobe find it.
cp src/xt_ndpi.ko.unsigned /lib/modules/${KERNEL_VERSION}/extra/xt_ndpi.ko
depmod -a
modprobe xt_ndpi
service iptables restart


12.4. redBorder-ndpi-source.sh

#!/bin/bash
# Rebuilds the CentOS 6.5 kernel and iptables 1.4.7 with the redBorder-ndpi
# files inserted, then builds the patched nDPI. Run as root on an i686 host.
set -e

######## First of all make sure to update the kernel to the latest version

KERNEL_VERSION=$(uname -r | sed "s/.i686//")

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum -y install rng-tools.i686
yum -y install rpm-build redhat-rpm-config unifdef
yum -y install gcc patchutils xmlto asciidoc elfutils-libelf-devel elfutils-devel \
    zlib-devel binutils-devel newt-devel python-devel audit-libs-devel \
    bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website.
# Caveat: the download is plain HTTP and nothing checks it; verify the package
# signature against the CentOS signing key (rpm --checksig) before installing it.
cd
wget http://vault.centos.org/6.5/updates/Source/SPackages/kernel-${KERNEL_VERSION}.src.rpm

# Install the downloaded source rpm
rpm -ivh kernel-${KERNEL_VERSION}.src.rpm

# Before we start, the kernel build generates a GPG keypair and stalls without
# entropy, hence rng-tools. Note that feeding /dev/urandom back into the pool
# only raises the kernel's entropy estimate; it adds no real entropy.
rngd -r /dev/urandom

# Prepare kernel sources
cd
cd rpmbuild/SPECS
rpmbuild -bp kernel.spec

# Moving sources to /usr/src and compiling source code
cp -R /root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686 /usr/src/
cd /usr/src/linux-${KERNEL_VERSION}.i686/
make

# Replace kernel files and compile it
cd
cd project/redBorder-ndpi/linux-${KERNEL_VERSION}.i686
ln -s /usr/src/linux-${KERNEL_VERSION}.i686/ /usr/src/linux-dpiproject
chmod u+x insert_kernel_files.sh
./insert_kernel_files.sh

######## Prepare and compile iptables sources and insert redBorder-ndpi files ########

# Getting the source code and allocating it properly (same caveat: unverified
# download; netfilter.org publishes signatures for its tarballs)
cd
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.7.tar.bz2
tar xvf iptables-1.4.7.tar.bz2
mv iptables-1.4.7/ /usr/src

# Compiling and patching iptables
cd
cd project/redBorder-ndpi/iptables-1.4.7/
chmod u+x insert_iptables_files.sh
./insert_iptables_files.sh
cd /usr/src/iptables-1.4.7/
./configure
make
make install
./copy_new_libxt.sh

######## Prepare and compile redBorder-ndpi ########

# Allocating source code properly. nDPI/ and http.c live in the project
# directory, so return there first: the previous step left us in
# /usr/src/iptables-1.4.7, where the relative copies below would not resolve.
cd
cd project/redBorder-ndpi
mkdir -p /usr/src/redBorder-ndpi
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/
chmod u+x install_ndpi.sh
./install_ndpi.sh


12.5. xt_l7state.c

#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_l7state.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sergio Millan Rodriguez <sermilrod@gmail.com>");
MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module for layer 7");
MODULE_ALIAS("ipt_l7state");
MODULE_ALIAS("ip6t_l7state");

/*
 * ct->l7.l7state[] is the per-connection layer-7 state array that the patched
 * kernel adds to struct nf_conn (index 0 = L7NOINIT, 1 = L7UNKNOWN,
 * 2 = L7ACCEPT, 3 = L7DROP, 4 = L7CONTINUE). A rule matches when any state
 * selected in the statemask bitmap is set. Testing the bits one by one accepts
 * every mask libxt_l7state can build, including OR-combinations and inverted
 * masks ("! --l7state ..."); an exact-value switch on the literals 1, 2, 4, 6,
 * 8, 16 and 18 would silently never match the others.
 */
static bool l7state_check_l7state(unsigned int l7states, const struct nf_conn *ct)
{
	unsigned int i;

	/* pr_debug rather than printk: this runs for every packet the rule sees */
	pr_debug("xt_l7state: statemask: %u\n", l7states);

	for (i = 0; i < L7MAX; i++)
		if ((l7states & (1U << i)) && ct->l7.l7state[i] == 1)
			return true;

	return false;
}

static bool
l7state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_l7state_info *sinfo = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	/* packets without a conntrack entry never match */
	ct = nf_ct_get(skb, &ctinfo);
	if (ct == NULL)
		return false;

	return l7state_check_l7state(sinfo->statemask, ct);
}

static bool l7state_mt_check(const struct xt_mtchk_param *par)
{
	if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
		       "proto=%u\n", par->match->family);
		return false;
	}
	return true;
}

static void l7state_mt_destroy(const struct xt_mtdtor_param *par)
{
	nf_ct_l3proto_module_put(par->match->family);
}

static struct xt_match l7state_mt_reg[] __read_mostly = {
	{
		.name       = "l7state",
		.family     = NFPROTO_IPV4,
		.checkentry = l7state_mt_check,
		.match      = l7state_mt,
		.destroy    = l7state_mt_destroy,
		.matchsize  = sizeof(struct xt_l7state_info),
		.me         = THIS_MODULE,
	},
	{
		.name       = "l7state",
		.family     = NFPROTO_IPV6,
		.checkentry = l7state_mt_check,
		.match      = l7state_mt,
		.destroy    = l7state_mt_destroy,
		.matchsize  = sizeof(struct xt_l7state_info),
		.me         = THIS_MODULE,
	},
};

static int __init l7state_mt_init(void)
{
	return xt_register_matches(l7state_mt_reg, ARRAY_SIZE(l7state_mt_reg));
}

static void __exit l7state_mt_exit(void)
{
	xt_unregister_matches(l7state_mt_reg, ARRAY_SIZE(l7state_mt_reg));
}

module_init(l7state_mt_init);
module_exit(l7state_mt_exit);


12.6. xt_l7state.h

#ifndef _XT_L7STATE_H
#define _XT_L7STATE_H

/* number of layer-7 states tracked per connection (indices 0..4) */
#define L7MAX 5
/* bit in xt_l7state_info.statemask that selects state l7ctinfo */
#define XT_L7STATE_BIT(l7ctinfo) (1 << ((l7ctinfo) % L7MAX))

/* match data shared between libxt_l7state.so and the kernel module */
struct xt_l7state_info {
	unsigned int statemask;
};

#endif /* _XT_L7STATE_H */

12.7. copy_new_modules.sh

#!/bin/bash
# Rebuilds the patched netfilter modules in the kernel tree and reloads them.

KERNEL_VERSION=$(uname -r)

pushd /usr/src/linux-dpiproject &>/dev/null
echo "stopping iptables..."
service iptables stop
echo "Compiling modules..."
make modules
echo "Copying new modules..."
for n in $(find net | grep "\.ko\.unsigned$" 2>/dev/null); do
	m=$(echo $n | sed 's/.unsigned//')
	m=$(basename $m)
	/bin/cp -f $n /lib/modules/${KERNEL_VERSION}/extra/$m
done
echo "Removing from memory rest of modules..."
# Unload the old modules first, dependents before their dependencies
# (nf_conntrack_ipv4 needs nf_defrag_ipv4 and nf_conntrack). The loop closes
# here; dependencies are resolved and the modules reloaded once, afterwards.
# rmmod errors are silenced, so confirm with lsmod that the old nf_conntrack
# really went away before trusting the reloaded modules.
for module in ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack; do
	rmmod $module &>/dev/null
done
echo "Resolving modules dependences..."
depmod -a
modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe xt_l7state
modprobe xt_ndpi_control
service iptables restart
echo "Done!"

popd &>/dev/null


12.8. libxt_l7state.c

/* Shared library add-on to iptables to add layer 7 state tracking support. */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/xt_l7state.h>

static void
l7state_help(void)
{
	printf(
"state match options:\n"
" [!] --l7state [L7NOINIT|L7UNKNOWN|L7ACCEPT|L7DROP|L7CONTINUE][,...]\n"
"                             State(s) to match\n");
}

static const struct option l7state_opts[] = {
	{ "l7state", 1, NULL, '1' },
	{ .name = NULL }
};

/*
 * One token of the state list. The IP_CT_L7* values come from the patched
 * nf_conntrack_common.h. Only the token's own length is compared (as in
 * iptables' libxt_state), so an abbreviated prefix such as "L7" is accepted
 * and resolves to the first name it matches, L7NOINIT.
 */
static int
l7state_parse_state(const char *l7state, size_t len, struct xt_l7state_info *sinfo)
{
	if (strncasecmp(l7state, "L7NOINIT", len) == 0)
		sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7NOINIT);
	else if (strncasecmp(l7state, "L7UNKNOWN", len) == 0)
		sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7UNKNOWN);
	else if (strncasecmp(l7state, "L7ACCEPT", len) == 0)
		sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7ACCEPT);
	else if (strncasecmp(l7state, "L7DROP", len) == 0)
		sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7DROP);
	else if (strncasecmp(l7state, "L7CONTINUE", len) == 0)
		sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7CONTINUE);
	else
		return 0;
	return 1;
}

/* comma-separated list, no spaces; every token must parse */
static void
l7state_parse_states(const char *arg, struct xt_l7state_info *sinfo)
{
	const char *comma;

	while ((comma = strchr(arg, ',')) != NULL) {
		if (comma == arg || !l7state_parse_state(arg, comma - arg, sinfo))
			xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg);
		arg = comma + 1;
	}
	if (!*arg)
		xtables_error(PARAMETER_PROBLEM,
			      "\"--l7state\" requires a list of states with no "
			      "spaces, e.g. \"L7UNKNOWN,L7DROP\" or \"L7ACCEPT\"");
	if (strlen(arg) == 0 || !l7state_parse_state(arg, strlen(arg), sinfo))
		xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg);
}

static int
l7state_parse(int c, char **argv, int invert, unsigned int *flags,
	      const void *entry, struct xt_entry_match **match)
{
	struct xt_l7state_info *sinfo = (struct xt_l7state_info *)(*match)->data;

	switch (c) {
	case '1':
		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
		l7state_parse_states(optarg, sinfo);
		/* "! --l7state ..." hands the kernel the complemented bitmap */
		if (invert)
			sinfo->statemask = ~sinfo->statemask;
		*flags = 1;
		break;
	default:
		return 0;
	}
	return 1;
}

static void l7state_final_check(unsigned int flags)
{
	if (!flags)
		xtables_error(PARAMETER_PROBLEM, "You must specify \"--l7state\"");
}

static void l7state_print_state(unsigned int statemask)
{
	const char *sep = "";

	if (statemask & XT_L7STATE_BIT(IP_CT_L7NOINIT)) {
		printf("%sL7NOINIT", sep);
		sep = ",";
	}
	if (statemask & XT_L7STATE_BIT(IP_CT_L7UNKNOWN)) {
		printf("%sL7UNKNOWN", sep);
		sep = ",";
	}
	if (statemask & XT_L7STATE_BIT(IP_CT_L7ACCEPT)) {
		printf("%sL7ACCEPT", sep);
		sep = ",";
	}
	if (statemask & XT_L7STATE_BIT(IP_CT_L7DROP)) {
		printf("%sL7DROP", sep);
		sep = ",";
	}
	if (statemask & XT_L7STATE_BIT(IP_CT_L7CONTINUE)) {
		printf("%sL7CONTINUE", sep);
		sep = ",";
	}
	printf(" ");
}

static void
l7state_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
	const struct xt_l7state_info *sinfo = (const void *)match->data;

	printf("l7state ");
	l7state_print_state(sinfo->statemask);
}

static void
l7state_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_l7state_info *sinfo = (const void *)match->data;

	printf("--l7state ");
	l7state_print_state(sinfo->statemask);
}

static struct xtables_match l7state_match = {
	.family        = NFPROTO_UNSPEC,
	.name          = "l7state",
	.version       = XTABLES_VERSION,
	.size          = XT_ALIGN(sizeof(struct xt_l7state_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_l7state_info)),
	.help          = l7state_help,
	.parse         = l7state_parse,
	.final_check   = l7state_final_check,
	.print         = l7state_print,
	.save          = l7state_save,
	.extra_opts    = l7state_opts,
};

void _init(void)
{
	xtables_register_match(&l7state_match);
}
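The contract between the userspace half (12.8 builds a statemask from "--l7state A,B", complemented for "!") and the kernel half (12.5 and 12.6 test that mask against the connection's l7state[] flags) can be exercised without loading a module. The following is an added example, not code from the thesis or from redBorder-ndpi: it re-implements the token parser and two mask evaluators in plain userspace C. It assumes the thesis's patched nf_conntrack_common.h numbers IP_CT_L7NOINIT to IP_CT_L7CONTINUE as 0 to 4 (the header is not reproduced on the page, but XT_L7STATE_BIT() and the kernel's l7state[] indices only agree under that numbering); rule_matches, rule_matches_exact and the helper names are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define L7MAX 5
#define XT_L7STATE_BIT(l7ctinfo) (1U << ((l7ctinfo) % L7MAX))

/* Assumed numbering from the patched nf_conntrack_common.h (see lead-in). */
enum { IP_CT_L7NOINIT = 0, IP_CT_L7UNKNOWN, IP_CT_L7ACCEPT, IP_CT_L7DROP, IP_CT_L7CONTINUE };

static const char *const l7_names[L7MAX] = {
	"L7NOINIT", "L7UNKNOWN", "L7ACCEPT", "L7DROP", "L7CONTINUE"
};

/* Case-insensitive, full-length token compare. Unlike the length-of-token
 * strncasecmp in libxt_l7state.c, "L7" is rejected instead of meaning L7NOINIT. */
static bool token_is(const char *tok, size_t len, const char *name)
{
	size_t i;

	if (strlen(name) != len)
		return false;
	for (i = 0; i < len; i++)
		if (toupper((unsigned char)tok[i]) != (unsigned char)name[i])
			return false;
	return true;
}

static bool parse_one(const char *tok, size_t len, unsigned int *mask)
{
	unsigned int i;

	for (i = 0; i < L7MAX; i++)
		if (token_is(tok, len, l7_names[i])) {
			*mask |= XT_L7STATE_BIT(i);
			return true;
		}
	return false;
}

/* "--l7state A,B[,...]" -> statemask, complemented when invert is set, exactly
 * as l7state_parse() does. Returns false where iptables would call xtables_error(). */
bool parse_statemask(const char *arg, bool invert, unsigned int *mask)
{
	const char *comma;

	*mask = 0;
	while ((comma = strchr(arg, ',')) != NULL) {
		if (comma == arg || !parse_one(arg, (size_t)(comma - arg), mask))
			return false;
		arg = comma + 1;
	}
	if (*arg == '\0' || !parse_one(arg, strlen(arg), mask))
		return false;
	if (invert)
		*mask = ~*mask;
	return true;
}

/* Kernel-side evaluation, bit by bit: any selected state that is set matches. */
bool match_bits(unsigned int mask, const unsigned int l7state[L7MAX])
{
	unsigned int i;

	for (i = 0; i < L7MAX; i++)
		if ((mask & (1U << i)) && l7state[i] == 1)
			return true;
	return false;
}

/* Exact-value evaluation: only seven literal masks are recognised, the
 * combinations the thesis's original listing enumerated in its switch. */
bool match_exact(unsigned int mask, const unsigned int l7state[L7MAX])
{
	switch (mask) {
	case 1:  return l7state[0] == 1;
	case 2:  return l7state[1] == 1;
	case 4:  return l7state[2] == 1;
	case 6:  return l7state[1] == 1 || l7state[2] == 1;
	case 8:  return l7state[3] == 1;
	case 16: return l7state[4] == 1;
	case 18: return l7state[1] == 1 || l7state[4] == 1;
	default: return false;
	}
}

/* Evaluate one rule against a flow sitting in one state.
 * -1 = rejected at parse time, 0 = no match, 1 = match. */
static int evaluate(const char *arg, bool invert, unsigned int flow_state,
		    bool (*test)(unsigned int, const unsigned int *))
{
	unsigned int mask, l7state[L7MAX] = { 0 };

	if (!parse_statemask(arg, invert, &mask))
		return -1;
	l7state[flow_state % L7MAX] = 1;	/* conntrack keeps exactly one state set */
	return test(mask, l7state) ? 1 : 0;
}

int rule_matches(const char *arg, bool invert, unsigned int flow_state)
{
	return evaluate(arg, invert, flow_state, match_bits);
}

int rule_matches_exact(const char *arg, bool invert, unsigned int flow_state)
{
	return evaluate(arg, invert, flow_state, match_exact);
}

int main(void)
{
	/* constructed rules, each tried against a flow in L7ACCEPT */
	const char *rules[] = { "L7ACCEPT", "L7UNKNOWN,L7DROP", "L7DROP", "L7" };
	const bool inv[]    = { false,      false,              true,     false };
	unsigned int i;

	for (i = 0; i < 4; i++)
		printf("%s--l7state %-18s bits=%2d exact=%2d\n",
		       inv[i] ? "! " : "", rules[i],
		       rule_matches(rules[i], inv[i], IP_CT_L7ACCEPT),
		       rule_matches_exact(rules[i], inv[i], IP_CT_L7ACCEPT));
	return 0;
}
```

The two evaluators disagree precisely on the masks a user can legitimately produce but that are not among the seven literals: "L7UNKNOWN,L7DROP" (mask 10) and any inverted rule (mask ~8 for "! --l7state L7DROP"). With the bit-by-bit test those behave as the rule syntax promises; with the exact-value test they never match, which turns a "! --l7state L7DROP -j ACCEPT" rule into a silent no-op.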


12.9. main.c

/*
 * main.c
 * Copyright (C) 2010-2012 G. Elian Gidoni <geg@gnu.org>
 *               2012 Ed Wildgoose <lists@wildgooses.com>
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the PACE technology by ipoque GmbH
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; version 2
 * of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/if_ether.h>
#include <linux/rbtree.h>
#include <linux/kref.h>
#include <linux/time.h>

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>

#include "ndpi_main.h"
#include "xt_ndpi.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("G. Elian Gidoni <geg@gnu.org>");
MODULE_DESCRIPTION("nDPI wrapper");
MODULE_ALIAS("ipt_ndpi");

/* Layer-7 state handling: extends the upstream xt_ndpi wrapper with the
 * ct->l7 fields the patched kernel adds to struct nf_conn. */
#define L7MAX 5
#define L7ACCEPT 2
#define L7DROP 3
#define L7CONTINUE 4

/* Move the connection to exactly one layer-7 state and clear the rule options. */
static void set_l7state(struct nf_conn *ct, unsigned int state)
{
	unsigned int i;

	ct->l7.limit_option = 0;	/* default limit option unset */
	ct->l7.act_option = 0;		/* default action option unset */
	for (i = 0; i < L7MAX; i++) {
		ct->l7.l7state[i] = 0;
		if (i == state)
			ct->l7.l7state[i] = 1;	/* set the state for packet decision */
	}
}

/*
 * Per-flow inspection budget. Returns true while the flow may keep being
 * inspected; once limit_option packets have gone by without a verdict the
 * flow is moved to L7DROP and false is returned for that packet only.
 * Because set_l7state() clears limit_option, later packets of a dropped flow
 * take the first branch again, so the enforcing rule has to key on the
 * L7DROP state rather than on this return value.
 */
static bool counter_limit(struct nf_conn *ct)
{
	if (ct->l7.l7state[2] == 1 || ct->l7.l7state[3] == 1 ||
	    ct->l7.l7state[4] == 1) {
		/* a layer 7 action is already active: the budget no longer applies */
		ct->l7.limit = 0;
		return true;
	}

	if (ct->l7.limit == 0 && ct->l7.limit_option != 0) {
		ct->l7.limit++;
		return true;
	} else if (ct->l7.limit_option > ct->l7.limit) {
		ct->l7.limit++;
		return true;
	} else if (ct->l7.limit_option == 0) {
		return true;	/* no budget configured */
	} else {
		set_l7state(ct, L7DROP);
		ct->l7.limit = 0;
		return false;
	}
}

/* flow tracking */
struct osdpi_flow_node {
	struct rb_node node;
	struct nf_conn *ct;
	/* result only, not used for flow identification */
	u32 detected_protocol;
	/* last pointer assigned at run time */
	struct ndpi_flow_struct *ndpi_flow;
};

/* id tracking */
struct osdpi_id_node {
	struct rb_node node;
	struct kref refcnt;
	union nf_inet_addr ip;
	/* last pointer assigned at run time */
	struct ndpi_id_struct *ndpi_id;
};

static u32 size_id_struct = 0;
static u32 size_flow_struct = 0;

static struct rb_root osdpi_flow_root = RB_ROOT;
static struct rb_root osdpi_id_root = RB_ROOT;

static struct kmem_cache *osdpi_flow_cache __read_mostly;
static struct kmem_cache *osdpi_id_cache __read_mostly;

static NDPI_PROTOCOL_BITMASK protocols_bitmask;
static atomic_t protocols_cnt[NDPI_LAST_IMPLEMENTED_PROTOCOL];

DEFINE_SPINLOCK(flow_lock);
DEFINE_SPINLOCK(id_lock);
DEFINE_SPINLOCK(ipq_lock);

/* detection */
static struct ndpi_detection_module_struct *ndpi_struct = NULL;
static u32 detection_tick_resolution = 1000;

/* debug functions */
static void debug_printf(u32 protocol, void *id_struct,
			 ndpi_log_level_t log_level,
			 const char *format, ...)
{
	va_list args;

	/* every nDPI log level is forwarded to the kernel log */
	va_start(args, format);
	switch (log_level) {
	case NDPI_LOG_ERROR:
		vprintk(format, args);
		break;
	case NDPI_LOG_TRACE:
		vprintk(format, args);
		break;
	case NDPI_LOG_DEBUG:
		vprintk(format, args);
		break;
	}
	va_end(args);
}

static void *malloc_wrapper(unsigned long size)
{
	return kmalloc(size, GFP_KERNEL);
}

static void free_wrapper(void *freeable)
{
	kfree(freeable);
}

/* flows are keyed by the conntrack pointer itself */
static struct osdpi_flow_node *
ndpi_flow_search(struct rb_root *root, struct nf_conn *ct)
{
	struct osdpi_flow_node *data;
	struct rb_node *node = root->rb_node;

	while (node) {
		data = rb_entry(node, struct osdpi_flow_node, node);

		if (ct < data->ct)
			node = node->rb_left;
		else if (ct > data->ct)
			node = node->rb_right;
		else
			return data;
	}
	return NULL;
}

static int
ndpi_flow_insert(struct rb_root *root, struct osdpi_flow_node *data)
{
	struct osdpi_flow_node *this;
	struct rb_node **new = &(root->rb_node), *parent = NULL;

	while (*new) {
		this = rb_entry(*new, struct osdpi_flow_node, node);

		parent = *new;
		if (data->ct < this->ct)
			new = &((*new)->rb_left);
		else if (data->ct > this->ct)
			new = &((*new)->rb_right);
		else
			return 0;
	}
	rb_link_node(&data->node, parent, new);
	rb_insert_color(&data->node, root);

	return 1;
}

/* ids are keyed by IP address (v4 or v6, compared as the whole union) */
static struct osdpi_id_node *
ndpi_id_search(struct rb_root *root, union nf_inet_addr *ip)
{
	int res;
	struct osdpi_id_node *data;
	struct rb_node *node = root->rb_node;

	while (node) {
		data = rb_entry(node, struct osdpi_id_node, node);
		res = memcmp(ip, &data->ip, sizeof(union nf_inet_addr));

		if (res < 0)
			node = node->rb_left;
		else if (res > 0)
			node = node->rb_right;
		else
			return data;
	}
	return NULL;
}

static int
ndpi_id_insert(struct rb_root *root, struct osdpi_id_node *data)
{
	int res;
	struct osdpi_id_node *this;
	struct rb_node **new = &(root->rb_node), *parent = NULL;

	while (*new) {
		this = rb_entry(*new, struct osdpi_id_node, node);
		res = memcmp(&data->ip, &this->ip, sizeof(union nf_inet_addr));

		parent = *new;
		if (res < 0)
			new = &((*new)->rb_left);
		else if (res > 0)
			new = &((*new)->rb_right);
		else
			return 0;
	}
	rb_link_node(&data->node, parent, new);
	rb_insert_color(&data->node, root);

	return 1;
}

/* kref release callback: runs with id_lock held by the kref_put() caller */
static void
ndpi_id_release(struct kref *kref)
{
	struct osdpi_id_node *id;

	id = container_of(kref, struct osdpi_id_node, refcnt);
	rb_erase(&id->node, &osdpi_id_root);
	kmem_cache_free(osdpi_id_cache, id);
}

static struct osdpi_flow_node *
ndpi_alloc_flow(struct nf_conn *ct)
{
	struct osdpi_flow_node *flow;

	spin_lock_bh(&flow_lock);
	flow = ndpi_flow_search(&osdpi_flow_root, ct);
	if (flow != NULL) {
		spin_unlock_bh(&flow_lock);
		return flow;
	}
	flow = kmem_cache_zalloc(osdpi_flow_cache, GFP_ATOMIC);
	if (flow == NULL) {
		pr_err("xt_ndpi: couldn't allocate new flow.\n");
		spin_unlock_bh(&flow_lock);
		return NULL;
	}
	flow->ct = ct;
	/* the nDPI flow struct lives in the same cache object, right after the node */
	flow->ndpi_flow = (struct ndpi_flow_struct *)
		((char *)&flow->ndpi_flow + sizeof(flow->ndpi_flow));
	ndpi_flow_insert(&osdpi_flow_root, flow);
	spin_unlock_bh(&flow_lock);

	return flow;
}

static void
ndpi_free_flow(struct nf_conn *ct)
{
	struct osdpi_flow_node *flow;

	spin_lock_bh(&flow_lock);
	flow = ndpi_flow_search(&osdpi_flow_root, ct);
	if (flow != NULL) {
		rb_erase(&flow->node, &osdpi_flow_root);
		kmem_cache_free(osdpi_flow_cache, flow);
	}
	spin_unlock_bh(&flow_lock);
}

/* one id node per address, shared by every flow that uses it (refcounted) */
static struct osdpi_id_node *
ndpi_alloc_id(union nf_inet_addr *ip)
{
	struct osdpi_id_node *id;

	spin_lock_bh(&id_lock);
	id = ndpi_id_search(&osdpi_id_root, ip);
	if (id != NULL) {
		kref_get(&id->refcnt);
	} else {
		id = kmem_cache_zalloc(osdpi_id_cache, GFP_ATOMIC);
		if (id == NULL) {
			pr_err("xt_ndpi: couldn't allocate new id.\n");
			spin_unlock_bh(&id_lock);
			return NULL;
		}
		memcpy(&id->ip, ip, sizeof(union nf_inet_addr));
		/* the nDPI id struct follows the node in the same cache object */
		id->ndpi_id = (struct ndpi_id_struct *)
			((char *)&id->ndpi_id + sizeof(id->ndpi_id));
		kref_init(&id->refcnt);
		ndpi_id_insert(&osdpi_id_root, id);
	}
	spin_unlock_bh(&id_lock);

	return id;
}

static void
ndpi_free_id(union nf_inet_addr *ip)
{
	struct osdpi_id_node *id;

	spin_lock_bh(&id_lock);
	id = ndpi_id_search(&osdpi_id_root, ip);
	if (id != NULL)
		kref_put(&id->refcnt, ndpi_id_release);
	spin_unlock_bh(&id_lock);
}

/* protocols are enabled per rule and reference-counted across rules */
static void
ndpi_enable_protocols(const struct xt_ndpi_mtinfo *info)
{
	int i;

	for (i = 1; i <= NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
		if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0) {
			spin_lock_bh(&ipq_lock);
			atomic_inc(&protocols_cnt[i - 1]);
			NDPI_ADD_PROTOCOL_TO_BITMASK(protocols_bitmask, i);
			ndpi_set_protocol_detection_bitmask2(ndpi_struct,
							     &protocols_bitmask);
			spin_unlock_bh(&ipq_lock);
		}
	}
}

static void
ndpi_disable_protocols(const struct xt_ndpi_mtinfo *info)
{
	int i;

	for (i = 1; i <= NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
		if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0) {
			spin_lock_bh(&ipq_lock);
			if (atomic_dec_and_test(&protocols_cnt[i - 1])) {
				NDPI_DEL_PROTOCOL_FROM_BITMASK(protocols_bitmask, i);
				ndpi_set_protocol_detection_bitmask2(ndpi_struct,
								     &protocols_bitmask);
			}
			spin_unlock_bh(&ipq_lock);
		}
	}
}

/* Flow and id nodes are released only from the conntrack DESTROY event,
 * so the module depends on conntrack events being delivered. */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static int
ndpi_conntrack_event(struct notifier_block *this, unsigned long ev, void *data)
{
	struct nf_conn *ct = (struct nf_conn *)data;
	union nf_inet_addr *src, *dst;

	if (ct == &nf_conntrack_untracked)
		return NOTIFY_DONE;

	if (ev & IPCT_DESTROY) {
		src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
		dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;
		ndpi_free_id(src);
		ndpi_free_id(dst);
		ndpi_free_flow(ct);
	}

	return NOTIFY_DONE;
}

static struct notifier_block osdpi_notifier = {
	.notifier_call = ndpi_conntrack_event,
};
#else
static int
ndpi_conntrack_event(unsigned int events, struct nf_ct_event *item)
{
	struct nf_conn *ct = item->ct;
	union nf_inet_addr *src, *dst;

	if (ct == &nf_conntrack_untracked)
		return 0;

	if (events & (1 << IPCT_DESTROY)) {
		src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
		dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;
		ndpi_free_id(src);
		ndpi_free_id(dst);
		ndpi_free_flow(ct);
	}

	return 0;
}

static struct nf_ct_event_notifier osdpi_notifier = {
	.fcn = ndpi_conntrack_event,
};
#endif

static u32
ndpi_process_packet(struct nf_conn *ct, const uint64_t time,
		    const struct iphdr *iph, uint16_t ipsize)
{
	u32 proto = NDPI_PROTOCOL_UNKNOWN;
	union nf_inet_addr *ipsrc, *ipdst;
	struct osdpi_id_node *src, *dst;
	struct osdpi_flow_node *flow;

	/* note: flow, src and dst are used after their locks are dropped */
	spin_lock_bh(&flow_lock);
	flow = ndpi_flow_search(&osdpi_flow_root, ct);
	spin_unlock_bh(&flow_lock);
	if (flow == NULL) {
		flow = ndpi_alloc_flow(ct);
		if (flow == NULL)
			return proto;
	}

	ipsrc = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;

	spin_lock_bh(&id_lock);
	src = ndpi_id_search(&osdpi_id_root, ipsrc);
	spin_unlock_bh(&id_lock);
	if (src == NULL) {
		src = ndpi_alloc_id(ipsrc);
		if (src == NULL)
			return proto;
	}

	ipdst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

	spin_lock_bh(&id_lock);
	dst = ndpi_id_search(&osdpi_id_root, ipdst);
	spin_unlock_bh(&id_lock);
	if (dst == NULL) {
		dst = ndpi_alloc_id(ipdst);
		if (dst == NULL)
			return proto;
	}

	/* here the actual detection is performed */
	spin_lock_bh(&ipq_lock);
	proto = ndpi_detection_process_packet(ndpi_struct, flow->ndpi_flow,
					      (uint8_t *)iph, ipsize, time,
					      src->ndpi_id, dst->ndpi_id);
	flow->detected_protocol = proto;
	spin_unlock_bh(&ipq_lock);

	return proto;
}

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
ndpi_mt(const struct sk_buff *skb,
	const struct net_device *in,
	const struct net_device *out,
	const struct xt_match *match,
	const void *matchinfo,
	int offset,
	unsigned int protoff,
	bool *hotdrop)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
ndpi_mt(const struct sk_buff *skb, const struct xt_match_param *par)
#else
static bool
ndpi_mt(const struct sk_buff *skb, struct xt_action_param *par)
#endif
{
	u32 proto;
	u64 time;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
	const struct xt_ndpi_mtinfo *info = matchinfo;
#else
	const struct xt_ndpi_mtinfo *info = par->matchinfo;
#endif
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	struct timeval tv;
	struct sk_buff *linearized_skb = NULL;
	const struct sk_buff *skb_use = NULL;

	/* nDPI needs a contiguous buffer; copy paged skbs (GFP_ATOMIC: match runs in softirq) */
	if (skb_is_nonlinear(skb)) {
		linearized_skb = skb_copy(skb, GFP_ATOMIC);
		if (linearized_skb == NULL) {
			pr_info("xt_ndpi: linearization failed.\n");
			return false;
		}
		skb_use = linearized_skb;
	} else {
		skb_use = skb;
	}

	ct = nf_ct_get(skb_use, &ctinfo);
	if (ct == NULL) {

i f ( l i n e a r i z e d s k b != NULL){k f r e e s kb ( l i n e a r i z e d s k b ) ;

}

r e turn f a l s e ;#i f LINUX VERSION CODE < KERNEL VERSION(3 , 0 , 0 )

} e l s e i f ( n f c t i s u n t r a c k e d ( skb ) ){#e l s e

} e l s e i f ( n f c t i s u n t r a c k e d ( ct ) ){#end i f

p r i n f o (” xt ndpi : i gno r i ng untracked s k bu f f .\n ” ) ;r e turn f a l s e ;

}do gett imeofday(&tv ) ;

time = ( ( u i n t 64 t ) tv . t v s e c ) ∗ d e t e c t i o n t i c k r e s o l u t i o n +tv . tv u s e c / (1000000 / d e t e c t i o n t i c k r e s o l u t i o n ) ;

// f i r s t time we load ndpi module , we change l ay e r 7 s t a t e and e x i ti f ( ct−>l 7 . l 7 s t a t e [ 0 ] == 1){

ct−>l 7 . l 7 s t a t e [ 0 ] = 0 ; // L7NOINIT f a l s ect−>l 7 . l 7 s t a t e [ 1 ] = 1 ; // L7UNKNOWN truere turn true ;

} e l s e {

i f ( c oun t e r l im i t ( c t ) == true ) {

/∗ proce s s the packet ∗/proto = ndp i p roc e s s packe t ( ct , time ,ip hdr ( skb use ) , skb use−>l en ) ;

i f ( l i n e a r i z e d s k b != NULL){k f r e e s kb ( l i n e a r i z e d s k b ) ;

}

i f (NDPI COMPARE PROTOCOL TO BITMASK( in fo−>f l a g s , proto ) != 0){ // match

170

Page 33: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

// a po l i c y ac t i on has been r equ i r ed// f o r a l ay e r 7 packetswitch ( ct−>l 7 . ac topt i on ) {

case 1 : // L7ACCEPTi f ( ct−>l 7 . a c t i o n f l a g != 0)

s e t l 7 s t a t e ( ct , L7ACCEPT) ;// s e t ac t i on

break ;case 2 : // L7DROP

i f ( ct−>l 7 . a c t i o n f l a g != 0)s e t l 7 s t a t e ( ct , L7DROP) ;// s e t ac t i on

break ;case 3 : // L7CONTINUE

i f ( ct−>l 7 . a c t i o n f l a g != 0)s e t l 7 s t a t e ( ct , L7CONTINUE) ;// s e t ac t i on

break ;d e f au l t :// no ac t i on r equ i r ed yet// or ac t i on i s s e t

break ;}

r e turn t rue ;} e l s e// no match , keep L7 UNKNOWN l 7 s t a t e

re turn true ;} e l s e

re turn f a l s e ; // window lenght exp i red}

r e turn f a l s e ;}

#i f LINUX VERSION CODE < KERNEL VERSION(2 ,6 , 28 )s t a t i c boolndpi mt check ( const char ∗ tablename ,

const void ∗ ip ,const s t r u c t xt match ∗match ,void ∗matchinfo ,unsigned i n t hook mask )

{

const s t r u c t x t ndp i mt in fo ∗ i n f o = matchinfo ;

171

Page 34: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

i f (NDPI BITMASK IS ZERO( in fo−>f l a g s ) ){p r i n f o (”None s e l e c t e d p ro to co l .\n ” ) ;r e turn f a l s e ;

}

ndp i enab l e p r o t o c o l s ( i n f o ) ;

r e turn n f c t l 3 p r o t o t r y modu l e g e t (match−>f ami ly ) == 0 ;}

#e l i f LINUX VERSION CODE < KERNEL VERSION(2 ,6 , 35 )s t a t i c boolndpi mt check ( const s t r u c t xt mtchk param ∗par ){

const s t r u c t x t ndp i mt in fo ∗ i n f o = par−>matchinfo ;

i f (NDPI BITMASK IS ZERO( in fo−>f l a g s ) ){p r i n f o (”None s e l e c t e d p ro to co l .\n ” ) ;r e turn f a l s e ;

}

ndp i enab l e p r o t o c o l s ( i n f o ) ;

r e turn n f c t l 3 p r o t o t r y modu l e g e t ( par−>f ami ly ) == 0 ;}#e l s es t a t i c i n tndpi mt check ( const s t r u c t xt mtchk param ∗par ){

const s t r u c t x t ndp i mt in fo ∗ i n f o = par−>matchinfo ;

i f (NDPI BITMASK IS ZERO( in fo−>f l a g s ) ){p r i n f o (”None s e l e c t e d p ro to co l .\n ” ) ;r e turn −EINVAL;

}

ndp i enab l e p r o t o c o l s ( i n f o ) ;

r e turn n f c t l 3 p r o t o t r y modu l e g e t ( par−>f ami ly ) ;}#end i f

#i f LINUX VERSION CODE < KERNEL VERSION(2 ,6 , 28 )

172

Page 35: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

s t a t i c voidndpi mt dest roy ( const s t r u c t xt match ∗match , void ∗matchinfo ){

const s t r u c t x t ndp i mt in fo ∗ i n f o = matchinfo ;

n dp i d i s a b l e p r o t o c o l s ( i n f o ) ;n f c t l 3p ro t o modu l e pu t (match−>f ami ly ) ;

}

#e l s es t a t i c voidndpi mt dest roy ( const s t r u c t xt mtdtor param ∗par ){

const s t r u c t x t ndp i mt in fo ∗ i n f o = par−>matchinfo ;

n dp i d i s a b l e p r o t o c o l s ( i n f o ) ;n f c t l 3p ro t o modu l e pu t ( par−>f ami ly ) ;

}

#end i f

s t a t i c void ndpi c l eanup ( void ){

s t r u c t rb node ∗ next ;s t r u c t o sdp i i d node ∗ id ;s t r u c t o sdp i f l ow node ∗ f l ow ;

ndp i ex i t d e t e c t i on modu l e ( ndp i s t ruc t , f r e e wrapper ) ;

#i f LINUX VERSION CODE < KERNEL VERSION(3 , 2 , 0 )n f c o n n t r a c k u n r e g i s t e r n o t i f i e r (& o s d p i n o t i f i e r ) ;

#e l s en f c o n n t r a c k u n r e g i s t e r n o t i f i e r (& i n i t n e t ,& o s d p i n o t i f i e r ) ;

#end i f

/∗ f r e e a l l o b j e c t s be f o r e de s t roy ing caches ∗/next = r b f i r s t (& o sdp i f l ow r o o t ) ;whi l e ( next ){

f l ow = rb ent ry ( next , s t r u c t osdp i f l ow node , node ) ;next = rb next (&flow−>node ) ;r b e r a s e (&flow−>node , &o sdp i f l ow r o o t ) ;kmem cache free ( o sdp i f l ow cache , f low ) ;

}kmem cache destroy ( o sdp i f l ow ca che ) ;

next = r b f i r s t (& o s dp i i d r o o t ) ;whi l e ( next ){

173

Page 36: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

id = rb ent ry ( next , s t r u c t osdp i id node , node ) ;next = rb next (&id−>node ) ;r b e r a s e (&id−>node , &o s dp i i d r o o t ) ;kmem cache free ( o sdp i i d cache , id ) ;

}kmem cache destroy ( o sdp i i d c a ch e ) ;

}

s t a t i c s t r u c t xt matchndpi mt reg r ead mos t l y = {

. name = ”ndpi ” ,

. r e v i s i o n = 0 ,#i f LINUX VERSION CODE < KERNEL VERSION(2 ,6 , 28 )

. f ami ly = AF INET ,#e l s e

. f ami ly = NFPROTO IPV4,#end i f

. match = ndpi mt ,

. checkentry = ndpi mt check ,

. des t roy = ndpi mt destroy ,

. matchs ize = s i z e o f ( s t r u c t x t ndp i mt in fo ) ,

.me = THIS MODULE,} ;

s t a t i c i n t i n i t ndp i mt in i t ( void ){

i n t ret , i ;

p r i n f o (” xt ndpi 0 . 1 (nDPI wrapper module ) . \ n ” ) ;/∗ i n i t g l oba l d e t e c t i on s t r u c tu r e ∗/ndp i s t r u c t = ndp i i n i t d e t e c t i on modu l e (d e t e c t i o n t i c k r e s o l u t i o n , malloc wrapper , f r ee wrapper ,( void ∗) debug pr in t f ) ;

i f ( ndp i s t r u c t == NULL) {p r e r r (” xt ndpi : g l oba l s t r u c tu r ei n i t i a l i z a t i o n f a i l e d .\n ” ) ;r e t = −ENOMEM;goto e r r ou t ;

}

f o r ( i = 0 ; i < NDPI LAST IMPLEMENTED PROTOCOL; i++){atomic s e t (&p r o t o c o l s c n t [ i ] , 0 ) ;

}

/∗ d i s ab l e a l l p r o t o c o l s ∗/NDPI BITMASK RESET( pro toco l s b i tmask ) ;

174

Page 37: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

ndp i s e t p r o t o c o l d e t e c t i o n b i tma sk2 ( ndp i s t ruc t ,&pro toco l s b i tmask ) ;

/∗ a l l o c a t e memory f o r id and f low t rack ing ∗/s i z e i d s t r u c t = ndp i d e t e c t i o n g e t s i z e o f n d p i i d s t r u c t ( ) ;s i z e f l o w s t r u c t = ndp i d e t e c t i o n g e t s i z e o f n d p i f l ow s t r u c t ( ) ;

o sdp i f l ow ca che = kmem cache create (” x t ndp i f l ow s ” ,s i z e o f ( s t r u c t o sdp i f l ow node ) +s i z e f l ow s t r u c t ,0 , 0 , NULL) ;

i f ( ! o sdp i f l ow ca che ){p r e r r (” xt ndpi : e r r o r c r e a t i n g f low cache .\n ” ) ;r e t = −ENOMEM;goto e r r i p q ;

}

o sdp i i d c a ch e = kmem cache create (” x t ndp i i d s ” ,s i z e o f ( s t r u c t o sdp i i d node ) +s i z e i d s t r u c t ,0 , 0 , NULL) ;

i f ( ! o s dp i i d c a ch e ){p r e r r (” xt ndpi : e r r o r c r e a t i n g i d s cache .\n ” ) ;r e t = −ENOMEM;goto e r r f l ow ;

}

#i f LINUX VERSION CODE < KERNEL VERSION(3 , 2 , 0 )r e t = n f c o n n t r a c k r e g i s t e r n o t i f i e r (& o s d p i n o t i f i e r ) ;

#e l s er e t = n f c o n n t r a c k r e g i s t e r n o t i f i e r (& i n i t n e t ,& o s d p i n o t i f i e r ) ;

#end i fi f ( r e t < 0){

p r e r r (” xt ndpi : e r r o r r e g i s t e r i n g n o t i f i e r .\n ” ) ;goto e r r i d ;

}

r e t = x t r e g i s t e r ma t ch (&ndpi mt reg ) ;i f ( r e t != 0){

p r e r r (” xt ndpi : e r r o r r e g i s t e r i n g ndpi match .\n ” ) ;ndpi c l eanup ( ) ;

}

r e turn r e t ;

e r r i d :kmem cache destroy ( o sdp i i d c a ch e ) ;

e r r f l ow :kmem cache destroy ( o sdp i f l ow ca che ) ;

175

Page 38: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

e r r i p q :ndp i ex i t d e t e c t i on modu l e ( ndp i s t ruc t , f r e e wrapper ) ;

e r r ou t :r e turn r e t ;

}

s t a t i c void e x i t ndp i mt ex i t ( void ){

p r i n f o (” xt ndpi 1 . 2 unload .\n ” ) ;

x t unreg i s t e r match (&ndpi mt reg ) ;

ndpi c l eanup ( ) ;}

modu l e in i t ( ndp i mt in i t ) ;module ex i t ( ndp i mt ex i t ) ;

176

Page 39: 12.1. Comparativa modelos paloalto networks

Proyecto Fin de Carrera Departamento de Ingenierıa Telematica

12.10. xt_ndpicontrol.c

#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_ndpicontrol.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sergio Millan Rodriguez <sermilrod@gmail.com>");
MODULE_DESCRIPTION("ip[6]tables auxiliary module for redBorder ndpi");
MODULE_ALIAS("ipt_ndpicontrol");
MODULE_ALIAS("ip6t_ndpicontrol");

static bool
ndpicontrol_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_ndpicontrol_info *info = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	bool ret1, ret2;

	ret1 = false;
	ret2 = false;
	ct = nf_ct_get(skb, &ctinfo);
	if (ct != NULL) {
		/* store the requested layer 7 action in the conntrack entry */
		switch (info->action) {
		case 1: // L7ACCEPT
		case 2: // L7DROP
		case 3: // L7CONTINUE
			ct->l7.actoption = info->action;
			ct->l7.actionflag = 1;
			ret1 = true;
			break;
		}

		/* the acceptance window credit is any value from 3 to 10 */
		if (info->limit >= 3 && info->limit <= 10) {
			ct->l7.limitoption = info->limit;
			ct->l7.limitflag = 1;
			ret2 = true;
		}
	}

	/* the match succeeds only when both option values were valid */
	return ret1 && ret2;
}

static bool ndpicontrol_mt_check(const struct xt_mtchk_param *par)
{
	if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
		       "proto=%u\n", par->match->family);
		return false;
	}
	return true;
}

static void ndpicontrol_mt_destroy(const struct xt_mtdtor_param *par)
{
	nf_ct_l3proto_module_put(par->match->family);
}

static struct xt_match ndpicontrol_mt_reg[] __read_mostly = {
	{
		.name = "ndpicontrol",
		.family = NFPROTO_IPV4,
		.checkentry = ndpicontrol_mt_check,
		.match = ndpicontrol_mt,
		.destroy = ndpicontrol_mt_destroy,
		.matchsize = sizeof(struct xt_ndpicontrol_info),
		.me = THIS_MODULE,
	},
	{
		.name = "ndpicontrol",
		.family = NFPROTO_IPV6,
		.checkentry = ndpicontrol_mt_check,
		.match = ndpicontrol_mt,
		.destroy = ndpicontrol_mt_destroy,
		.matchsize = sizeof(struct xt_ndpicontrol_info),
		.me = THIS_MODULE,
	},
};

static int __init ndpicontrol_mt_init(void)
{
	return xt_register_matches(ndpicontrol_mt_reg,
				   ARRAY_SIZE(ndpicontrol_mt_reg));
}

static void __exit ndpicontrol_mt_exit(void)
{
	xt_unregister_matches(ndpicontrol_mt_reg,
			      ARRAY_SIZE(ndpicontrol_mt_reg));
}

module_init(ndpicontrol_mt_init);
module_exit(ndpicontrol_mt_exit);

12.11. libxt_ndpicontrol.c

/* auxiliary helper for redBorder ndpi */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include <linux/netfilter/xt_ndpicontrol.h>

static void ndpicontrol_help(void)
{
	printf("This module allows you to extend ndpi functions by setting the layer 7"
	       " state to packet processing and establishing the acceptance window credit.\n"
	       "ndpicontrol match options:\n"
	       "[!] --action [L7ACCEPT|L7DROP|L7CONTINUE]\n"
	       "[!] --limit [3|4|5|6|7|8|9|10]\n");
}

static const struct option ndpicontrol_opts[] = {
	{ .name = "action", .has_arg = true, .val = '1' },
	{ .name = "limit",  .has_arg = true, .val = '2' },
	{ .name = NULL } /* getopt_long() requires a terminating entry */
};

static int
ndpicontrol_parse_action(const char *option, struct xt_ndpicontrol_info *info)
{
	if (strcmp(option, "L7ACCEPT") == 0)
		info->action = 1;
	else if (strcmp(option, "L7DROP") == 0)
		info->action = 2;
	else if (strcmp(option, "L7CONTINUE") == 0)
		info->action = 3;
	else
		return 0;
	return 1;
}

static int
ndpicontrol_parse_limit(const char *option, struct xt_ndpicontrol_info *info)
{
	char *end;
	long limit = strtol(option, &end, 10);

	/* only the values 3 to 10 are accepted */
	if (*option == '\0' || *end != '\0' || limit < 3 || limit > 10)
		return 0;
	info->limit = limit;
	return 1;
}

static int
ndpicontrol_parse(int c, char **argv, int invert, unsigned int *flags,
		  const void *entry, struct xt_entry_match **match)
{
	struct xt_ndpicontrol_info *info = (void *)(*match)->data;

	switch (c) {
	case '1':
		*flags |= 1; /* --action seen */
		if (ndpicontrol_parse_action(optarg, info) == 0)
			xtables_error(PARAMETER_PROBLEM, "Bad option provided. "
				      "You must specify --action [L7ACCEPT|L7DROP|L7CONTINUE]\n");
		break;
	case '2':
		*flags |= 2; /* --limit seen */
		if (ndpicontrol_parse_limit(optarg, info) == 0)
			xtables_error(PARAMETER_PROBLEM, "Bad option provided. "
				      "You must specify --limit [3|4|5|6|7|8|9|10]\n");
		break;
	default:
		return 0;
	}
	return 1;
}

static void ndpicontrol_final_check(unsigned int flags)
{
	/* the kernel match only succeeds when both options are present */
	if (flags != 3)
		xtables_error(PARAMETER_PROBLEM, "You must specify: "
			      "--action [L7ACCEPT|L7DROP|L7CONTINUE] "
			      "--limit [3|4|5|6|7|8|9|10]\n");
}

/* name used on the command line for a stored action value, NULL if invalid */
static const char *ndpicontrol_action_name(int action)
{
	switch (action) {
	case 1:
		return "L7ACCEPT";
	case 2:
		return "L7DROP";
	case 3:
		return "L7CONTINUE";
	default:
		return NULL;
	}
}

static void
ndpicontrol_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
	const struct xt_ndpicontrol_info *info = (const void *)match->data;
	const char *action = ndpicontrol_action_name(info->action);

	if (action == NULL)
		xtables_error(PARAMETER_PROBLEM,
			      "An error occurred when parsing arguments\n");
	printf("ndpicontrol: --action %s --limit %d", action, info->limit);
}

static void ndpicontrol_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_ndpicontrol_info *info = (const void *)match->data;
	const char *action = ndpicontrol_action_name(info->action);

	/* emit the options in the form iptables-restore can parse again */
	if (action != NULL)
		printf("--action %s --limit %d ", action, info->limit);
}

static struct xtables_match ndpicontrol_match = {
	.family = NFPROTO_UNSPEC,
	.name = "ndpicontrol",
	.version = XTABLES_VERSION,
	.size = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
	.help = ndpicontrol_help,
	.parse = ndpicontrol_parse,
	.final_check = ndpicontrol_final_check,
	.print = ndpicontrol_print,
	.save = ndpicontrol_save,
	.extra_opts = ndpicontrol_opts,
};

void _init(void)
{
	xtables_register_match(&ndpicontrol_match);
}

12.12. copy_new_libxt.sh

#!/bin/bash

echo "Compiling libraries..."
make
echo "Copying the shared library libxt_l7state.so..."
cp -R extensions/libxt_l7state.so /lib/xtables-1.4.7/
echo "Copying the shared library libxt_ndpicontrol.so..."
cp -R extensions/libxt_ndpicontrol.so /lib/xtables-1.4.7/
depmod
echo "Checking module xt_l7state..."
modprobe xt_l7state
echo "Checking module xt_ndpicontrol..."
modprobe xt_ndpicontrol
echo "Done!"

12.13. insert_iptables_files.sh

#!/bin/bash

cp -R libxt_ndpicontrol.c /usr/src/iptables-1.4.7/extensions/
cp -R libxt_l7state.c /usr/src/iptables-1.4.7/extensions/

cp -R xt_l7state.h /usr/src/iptables-1.4.7/include/linux/netfilter/
cp -R xt_ndpicontrol.h /usr/src/iptables-1.4.7/include/linux/netfilter
cp -R nf_conntrack_common.h /usr/src/iptables-1.4.7/include/linux/netfilter

cp -R copy_new_libxt.sh /usr/src/iptables-1.4.7/

12.14. insert_kernel_files.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

cp -R xt_ndpicontrol.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R xt_l7state.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_tcp.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_udp.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_udplite.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/

cp -R nf_conntrack.h /usr/src/linux-${KERNEL_VERSION}/include/net/netfilter/
cp -R nf_conntrack_common.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/
cp -R xt_l7state.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/
cp -R xt_ndpicontrol.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/

cp -R Kconfig /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R Makefile /usr/src/linux-${KERNEL_VERSION}/net/netfilter/

cp -R copy_new_modules.sh /usr/src/linux-${KERNEL_VERSION}/

cd /usr/src/linux-${KERNEL_VERSION}
chmod u+x copy_new_modules.sh
./copy_new_modules.sh
cd /root/project/redBorder-ndpi

12.15. install-redBorder-Stronghold.sh

#!/bin/bash

######## First of all make sure to update the kernel to the latest version

KERNEL_VERSION=$(uname -r | sed "s/.i686//")

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum install rng-tools.i686
yum install rpm-build redhat-rpm-config unifdef
yum install gcc patchutils xmlto asciidoc elfutils-libelf-devel elfutils-devel zlib-devel binutils-devel newt-devel python-devel audit-libs-devel bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website
cd
wget http://vault.centos.org/6.5/updates/Source/SPackages/kernel-${KERNEL_VERSION}.src.rpm

# Install rpm packet downloaded
rpm -ivh kernel-${KERNEL_VERSION}.src.rpm

# Before we start, there is need to make system to gen gpg key by rng-tools
rngd -r /dev/urandom

# Prepare kernel sources
cd
cd rpmbuild/SPECS
rpmbuild -bp kernel.spec

# Moving sources to /usr/src
cp -R /root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686 /usr/src/

# Patching kernel and activate new features in the kernel configuration

cd
cd project/redBorder-ndpi/patch
cp ndpi-2.6.32.patch /usr/src/
cd /usr/src/
patch -p0 < ndpi-2.6.32.patch
cd linux-${KERNEL_VERSION}.i686/

# we need to remove include/asm to be able to compile kernel after the patch

rm -rf include/asm
make menuconfig
make
cd
cd project/redBorder-ndpi/patch
./insert_new_modules.sh

###### Prepare and compile redBorder-ndpi ########

# Allocating source code properly
cd /usr/src/
mkdir redBorder-ndpi
ln -s linux-${KERNEL_VERSION}.i686/ linux-dpi_project
cd
cd project/redBorder-ndpi/
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/
chmod u+x install_ndpi.sh
./install_ndpi.sh

12.16. insert_new_modules.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

service iptables stop
service ip6tables stop
cp -R modules/* /lib/modules/$KERNEL_VERSION/extra
rmmod nf_defrag_ipv4
rmmod ipt_REJECT
rmmod ip6t_REJECT
depmod -a
modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe xt_l7state
modprobe xt_ndpicontrol
service iptables restart

12.17. install-trafficgen.sh

#!/bin/bash

# - Install development tools:
LANG=C yum groupinstall "Development tools" "Server Platform Development"
yum install wireshark
pushd /usr/src

# - Download the latest libpcap version
# (the extracted and built directory must match the archive that was downloaded)
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz &&
tar xzf libpcap-1.3.0.tar.gz &&
pushd libpcap-1.3.0 && ./configure && make && make install && popd

# - Download libdnet, libpcapnav and tcpdump:
wget -O libdnet-1.11.tar.gz "http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1349957140&use_mirror=freefr"
tar xzf libdnet-1.11.tar.gz && pushd libdnet-1.11 && ./configure && make && make install && popd
wget "http://downloads.sourceforge.net/netdude/libpcapnav-0.8.tar.gz" &&
tar xzf libpcapnav-0.8.tar.gz && pushd libpcapnav-0.8 && ./configure && make && make install && popd
wget http://www.tcpdump.org/release/tcpdump-4.3.0.tar.gz &&
tar xzf tcpdump-4.3.0.tar.gz && pushd tcpdump-4.3.0 && ./configure && make && make install && popd

# - Download the tcpreplay sources:
wget -O tcpreplay-3.4.4.tar.gz "http://downloads.sourceforge.net/project/tcpreplay/tcpreplay/3.4.4/tcpreplay-3.4.4.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ftcpreplay%2F&ts=1349955503&use_mirror=freefr" &&
tar xzf tcpreplay-3.4.4.tar.gz && pushd tcpreplay-3.4.4 && ./configure && make && make install && popd

# PROCEDURE for installing fprobe:

# - Download the latest fprobe version
wget -O fprobe-1.1.tar.bz2 "http://downloads.sourceforge.net/project/fprobe/fprobe/1.1/fprobe-1.1.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ffprobe%2F&ts=1389265446&use_mirror=cznic" &&
tar xjf fprobe-1.1.tar.bz2 && pushd fprobe-1.1 && ./configure && make && make install && popd
popd

# - Install flow-tools
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install flow-tools