12.1. Palo Alto Networks model comparison

Post on 30-Jul-2022


Final Degree Project, Department of Telematics Engineering

12. Appendices

12.1. Palo Alto Networks model comparison


12.2. Configuring a Virtual Switch in VMware ESXi

Figure 54: Configuring a Virtual Switch: Step 1

Figure 55: Configuring a Virtual Switch: Step 2

Figure 56: Configuring a Virtual Switch: Step 3

Figure 57: Configuring a Virtual Switch: Step 4

Figure 58: Configuring a Virtual Switch: Step 5

Figure 59: Configuring a Virtual Switch: Step 6

12.3. install_ndpi.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

# Libraries and preliminary updates
yum install vim
yum install svn
yum install git
yum install unzip
yum install zip
yum install gcc
yum install ncurses-devel
yum install iptables-devel
yum install kernel-devel
yum install libmnl-devel
yum install automake
yum install libtool
yum install libtool-ltdl-devel

# nDPI installation (manual)
# Note: compiled with the original http.c
cd /usr/src/redBorder-ndpi/nDPI
./configure --with-pic --prefix=/opt/rb --sbindir=/opt/rb/bin --exec-prefix=/opt/rb
make
make install

# Installation of the netfilter module
# Note: compiled with the modified http.c (strtok_r)
cp -R ../http.c /usr/src/redBorder-ndpi/nDPI/src/lib/protocols/
cd /usr/src/redBorder-ndpi/nDPI/ndpi-netfilter/ndpi-netfilter-master
LANG=C NDPI_PATH=/usr/src/redBorder-ndpi/nDPI make
#make modules_install
cp ipt/libxt_ndpi.so /lib/xtables
cp ipt/libxt_ndpi.so /lib/xtables-1.4.7
cp -R src/xt_ndpi.ko.unsigned /lib/modules/${KERNEL_VERSION}/extra/xt_ndpi.ko
depmod -a
modprobe xt_ndpi
service iptables restart

12.4. redBorder-ndpi-source.sh

#!/bin/bash

######## First of all make sure to update the kernel to the latest version

KERNEL_VERSION=$(uname -r | sed "s/.i686//")

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum install rng-tools.i686
yum install rpm-build redhat-rpm-config unifdef
yum install gcc patchutils xmlto asciidoc \
    elfutils-libelf-devel elfutils-devel zlib-devel \
    binutils-devel newt-devel python-devel audit-libs-devel \
    bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website
cd
wget http://vault.centos.org/6.5/updates/Source/SPackages/kernel-${KERNEL_VERSION}.src.rpm

# Install rpm packet downloaded
rpm -ivh kernel-${KERNEL_VERSION}.src.rpm

# Before we start, there is need to make system to gen gpg key by rng-tools
rngd -r /dev/urandom

# Prepare kernel sources
cd
cd rpmbuild/SPECS
rpmbuild -bp kernel.spec

# Moving sources to /usr/src and compiling source code
cp -R /root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686 /usr/src/
cd /usr/src/linux-${KERNEL_VERSION}.i686/
make

# Replace kernel files and compile it
cd
cd project/redBorder-ndpi/linux-${KERNEL_VERSION}.i686
ln -s /usr/src/linux-${KERNEL_VERSION}.i686/ /usr/src/linux-dpi_project
chmod u+x insert_kernel_files.sh
./insert_kernel_files.sh

######## Prepare and compile iptables sources and insert redBorder-ndpi files ########

# Getting the source code and allocating it properly
cd
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.7.tar.bz2
tar xvf iptables-1.4.7.tar.bz2
mv iptables-1.4.7/ /usr/src

# Compiling and patching iptables
cd
cd project/redBorder-ndpi/iptables-1.4.7/
chmod u+x insert_iptables_files.sh
./insert_iptables_files.sh
cd /usr/src/iptables-1.4.7/
./configure
make
make install
./copy_new_libxt.sh

######## Prepare and compile redBorder-ndpi ########

# Allocating source code properly
mkdir /usr/src/redBorder-ndpi
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/
chmod u+x install_ndpi.sh
./install_ndpi.sh

12.5. xt_l7state.c

#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_l7state.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sergio Millan Rodriguez <sermilrod@gmail.com>");
MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module for layer 7");
MODULE_ALIAS("ipt_l7state");
MODULE_ALIAS("ip6t_l7state");

static bool l7state_check_l7state(unsigned int l7states, const struct nf_conn *ct)
{
    /* l7states is unsigned, so it is printed with %u */
    printk("statemask: %u\n", l7states);
    switch (l7states) {
    case 1: // L7NOINIT
        if (ct->l7.l7state[0] == 1)
            return true;
        else
            return false;
    case 2: // L7UNKNOWN
        if (ct->l7.l7state[1] == 1)
            return true;
        else
            return false;
    case 4: // L7ACCEPT
        if (ct->l7.l7state[2] == 1)
            return true;
        else
            return false;
    case 6: // L7UNKNOWN OR L7ACCEPT
        if (ct->l7.l7state[1] == 1 || ct->l7.l7state[2] == 1)
            return true;
        else
            return false;
    case 8: // L7DROP
        if (ct->l7.l7state[3] == 1)
            return true;
        else
            return false;
    case 16: // L7CONTINUE
        if (ct->l7.l7state[4] == 1)
            return true;
        else
            return false;
    case 18: // L7UNKNOWN OR L7CONTINUE
        if (ct->l7.l7state[1] == 1 || ct->l7.l7state[4] == 1)
            return true;
        else
            return false;
    }
    return false;
}

static bool
l7state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
    const struct xt_l7state_info *sinfo = par->matchinfo;
    enum ip_conntrack_info ctinfo;
    struct nf_conn *ct;
    bool ret = false;

    ct = nf_ct_get(skb, &ctinfo);
    if (ct != NULL) {
        if (l7state_check_l7state(sinfo->statemask, ct) == true)
            ret = true;
        else
            ret = false;
    } else
        ret = false;
    return ret;
}

static bool l7state_mt_check(const struct xt_mtchk_param *par)
{
    if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
        printk(KERN_WARNING "can't load conntrack support for "
                            "proto=%u\n", par->match->family);
        return false;
    }
    return true;
}

static void l7state_mt_destroy(const struct xt_mtdtor_param *par)
{
    nf_ct_l3proto_module_put(par->match->family);
}

static struct xt_match l7state_mt_reg[] __read_mostly = {
    {
        .name       = "l7state",
        .family     = NFPROTO_IPV4,
        .checkentry = l7state_mt_check,
        .match      = l7state_mt,
        .destroy    = l7state_mt_destroy,
        .matchsize  = sizeof(struct xt_l7state_info),
        .me         = THIS_MODULE,
    },
    {
        .name       = "l7state",
        .family     = NFPROTO_IPV6,
        .checkentry = l7state_mt_check,
        .match      = l7state_mt,
        .destroy    = l7state_mt_destroy,
        .matchsize  = sizeof(struct xt_l7state_info),
        .me         = THIS_MODULE,
    },
};

static int __init l7state_mt_init(void)
{
    return xt_register_matches(l7state_mt_reg, ARRAY_SIZE(l7state_mt_reg));
}

static void __exit l7state_mt_exit(void)
{
    xt_unregister_matches(l7state_mt_reg, ARRAY_SIZE(l7state_mt_reg));
}

module_init(l7state_mt_init);
module_exit(l7state_mt_exit);

12.6. xt_l7state.h

#ifndef _XT_L7STATE_H
#define _XT_L7STATE_H

#define L7MAX 5
#define XT_L7STATE_BIT(l7ctinfo) (1 << (l7ctinfo)%L7MAX)

struct xt_l7state_info
{
    unsigned int statemask;
};

#endif /* _XT_L7STATE_H */

12.7. copy_new_modules.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

pushd /usr/src/linux-dpi_project &>/dev/null
echo "stopping iptables..."
service iptables stop
echo "Compiling modules..."
make modules
echo "Copying new modules..."
for n in $(find net | grep "\.ko\.unsigned$" 2>/dev/null); do
    m=$(echo $n | sed 's/.unsigned//')
    m=$(basename $m)
    /bin/cp -f $n /lib/modules/${KERNEL_VERSION}/extra/$m
done
echo "Removing from memory rest of modules..."
# Unload the old modules first; dependencies are resolved and the new
# modules loaded once, after the loop, instead of on every iteration.
for module in ipt_REJECT nf_defrag_ipv4 nf_conntrack_ipv4 nf_conntrack; do
    rmmod $module &>/dev/null
done
echo "Resolving modules dependences..."
depmod -a
modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe xt_l7state
modprobe xt_ndpi_control
service iptables restart
echo "Done!"

popd &>/dev/null

12.8. libxt_l7state.c

/* Shared library add-on to iptables to add layer 7 state tracking support. */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>    /* strncasecmp() */
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/xt_l7state.h>

static void
l7state_help(void)
{
    printf(
"state match options:\n"
" [!] --l7state [L7NOINIT|L7UNKNOWN|L7ACCEPT|L7DROP|L7CONTINUE][,...]\n"
"                State(s) to match\n");
}

static const struct option l7state_opts[] = {
    { "l7state", 1, NULL, '1' },
    { .name = NULL }
};

static int
l7state_parse_state(const char *l7state, size_t len,
                    struct xt_l7state_info *sinfo)
{
    if (strncasecmp(l7state, "L7NOINIT", len) == 0)
        sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7NOINIT);
    else if (strncasecmp(l7state, "L7UNKNOWN", len) == 0)
        sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7UNKNOWN);
    else if (strncasecmp(l7state, "L7ACCEPT", len) == 0)
        sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7ACCEPT);
    else if (strncasecmp(l7state, "L7DROP", len) == 0)
        sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7DROP);
    else if (strncasecmp(l7state, "L7CONTINUE", len) == 0)
        sinfo->statemask |= XT_L7STATE_BIT(IP_CT_L7CONTINUE);
    else
        return 0;
    return 1;
}

static void
l7state_parse_states(const char *arg, struct xt_l7state_info *sinfo)
{
    const char *comma;

    while ((comma = strchr(arg, ',')) != NULL) {
        if (comma == arg ||
            !l7state_parse_state(arg, comma-arg, sinfo))
            xtables_error(PARAMETER_PROBLEM,
                          "Bad state \"%s\"", arg);
        arg = comma+1;
    }
    if (!*arg)
        xtables_error(PARAMETER_PROBLEM, "\"--l7state\" requires a list of "
                      "states with no spaces, e.g. "
                      "L7UNKNOWN,L7DROP\n"
                      "L7ACCEPT");

    if (strlen(arg) == 0 ||
        !l7state_parse_state(arg, strlen(arg), sinfo))
        xtables_error(PARAMETER_PROBLEM,
                      "Bad state \"%s\"", arg);
}

static int
l7state_parse(int c, char **argv, int invert, unsigned int *flags,
              const void *entry,
              struct xt_entry_match **match)
{
    struct xt_l7state_info *sinfo =
        (struct xt_l7state_info *)(*match)->data;

    switch (c) {
    case '1':
        xtables_check_inverse(optarg, &invert, &optind, 0, argv);
        l7state_parse_states(optarg, sinfo);
        if (invert)
            sinfo->statemask = ~sinfo->statemask;
        *flags = 1;
        break;
    default:
        return 0;
    }

    return 1;
}

static void l7state_final_check(unsigned int flags)
{
    if (!flags)
        xtables_error(PARAMETER_PROBLEM,
                      "You must specify \"--l7state\"");
}

static void l7state_print_state(unsigned int statemask)
{
    const char *sep = "";

    if (statemask & XT_L7STATE_BIT(IP_CT_L7NOINIT)) {
        printf("%sL7NOINIT", sep);
        sep = ",";
    }
    if (statemask & XT_L7STATE_BIT(IP_CT_L7UNKNOWN)) {
        printf("%sL7UNKNOWN", sep);
        sep = ",";
    }
    if (statemask & XT_L7STATE_BIT(IP_CT_L7ACCEPT)) {
        printf("%sL7ACCEPT", sep);
        sep = ",";
    }
    if (statemask & XT_L7STATE_BIT(IP_CT_L7DROP)) {
        printf("%sL7DROP", sep);
        sep = ",";
    }
    if (statemask & XT_L7STATE_BIT(IP_CT_L7CONTINUE)) {
        printf("%sL7CONTINUE", sep);
        sep = ",";
    }
    printf(" ");
}

static void
l7state_print(const void *ip,
              const struct xt_entry_match *match,
              int numeric)
{
    const struct xt_l7state_info *sinfo = (const void *)match->data;

    printf("l7state ");
    l7state_print_state(sinfo->statemask);
}

static void l7state_save(const void *ip, const struct xt_entry_match *match)
{
    const struct xt_l7state_info *sinfo = (const void *)match->data;

    printf("--l7state ");
    l7state_print_state(sinfo->statemask);
}

static struct xtables_match l7state_match = {
    .family        = NFPROTO_UNSPEC,
    .name          = "l7state",
    .version       = XTABLES_VERSION,
    .size          = XT_ALIGN(sizeof(struct xt_l7state_info)),
    .userspacesize = XT_ALIGN(sizeof(struct xt_l7state_info)),
    .help          = l7state_help,
    .parse         = l7state_parse,
    .final_check   = l7state_final_check,
    .print         = l7state_print,
    .save          = l7state_save,
    .extra_opts    = l7state_opts,
};

void _init(void)
{
    xtables_register_match(&l7state_match);
}
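The kernel-side check in 12.5 switches on the exact value of statemask and so recognises seven masks, while the parser in 12.8 can produce any OR of the five state bits and, with "!", its complement. The following user-space model is an added example, not part of the original project; it compares that switch with a general bit test. The state numbering 0..4 is an assumption inferred from the case labels 1, 2, 4, 8 and 16, and struct l7_model, L7_BIT and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define L7MAX 5
/* Same shape as XT_L7STATE_BIT in xt_l7state.h (12.6), unsigned here. */
#define L7_BIT(s) (1u << ((s) % L7MAX))

/* Assumed numbering, inferred from the case labels 1, 2, 4, 8, 16 in 12.5. */
enum l7_state { L7_NOINIT, L7_UNKNOWN, L7_ACCEPT, L7_DROP, L7_CONTINUE };

/* Hypothetical user-space stand-in for the ct->l7.l7state[] flags. */
struct l7_model { unsigned char l7state[L7MAX]; };

/* A connection in exactly one state, as set_l7state() leaves it. */
static struct l7_model in_state(enum l7_state s)
{
    struct l7_model m = { {0} };
    m.l7state[s] = 1;
    return m;
}

/* Same decision table as l7state_check_l7state() in 12.5. */
static bool switch_check(unsigned int mask, const struct l7_model *l7)
{
    switch (mask) {
    case 1:  return l7->l7state[0] == 1;
    case 2:  return l7->l7state[1] == 1;
    case 4:  return l7->l7state[2] == 1;
    case 6:  return l7->l7state[1] == 1 || l7->l7state[2] == 1;
    case 8:  return l7->l7state[3] == 1;
    case 16: return l7->l7state[4] == 1;
    case 18: return l7->l7state[1] == 1 || l7->l7state[4] == 1;
    }
    return false;   /* every other mask never matches */
}

/* General form: match if any state whose bit is in the mask is set. */
static bool bitmask_check(unsigned int mask, const struct l7_model *l7)
{
    unsigned int i;

    for (i = 0; i < L7MAX; i++)
        if ((mask & L7_BIT(i)) && l7->l7state[i] == 1)
            return true;
    return false;
}

/* Convenience wrappers: verdict for a connection in single state s. */
static bool switch_verdict(unsigned int mask, enum l7_state s)
{
    struct l7_model m = in_state(s);
    return switch_check(mask, &m);
}

static bool bitmask_verdict(unsigned int mask, enum l7_state s)
{
    struct l7_model m = in_state(s);
    return bitmask_check(mask, &m);
}

/* True when both checks give the same verdict for every single state. */
static bool checks_agree(unsigned int mask)
{
    unsigned int s;

    for (s = 0; s < L7MAX; s++)
        if (switch_verdict(mask, (enum l7_state)s) !=
            bitmask_verdict(mask, (enum l7_state)s))
            return false;
    return true;
}

/* Number of non-empty masks over the five bits that the switch mishandles. */
static unsigned int count_mishandled_masks(void)
{
    unsigned int mask, n = 0;

    for (mask = 1; mask < (1u << L7MAX); mask++)
        if (!checks_agree(mask))
            n++;
    return n;
}

int main(void)
{
    /* --l7state L7ACCEPT,L7DROP */
    unsigned int both = L7_BIT(L7_ACCEPT) | L7_BIT(L7_DROP);
    /* ! --l7state L7DROP (the parser stores ~statemask) */
    unsigned int not_drop = ~L7_BIT(L7_DROP);

    printf("mask %u, state DROP:   switch=%d bitmask=%d\n", both,
           switch_verdict(both, L7_DROP), bitmask_verdict(both, L7_DROP));
    printf("mask ~8, state ACCEPT: switch=%d bitmask=%d\n",
           switch_verdict(not_drop, L7_ACCEPT),
           bitmask_verdict(not_drop, L7_ACCEPT));
    printf("mishandled masks: %u of %u\n",
           count_mishandled_masks(), (1u << L7MAX) - 1);
    return 0;
}
```

With the switch-based check, a rule that lists a combination outside the seven cases, or that negates a state, never matches, so traffic falls through to whatever rule follows.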


12.9. main.c

/*
 * main.c
 * Copyright (C) 2010-2012 G. Elian Gidoni <geg@gnu.org>
 *               2012 Ed Wildgoose <lists@wildgooses.com>
 *
 * This file is part of nDPI,
 * an open source deep packet inspection
 * library based on the PACE technology by ipoque GmbH
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; version 2
 * of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/if_ether.h>
#include <linux/rbtree.h>
#include <linux/kref.h>
#include <linux/time.h>

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>

#include "ndpi_main.h"
#include "xt_ndpi.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("G. Elian Gidoni <geg@gnu.org>");
MODULE_DESCRIPTION("nDPI wrapper");
MODULE_ALIAS("ipt_ndpi");

#define L7MAX 5
#define L7ACCEPT 2
#define L7DROP 3
#define L7CONTINUE 4

static void set_l7state(struct nf_conn *ct, unsigned int state)
{
    unsigned int i;

    ct->l7.limitoption = 0; // default limit option unset
    ct->l7.actoption = 0;   // default action option unset
    for (i = 0; i < L7MAX; i++) {
        ct->l7.l7state[i] = 0;
        if (i == state)
            ct->l7.l7state[i] = 1; // set the state for packet decision
    }
}

static bool counter_limit(struct nf_conn *ct)
{
    if (ct->l7.l7state[2] == 1
        || ct->l7.l7state[3] == 1
        || ct->l7.l7state[4] == 1) {
        // there is a layer 7 action activated yet
        // (the counter reset was unreachable after the return; it now runs first)
        ct->l7.limit = 0;
        return true;
    }

    if (ct->l7.limit == 0 && ct->l7.limitoption != 0) {
        ct->l7.limit++;
        return true;
    } else if (ct->l7.limitoption > ct->l7.limit) {
        ct->l7.limit++;
        return true;
    } else if (ct->l7.limitoption == 0) {
        return true;
    } else {
        set_l7state(ct, L7DROP);
        ct->l7.limit = 0;
        return false;
    }
    return true;
}

/* flow tracking */
struct osdpi_flow_node {
    struct rb_node node;
    struct nf_conn *ct;
    /* result only, not used for flow identification */
    u32 detected_protocol;
    /* last pointer assigned at run time */
    struct ndpi_flow_struct *ndpi_flow;
};

/* id tracking */
struct osdpi_id_node {
    struct rb_node node;
    struct kref refcnt;
    union nf_inet_addr ip;
    /* last pointer assigned at run time */
    struct ndpi_id_struct *ndpi_id;
};

static u32 size_id_struct = 0;
static u32 size_flow_struct = 0;

static struct rb_root osdpi_flow_root = RB_ROOT;
static struct rb_root osdpi_id_root = RB_ROOT;

static struct kmem_cache *osdpi_flow_cache __read_mostly;
static struct kmem_cache *osdpi_id_cache __read_mostly;

static NDPI_PROTOCOL_BITMASK protocols_bitmask;
static atomic_t protocols_cnt[NDPI_LAST_IMPLEMENTED_PROTOCOL];

DEFINE_SPINLOCK(flow_lock);
DEFINE_SPINLOCK(id_lock);
DEFINE_SPINLOCK(ipq_lock);

/* detection */
static struct ndpi_detection_module_struct *ndpi_struct = NULL;
static u32 detection_tick_resolution = 1000;

/* debug functions */

static void debug_printf(u32 protocol, void *id_struct,
                         ndpi_log_level_t log_level,
                         const char *format, ...)
{
    /* do nothing */

    va_list args;
    va_start(args, format);
    switch (log_level) {
    case NDPI_LOG_ERROR:
        vprintk(format, args);
        break;
    case NDPI_LOG_TRACE:
        vprintk(format, args);
        break;
    case NDPI_LOG_DEBUG:
        vprintk(format, args);
        break;
    }
    va_end(args);
}

static void *malloc_wrapper(unsigned long size)
{
    return kmalloc(size, GFP_KERNEL);
}

static void free_wrapper(void *freeable)
{
    kfree(freeable);
}

static struct osdpi_flow_node *
ndpi_flow_search(struct rb_root *root, struct nf_conn *ct)
{
    struct osdpi_flow_node *data;
    struct rb_node *node = root->rb_node;

    while (node) {
        data = rb_entry(node, struct osdpi_flow_node, node);

        if (ct < data->ct)
            node = node->rb_left;
        else if (ct > data->ct)
            node = node->rb_right;
        else
            return data;
    }

    return NULL;
}

static int
ndpi_flow_insert(struct rb_root *root, struct osdpi_flow_node *data)
{
    struct osdpi_flow_node *this;
    struct rb_node **new = &(root->rb_node), *parent = NULL;

    while (*new) {
        this = rb_entry(*new, struct osdpi_flow_node, node);

        parent = *new;
        if (data->ct < this->ct)
            new = &((*new)->rb_left);
        else if (data->ct > this->ct)
            new = &((*new)->rb_right);
        else
            return 0;
    }
    rb_link_node(&data->node, parent, new);
    rb_insert_color(&data->node, root);

    return 1;
}

static struct osdpi_id_node *
ndpi_id_search(struct rb_root *root, union nf_inet_addr *ip)
{
    int res;
    struct osdpi_id_node *data;
    struct rb_node *node = root->rb_node;

    while (node) {
        data = rb_entry(node, struct osdpi_id_node, node);
        res = memcmp(ip, &data->ip, sizeof(union nf_inet_addr));

        if (res < 0)
            node = node->rb_left;
        else if (res > 0)
            node = node->rb_right;
        else
            return data;
    }

    return NULL;
}

static int
ndpi_id_insert(struct rb_root *root, struct osdpi_id_node *data)
{
    int res;
    struct osdpi_id_node *this;
    struct rb_node **new = &(root->rb_node), *parent = NULL;

    while (*new) {
        this = rb_entry(*new, struct osdpi_id_node, node);
        res = memcmp(&data->ip, &this->ip, sizeof(union nf_inet_addr));

        parent = *new;
        if (res < 0)
            new = &((*new)->rb_left);
        else if (res > 0)
            new = &((*new)->rb_right);
        else
            return 0;
    }
    rb_link_node(&data->node, parent, new);
    rb_insert_color(&data->node, root);

    return 1;
}

static void
ndpi_id_release(struct kref *kref)
{
    struct osdpi_id_node *id;

    id = container_of(kref, struct osdpi_id_node, refcnt);
    rb_erase(&id->node, &osdpi_id_root);
    kmem_cache_free(osdpi_id_cache, id);
}

static struct osdpi_flow_node *
ndpi_alloc_flow(struct nf_conn *ct)
{
    struct osdpi_flow_node *flow;

    spin_lock_bh(&flow_lock);
    flow = ndpi_flow_search(&osdpi_flow_root, ct);
    if (flow != NULL) {
        spin_unlock_bh(&flow_lock);
        return flow;
    }
    flow = kmem_cache_zalloc(osdpi_flow_cache, GFP_ATOMIC);
    if (flow == NULL) {
        pr_err("xt_ndpi: couldn't allocate new flow.\n");
        spin_unlock_bh(&flow_lock);
        return NULL;
    }
    flow->ct = ct;
    flow->ndpi_flow = (struct ndpi_flow_struct *)
        ((char*)&flow->ndpi_flow + sizeof(flow->ndpi_flow));
    ndpi_flow_insert(&osdpi_flow_root, flow);
    spin_unlock_bh(&flow_lock);

    return flow;
}

static void
ndpi_free_flow(struct nf_conn *ct)
{
    struct osdpi_flow_node *flow;

    spin_lock_bh(&flow_lock);
    flow = ndpi_flow_search(&osdpi_flow_root, ct);
    if (flow != NULL) {
        rb_erase(&flow->node, &osdpi_flow_root);
        kmem_cache_free(osdpi_flow_cache, flow);
    }
    spin_unlock_bh(&flow_lock);
}

static struct osdpi_id_node *
ndpi_alloc_id(union nf_inet_addr *ip)
{
    struct osdpi_id_node *id;

    spin_lock_bh(&id_lock);
    id = ndpi_id_search(&osdpi_id_root, ip);
    if (id != NULL) {
        kref_get(&id->refcnt);
    } else {
        id = kmem_cache_zalloc(osdpi_id_cache, GFP_ATOMIC);

        if (id == NULL) {
            pr_err("xt_ndpi: couldn't allocate new id.\n");
            spin_unlock_bh(&id_lock);
            return NULL;
        }
        memcpy(&id->ip, ip, sizeof(union nf_inet_addr));
        id->ndpi_id = (struct ndpi_id_struct *)
            ((char*)&id->ndpi_id + sizeof(id->ndpi_id));
        kref_init(&id->refcnt);
        ndpi_id_insert(&osdpi_id_root, id);
    }
    spin_unlock_bh(&id_lock);

    return id;
}

static void
ndpi_free_id(union nf_inet_addr *ip)
{
    struct osdpi_id_node *id;

    spin_lock_bh(&id_lock);
    id = ndpi_id_search(&osdpi_id_root, ip);
    if (id != NULL)
        kref_put(&id->refcnt, ndpi_id_release);
    spin_unlock_bh(&id_lock);
}

static void
ndpi_enable_protocols(const struct xt_ndpi_mtinfo *info)
{
    int i;

    for (i = 1; i <= NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
        if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0) {
            spin_lock_bh(&ipq_lock);
            atomic_inc(&protocols_cnt[i-1]);
            NDPI_ADD_PROTOCOL_TO_BITMASK(protocols_bitmask, i);
            ndpi_set_protocol_detection_bitmask2
                (ndpi_struct, &protocols_bitmask);
            spin_unlock_bh(&ipq_lock);
        }
    }
}

static void
ndpi_disable_protocols(const struct xt_ndpi_mtinfo *info)
{
    int i;

    for (i = 1; i <= NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
        if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0) {
            spin_lock_bh(&ipq_lock);
            if (atomic_dec_and_test(&protocols_cnt[i-1])) {
                NDPI_DEL_PROTOCOL_FROM_BITMASK(protocols_bitmask, i);
                ndpi_set_protocol_detection_bitmask2
                    (ndpi_struct, &protocols_bitmask);
            }
            spin_unlock_bh(&ipq_lock);
        }
    }
}

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static int
ndpi_conntrack_event(struct notifier_block *this, unsigned long ev,
                     void *data)
{
    struct nf_conn *ct = (struct nf_conn *) data;
    union nf_inet_addr *src, *dst;

    if (ct == &nf_conntrack_untracked)
        return NOTIFY_DONE;

    if (ev & IPCT_DESTROY) {
        src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
        dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

        ndpi_free_id(src);
        ndpi_free_id(dst);
        ndpi_free_flow(ct);
    }

    return NOTIFY_DONE;
}

static struct notifier_block
osdpi_notifier = {
    .notifier_call = ndpi_conntrack_event,
};

#else
static int
ndpi_conntrack_event(unsigned int events, struct nf_ct_event *item)
{
    struct nf_conn *ct = item->ct;
    union nf_inet_addr *src, *dst;

    if (ct == &nf_conntrack_untracked)
        return 0;

    if (events & (1 << IPCT_DESTROY)) {
        src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
        dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

        ndpi_free_id(src);
        ndpi_free_id(dst);
        ndpi_free_flow(ct);
    }

    return 0;
}

static struct nf_ct_event_notifier
osdpi_notifier = {
    .fcn = ndpi_conntrack_event,
};

#endif

static u32
ndpi_process_packet(struct nf_conn *ct, const uint64_t time,
                    const struct iphdr *iph, uint16_t ipsize)
{
    u32 proto = NDPI_PROTOCOL_UNKNOWN;
    union nf_inet_addr *ipsrc, *ipdst;
    struct osdpi_id_node *src, *dst;
    struct osdpi_flow_node *flow;

    spin_lock_bh(&flow_lock);
    flow = ndpi_flow_search(&osdpi_flow_root, ct);
    spin_unlock_bh(&flow_lock);
    if (flow == NULL) {
        flow = ndpi_alloc_flow(ct);
        if (flow == NULL)
            return proto;
    }

    ipsrc = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;

    spin_lock_bh(&id_lock);
    src = ndpi_id_search(&osdpi_id_root, ipsrc);
    spin_unlock_bh(&id_lock);
    if (src == NULL) {
        src = ndpi_alloc_id(ipsrc);
        if (src == NULL)
            return proto;
    }

    ipdst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

    spin_lock_bh(&id_lock);
    dst = ndpi_id_search(&osdpi_id_root, ipdst);
    spin_unlock_bh(&id_lock);
    if (dst == NULL) {
        dst = ndpi_alloc_id(ipdst);
        if (dst == NULL)
            return proto;
    }

    /* here the actual detection is performed */
    spin_lock_bh(&ipq_lock);
    proto = ndpi_detection_process_packet(ndpi_struct,
                                          flow->ndpi_flow, (uint8_t *) iph, ipsize,
                                          time, src->ndpi_id, dst->ndpi_id);
    flow->detected_protocol = proto;
    spin_unlock_bh(&ipq_lock);

    return proto;
}

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
ndpi_mt(const struct sk_buff *skb,
        const struct net_device *in,
        const struct net_device *out,
        const struct xt_match *match,
        const void *matchinfo,
        int offset,
        unsigned int protoff,
        bool *hotdrop)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
ndpi_mt(const struct sk_buff *skb, const struct xt_match_param *par)
#else
static bool
ndpi_mt(const struct sk_buff *skb, struct xt_action_param *par)
#endif
{
    u32 proto;
    u64 time;

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
    const struct xt_ndpi_mtinfo *info = matchinfo;
#else
    const struct xt_ndpi_mtinfo *info = par->matchinfo;
#endif

    enum ip_conntrack_info ctinfo;
    struct nf_conn *ct;
    struct timeval tv;
    struct sk_buff *linearized_skb = NULL;
    const struct sk_buff *skb_use = NULL;

    /* nDPI needs a contiguous buffer: work on a linear copy if required */
    if (skb_is_nonlinear(skb)) {
        linearized_skb = skb_copy(skb, GFP_ATOMIC);
        if (linearized_skb == NULL) {
            pr_info("xt_ndpi: linearization failed.\n");
            return false;
        }
        skb_use = linearized_skb;
    } else {
        skb_use = skb;
    }

    ct = nf_ct_get(skb_use, &ctinfo);
    if (ct == NULL) {
        if (linearized_skb != NULL) {
            kfree_skb(linearized_skb);
        }
        return false;
#if LINUX_VERSION_CODE < KERNEL_VERSION(3,0,0)
    } else if (nf_ct_is_untracked(skb)) {
#else
    } else if (nf_ct_is_untracked(ct)) {
#endif
        pr_info("xt_ndpi: ignoring untracked sk_buff.\n");
        /* release the linear copy on this early exit as well */
        if (linearized_skb != NULL) {
            kfree_skb(linearized_skb);
        }
        return false;
    }

    do_gettimeofday(&tv);
    time = ((uint64_t) tv.tv_sec) * detection_tick_resolution +
           tv.tv_usec / (1000000 / detection_tick_resolution);

    // first time we load ndpi module, we change layer 7 state and exit
    if (ct->l7.l7_state[0] == 1) {
        ct->l7.l7_state[0] = 0; // L7NOINIT false
        ct->l7.l7_state[1] = 1; // L7UNKNOWN true
        if (linearized_skb != NULL) {
            kfree_skb(linearized_skb);
        }
        return true;
    } else {
        if (counter_limit(ct) == true) {
            /* process the packet */
            proto = ndpi_process_packet(ct, time,
                                        ip_hdr(skb_use), skb_use->len);

            if (linearized_skb != NULL) {
                kfree_skb(linearized_skb);
            }

            if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, proto) != 0) { // match
                // a policy action has been required
                // for a layer 7 packet
                switch (ct->l7.actoption) {
                case 1: // L7ACCEPT
                    if (ct->l7.action_flag != 0)
                        set_l7_state(ct, L7ACCEPT); // set action
                    break;
                case 2: // L7DROP
                    if (ct->l7.action_flag != 0)
                        set_l7_state(ct, L7DROP); // set action
                    break;
                case 3: // L7CONTINUE
                    if (ct->l7.action_flag != 0)
                        set_l7_state(ct, L7CONTINUE); // set action
                    break;
                default:
                    // no action required yet
                    // or action is set
                    break;
                }
                return true;
            } else
                // no match, keep L7 UNKNOWN l7_state
                return true;
        } else {
            // window length expired
            if (linearized_skb != NULL) {
                kfree_skb(linearized_skb);
            }
            return false;
        }
    }

    return false;
}

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
ndpi_mt_check(const char *tablename,
              const void *ip,
              const struct xt_match *match,
              void *matchinfo,
              unsigned int hook_mask)
{
    const struct xt_ndpi_mtinfo *info = matchinfo;

    if (NDPI_BITMASK_IS_ZERO(info->flags)) {
        pr_info("None selected protocol.\n");
        return false;
    }

    ndpi_enable_protocols(info);

    return nf_ct_l3proto_try_module_get(match->family) == 0;
}

#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
ndpi_mt_check(const struct xt_mtchk_param *par)
{
    const struct xt_ndpi_mtinfo *info = par->matchinfo;

    if (NDPI_BITMASK_IS_ZERO(info->flags)) {
        pr_info("None selected protocol.\n");
        return false;
    }

    ndpi_enable_protocols(info);

    return nf_ct_l3proto_try_module_get(par->family) == 0;
}
#else
static int
ndpi_mt_check(const struct xt_mtchk_param *par)
{
    const struct xt_ndpi_mtinfo *info = par->matchinfo;

    if (NDPI_BITMASK_IS_ZERO(info->flags)) {
        pr_info("None selected protocol.\n");
        return -EINVAL;
    }

    ndpi_enable_protocols(info);

    return nf_ct_l3proto_try_module_get(par->family);
}
#endif

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static void
ndpi_mt_destroy(const struct xt_match *match, void *matchinfo)
{
    const struct xt_ndpi_mtinfo *info = matchinfo;

    ndpi_disable_protocols(info);
    nf_ct_l3proto_module_put(match->family);
}

#else
static void
ndpi_mt_destroy(const struct xt_mtdtor_param *par)
{
    const struct xt_ndpi_mtinfo *info = par->matchinfo;

    ndpi_disable_protocols(info);
    nf_ct_l3proto_module_put(par->family);
}

#endif

static void ndpi_cleanup(void)
{
    struct rb_node *next;
    struct osdpi_id_node *id;
    struct osdpi_flow_node *flow;

    ndpi_exit_detection_module(ndpi_struct, free_wrapper);

#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
    nf_conntrack_unregister_notifier(&osdpi_notifier);
#else
    nf_conntrack_unregister_notifier(&init_net, &osdpi_notifier);
#endif

    /* free all objects before destroying caches */
    next = rb_first(&osdpi_flow_root);
    while (next) {
        flow = rb_entry(next, struct osdpi_flow_node, node);
        next = rb_next(&flow->node);
        rb_erase(&flow->node, &osdpi_flow_root);
        kmem_cache_free(osdpi_flow_cache, flow);
    }
    kmem_cache_destroy(osdpi_flow_cache);

    next = rb_first(&osdpi_id_root);
    while (next) {
        id = rb_entry(next, struct osdpi_id_node, node);
        next = rb_next(&id->node);
        rb_erase(&id->node, &osdpi_id_root);
        kmem_cache_free(osdpi_id_cache, id);
    }
    kmem_cache_destroy(osdpi_id_cache);
}

static struct xt_match
ndpi_mt_reg __read_mostly = {
    .name = "ndpi",
    .revision = 0,
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
    .family = AF_INET,
#else
    .family = NFPROTO_IPV4,
#endif
    .match = ndpi_mt,
    .checkentry = ndpi_mt_check,
    .destroy = ndpi_mt_destroy,
    .matchsize = sizeof(struct xt_ndpi_mtinfo),
    .me = THIS_MODULE,
};

static int __init ndpi_mt_init(void)
{
    int ret, i;

    pr_info("xt_ndpi 0.1 (nDPI wrapper module).\n");
    /* init global detection structure */
    ndpi_struct = ndpi_init_detection_module(detection_tick_resolution,
                                             malloc_wrapper, free_wrapper,
                                             (void *) debug_printf);

    if (ndpi_struct == NULL) {
        pr_err("xt_ndpi: global structure initialization failed.\n");
        ret = -ENOMEM;
        goto err_out;
    }

    for (i = 0; i < NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
        atomic_set(&protocols_cnt[i], 0);
    }

    /* disable all protocols */
    NDPI_BITMASK_RESET(protocols_bitmask);
    ndpi_set_protocol_detection_bitmask2(ndpi_struct, &protocols_bitmask);

    /* allocate memory for id and flow tracking */
    size_id_struct = ndpi_detection_get_sizeof_ndpi_id_struct();
    size_flow_struct = ndpi_detection_get_sizeof_ndpi_flow_struct();

    osdpi_flow_cache = kmem_cache_create("xt_ndpi_flows",
                                         sizeof(struct osdpi_flow_node) +
                                         size_flow_struct,
                                         0, 0, NULL);

    if (!osdpi_flow_cache) {
        pr_err("xt_ndpi: error creating flow cache.\n");
        ret = -ENOMEM;
        goto err_ipq;
    }

    osdpi_id_cache = kmem_cache_create("xt_ndpi_ids",
                                       sizeof(struct osdpi_id_node) +
                                       size_id_struct,
                                       0, 0, NULL);

    if (!osdpi_id_cache) {
        pr_err("xt_ndpi: error creating ids cache.\n");
        ret = -ENOMEM;
        goto err_flow;
    }

#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
    ret = nf_conntrack_register_notifier(&osdpi_notifier);
#else
    ret = nf_conntrack_register_notifier(&init_net, &osdpi_notifier);
#endif
    if (ret < 0) {
        pr_err("xt_ndpi: error registering notifier.\n");
        goto err_id;
    }

    ret = xt_register_match(&ndpi_mt_reg);
    if (ret != 0) {
        pr_err("xt_ndpi: error registering ndpi match.\n");
        ndpi_cleanup();
    }

    return ret;

err_id:
    kmem_cache_destroy(osdpi_id_cache);
err_flow:
    kmem_cache_destroy(osdpi_flow_cache);
err_ipq:
    ndpi_exit_detection_module(ndpi_struct, free_wrapper);
err_out:
    return ret;
}

static void __exit ndpi_mt_exit(void)
{
    pr_info("xt_ndpi 1.2 unload.\n");

    xt_unregister_match(&ndpi_mt_reg);

    ndpi_cleanup();
}

module_init(ndpi_mt_init);
module_exit(ndpi_mt_exit);

12.10. xt_ndpicontrol.c

#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_ndpicontrol.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sergio Millan Rodriguez <sermilrod@gmail.com>");
MODULE_DESCRIPTION("ip[6]_tables auxiliary module for redBorder ndpi");
MODULE_ALIAS("ipt_ndpicontrol");
MODULE_ALIAS("ip6t_ndpicontrol");

static bool
ndpicontrol_mt(const struct sk_buff *skb,
               const struct xt_match_param *par)
{
    const struct xt_ndpicontrol_info *info = par->matchinfo;
    enum ip_conntrack_info ctinfo;
    struct nf_conn *ct;
    bool ret1, ret2;

    ret1 = false;
    ret2 = false;
    ct = nf_ct_get(skb, &ctinfo);
    if (ct != NULL) {
        if (info->action == 1) {
            // L7ACCEPT
            ct->l7.actoption = info->action;
            ct->l7.action_flag = 1;
            ret1 = true;
        }
        else if (info->action == 2) {
            // L7DROP
            ct->l7.actoption = info->action;
            ct->l7.action_flag = 1;
            ret1 = true;
        }
        else if (info->action == 3) {
            // L7CONTINUE
            ct->l7.actoption = info->action;
            ct->l7.action_flag = 1;
            ret1 = true;
        }

        if (info->limit == 3) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 4) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 5) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 6) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 7) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 8) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 9) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
        else if (info->limit == 10) {
            ct->l7.limitoption = info->limit;
            ct->l7.limit_flag = 1;
            ret2 = true;
        }
    } else
        ret1 = false;

    return (ret1 * ret2);
}

static bool ndpicontrol_mt_check(const struct xt_mtchk_param *par)
{
    if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
        printk(KERN_WARNING "can't load conntrack support for "
               "proto=%u\n", par->match->family);
        return false;
    }
    return true;
}

static void ndpicontrol_mt_destroy(const struct xt_mtdtor_param *par)
{
    nf_ct_l3proto_module_put(par->match->family);
}

static struct xt_match ndpicontrol_mt_reg[] __read_mostly = {
    {
        .name = "ndpicontrol",
        .family = NFPROTO_IPV4,
        .checkentry = ndpicontrol_mt_check,
        .match = ndpicontrol_mt,
        .destroy = ndpicontrol_mt_destroy,
        .matchsize = sizeof(struct xt_ndpicontrol_info),
        .me = THIS_MODULE,
    },
    {
        .name = "ndpicontrol",
        .family = NFPROTO_IPV6,
        .checkentry = ndpicontrol_mt_check,
        .match = ndpicontrol_mt,
        .destroy = ndpicontrol_mt_destroy,
        .matchsize = sizeof(struct xt_ndpicontrol_info),
        .me = THIS_MODULE,
    },
};

static int __init ndpicontrol_mt_init(void)
{
    return xt_register_matches(ndpicontrol_mt_reg,
                               ARRAY_SIZE(ndpicontrol_mt_reg));
}

static void __exit ndpicontrol_mt_exit(void)
{
    xt_unregister_matches(ndpicontrol_mt_reg,
                          ARRAY_SIZE(ndpicontrol_mt_reg));
}

module_init(ndpicontrol_mt_init);
module_exit(ndpicontrol_mt_exit);

12.11. libxt_ndpicontrol.c

/* auxiliary helper for redBorder ndpi */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include <linux/netfilter/xt_ndpicontrol.h>

static void
ndpicontrol_help(void)
{
    printf("This module allows you to extend ndpi functions by setting the layer 7"
           " state to packet processing and establishing the acceptance window credit.\n"
           "ndpicontrol match options:\n"
           " [!] --action [L7ACCEPT|L7DROP|L7CONTINUE]\n"
           " [!] --limit [3|4|5|6|7|8|9|10]\n");
}

static const struct option ndpicontrol_opts[] = {
    { .name = "action", .has_arg = true, .val = '1' },
    { .name = "limit", .has_arg = true, .val = '2' },
    { .name = NULL } /* terminator: the option table is scanned until a NULL name */
};

/* Map the --action keyword to its numeric code; returns 0 on an unknown keyword */
static int
ndpicontrol_parse_action(const char *option,
                         struct xt_ndpicontrol_info *info)
{
    if (strcmp(option, "L7ACCEPT") == 0)
        info->action = 1;
    else if (strcmp(option, "L7DROP") == 0)
        info->action = 2;
    else if (strcmp(option, "L7CONTINUE") == 0)
        info->action = 3;
    else
        return 0;

    return 1;
}

/* Accept only the window sizes 3..10; returns 0 on any other value */
static int
ndpicontrol_parse_limit(const char *option,
                        struct xt_ndpicontrol_info *info)
{
    if (strcmp(option, "3") == 0)
        info->limit = 3;
    else if (strcmp(option, "4") == 0)
        info->limit = 4;
    else if (strcmp(option, "5") == 0)
        info->limit = 5;
    else if (strcmp(option, "6") == 0)
        info->limit = 6;
    else if (strcmp(option, "7") == 0)
        info->limit = 7;
    else if (strcmp(option, "8") == 0)
        info->limit = 8;
    else if (strcmp(option, "9") == 0)
        info->limit = 9;
    else if (strcmp(option, "10") == 0)
        info->limit = 10;
    else
        return 0;

    return 1;
}

static int
ndpicontrol_parse(int c, char **argv, int invert,
                  unsigned int *flags,
                  const void *entry,
                  struct xt_entry_match **match)
{
    struct xt_ndpicontrol_info *info = (void *)(*match)->data;

    switch (c) {
    case '1':
        *flags = 1;
        if (ndpicontrol_parse_action(optarg, info) == 0)
            xtables_error(PARAMETER_PROBLEM, "Bad option provided. "
                          "You must specify --action [L7ACCEPT|L7DROP|L7CONTINUE]\n");
        break;
    case '2':
        *flags = 1;
        if (ndpicontrol_parse_limit(optarg, info) == 0)
            xtables_error(PARAMETER_PROBLEM, "Bad option provided. "
                          "You must specify --limit [3|4|5|6|7|8|9|10]\n");
        break;
    default:
        return 0;
    }

    return 1;
}

static void ndpicontrol_final_check(unsigned int flags)
{
    if (!flags)
        xtables_error(PARAMETER_PROBLEM, "You must specify: "
                      "--action [L7ACCEPT|L7DROP|L7CONTINUE] "
                      "--limit [3|4|5|6|7|8|9|10]\n");
}

static void
ndpicontrol_print(const void *ip,
                  const struct xt_entry_match *match,
                  int numeric)
{
    const struct xt_ndpicontrol_info *info = (const void *)match->data;

    if (info->action == 1)
        printf("ndpicontrol: --action L7ACCEPT --limit %d", info->limit);
    else if (info->action == 2)
        printf("ndpicontrol: --action L7DROP --limit %d", info->limit);
    else if (info->action == 3)
        printf("ndpicontrol: --action L7CONTINUE --limit %d", info->limit);
    else
        xtables_error(PARAMETER_PROBLEM,
                      "An error occurred when parsing arguments\n");
}

static void ndpicontrol_save(const void *ip,
                             const struct xt_entry_match *match)
{
    const struct xt_ndpicontrol_info *info = (const void *)match->data;
}

static struct xtables_match ndpicontrol_match = {
    .family = NFPROTO_UNSPEC,
    .name = "ndpicontrol",
    .version = XTABLES_VERSION,
    .size = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
    .userspacesize = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
    .help = ndpicontrol_help,
    .parse = ndpicontrol_parse,
    .final_check = ndpicontrol_final_check,
    .print = ndpicontrol_print,
    .save = ndpicontrol_save,
    .extra_opts = ndpicontrol_opts,
};

void _init(void)
{
    xtables_register_match(&ndpicontrol_match);
}

12.12. copy_new_libxt.sh

#!/bin/bash

echo "Compiling libraries..."
make
echo "Copying the shared library libxt_l7state.so..."
cp -R extensions/libxt_l7state.so /lib/xtables-1.4.7/
echo "Copying the shared library libxt_ndpicontrol.so..."
cp -R extensions/libxt_ndpicontrol.so /lib/xtables-1.4.7/
depmod
echo "Checking module xt_l7state..."
modprobe xt_l7state
echo "Checking module xt_ndpicontrol..."
modprobe xt_ndpicontrol
echo "Done!"

12.13. insert_iptables_files.sh

#!/bin/bash

cp -R libxt_ndpicontrol.c /usr/src/iptables-1.4.7/extensions/
cp -R libxt_l7state.c /usr/src/iptables-1.4.7/extensions/

cp -R xt_l7state.h /usr/src/iptables-1.4.7/include/linux/netfilter/
cp -R xt_ndpicontrol.h /usr/src/iptables-1.4.7/include/linux/netfilter
cp -R nf_conntrack_common.h /usr/src/iptables-1.4.7/include/linux/netfilter

cp -R copy_new_libxt.sh /usr/src/iptables-1.4.7/

12.14. insert_kernel_files.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

cp -R xt_ndpicontrol.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R xt_l7state.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_tcp.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_udp.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R nf_conntrack_proto_udplite.c /usr/src/linux-${KERNEL_VERSION}/net/netfilter/

cp -R nf_conntrack.h /usr/src/linux-${KERNEL_VERSION}/include/net/netfilter/
cp -R nf_conntrack_common.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/
cp -R xt_l7state.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/
cp -R xt_ndpicontrol.h /usr/src/linux-${KERNEL_VERSION}/include/linux/netfilter/

cp -R Kconfig /usr/src/linux-${KERNEL_VERSION}/net/netfilter/
cp -R Makefile /usr/src/linux-${KERNEL_VERSION}/net/netfilter/

cp -R copy_new_modules.sh /usr/src/linux-${KERNEL_VERSION}/

cd /usr/src/linux-${KERNEL_VERSION}
chmod u+x copy_new_modules.sh
./copy_new_modules.sh
cd /root/project/redBorder-ndpi

12.15. install-redBorder-Stronghold.sh

#!/bin/bash

######## First of all make sure to update the kernel to the latest version

KERNEL_VERSION=$(uname -r | sed "s/.i686//")

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum install rng-tools.i686
yum install rpm-build redhat-rpm-config unifdef
yum install gcc patchutils xmlto asciidoc elfutils-libelf-devel elfutils-devel zlib-devel binutils-devel newt-devel python-devel audit-libs-devel bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website
cd
wget http://vault.centos.org/6.5/updates/Source/SPackages/kernel-${KERNEL_VERSION}.src.rpm

# Install rpm packet downloaded
rpm -ivh kernel-${KERNEL_VERSION}.src.rpm

# Before we start, there is need to make system to gen gpg key by rng-tools
rngd -r /dev/urandom

# Prepare kernel sources
cd
cd rpmbuild/SPECS
rpmbuild -bp kernel.spec

# Moving sources to /usr/src
cp -R /root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686 /usr/src/

# Patching kernel and activate new features in the kernel configuration
cd
cd project/redBorder-ndpi/patch
cp ndpi-2.6.32.patch /usr/src/
cd /usr/src/
patch -p0 < ndpi-2.6.32.patch
cd linux-${KERNEL_VERSION}.i686/

# we need to remove include/asm to be able to compile kernel after the patch
rm -rf include/asm
make menuconfig
make
cd
cd project/redBorder-ndpi/patch
./insert_new_modules.sh

###### Prepare and compile redBorder-ndpi ########

# Allocating source code properly
cd /usr/src/
mkdir redBorder-ndpi
ln -s linux-${KERNEL_VERSION}.i686/ linux-dpiproject
cd
cd project/redBorder-ndpi/
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/
chmod u+x install_ndpi.sh
./install_ndpi.sh

12.16. insert_new_modules.sh

#!/bin/bash

KERNEL_VERSION=$(uname -r)

service iptables stop
service ip6tables stop
cp -R modules/* /lib/modules/$KERNEL_VERSION/extra
rmmod nf_defrag_ipv4
rmmod ipt_REJECT
rmmod ip6t_REJECT
depmod -a
modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe xt_l7state
modprobe xt_ndpicontrol
service iptables restart

12.17. install-trafficgen.sh

#- Install development tools:
LANG=C yum groupinstall "Development tools" "Server Platform Development"
yum install wireshark
pushd /usr/src

#- Download the latest version of libpcap
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz &&
tar xzf libpcap-1.3.0.tar.gz &&
pushd libpcap-1.5.3 &&
./configure &&
make &&
make install &&
popd

#- Download libdnet, libpcapnav, tcpdump:
wget -O libdnet-1.11.tar.gz "http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1349957140&use_mirror=freefr"
tar xzf libdnet-1.11.tar.gz &&
pushd libdnet-1.11 &&
./configure &&
make &&
make install &&
popd
wget "http://downloads.sourceforge.net/netdude/libpcapnav-0.8.tar.gz" &&
tar xzf libpcapnav-0.8.tar.gz &&
pushd libpcapnav-0.8 &&
./configure &&
make &&
make install &&
popd
wget http://www.tcpdump.org/release/tcpdump-4.3.0.tar.gz &&
tar xzf tcpdump-4.5.1.tar.gz &&
pushd tcpdump-4.5.1 &&
./configure &&
make &&
make install &&
popd

#- Download tcpreplay sources:
wget -O tcpreplay-3.4.4.tar.gz "http://downloads.sourceforge.net/project/tcpreplay/tcpreplay/3.4.4/tcpreplay-3.4.4.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ftcpreplay%2F&ts=1349955503&use_mirror=freefr" &&
tar xzf tcpreplay-4.0.3.tar.gz &&
pushd tcpreplay-4.0.3 &&
./configure &&
make &&
make install &&
popd

# PROCEDURE for installing fprobe:

#- Download the latest version of fprobe
wget -O fprobe-1.1.tar.bz2 "http://downloads.sourceforge.net/project/fprobe/fprobe/1.1/fprobe-1.1.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ffprobe%2F&ts=1389265446&use_mirror=cznic" &&
tar xjf fprobe-1.1.tar.bz2 &&
pushd fprobe-1.1 &&
./configure &&
make &&
make install &&
popd
popd

#- Install flow-tools
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install flow-tools