Show page

Differences

This shows you the differences between two versions of the page.

--- ep:labs:04:contents:tasks:ex1 [2021/09/27 22:38]
radu.mantu [01. [??p] Primer / Reminder]
+++ ep:labs:04:contents:tasks:ex1 [2023/10/29 21:08] (current)
radu.mantu
@@ Line 1: / Line 1: @@
-==== 01. [??p] Primer / Reminder ====
+==== 01. [40p] Primer / Reminder ====
-=== [??p] Task A - tcpdump ===
+<note tip>
+//Pro tip #1//: since you'll be using **man** a lot in this exercise, add this to your //.bashrc// or //.zshrc//:
+<code bash>
+# color schemes for man pages
+man() {
+    LESS_TERMCAP_mb=$'\e[1;34m'   \
+    LESS_TERMCAP_md=$'\e[1;32m'   \
+    LESS_TERMCAP_so=$'\e[1;33m'   \
+    LESS_TERMCAP_us=$'\e[1;4;31m' \
+    LESS_TERMCAP_me=$'\e[0m'      \
+    LESS_TERMCAP_se=$'\e[0m'      \
+    LESS_TERMCAP_ue=$'\e[0m'      \
+    command man "$@"
+}
+</code>
+Source the file and test that it works.
+</note>
+=== [20p] Task A - tcpdump ===
-**tcpdump** is network traffic monitoring tool. At its core, it uses **libpcap** which in turn uses a technology called **Extended Berkley Packet Filter (eBPF)**.
+**tcpdump** is a network traffic monitoring tool. At its core, it uses **libpcap** which in turn uses a technology called **Extended Berkley Packet Filter (eBPF)**.
-**eBPF** was first proposed around 1995 when filtering mechanisms (and firewalls) were still a novel concept and were based on interpreters. **BPF** (now referred to as Classic BPF - **cBPF**) was the initial version of a Motorola inspired virtual ISA (i.e.: had no hardware implementation -- think **CHIP-8**).
+**BPF** was first proposed around 1995 when filtering mechanisms (and firewalls) were still a novel concept and were based on interpreters. **BPF** (now referred to as Classic BPF - **cBPF**) was the initial version of a Motorola inspired virtual ISA (i.e.: had no hardware implementation -- think **CHIP-8**). **eBPF** is basically still **BPF** but more compatible with 64-bit architectures so that Just In Time (JIT) translators have an easier time running the code.
-The whole idea was to compile a packet filtering program and attach it to a socket in kernelspace. This program would filter out packets that the userspace process would not be interested in and reduce the quantity of data copied over the kernelspace/userspace boundary, only to ultimately be discarded.
+At first, the whole idea was to compile packet filtering programs and attach them to sockets in kernelspace. These programs would filter out packets that userspace processes would not be interested in. Consequently, this would reduce the quantity of data copied over the kernelspace/userspace boundary, only to ultimately be discarded.
-Today, **eBPF** is used heavily for system profiling by companies such as Netflix and Facebook. **tcpdump** is one of the few examples that still use it for its original purpose. Ask your assistant if you want to know more about **eBPF** tracing (not part of the lab, don't panic!)
+Today, **eBPF** is used heavily for system profiling by companies such as Netflix and Facebook. Linux has had a kernel VM capable of running and statically analyzing **eBPF** code since around 2006. **tcpdump** is one of the few examples that still use it for its original purpose.
 == The Task ==
@@ Line 18: / Line 37: @@
   * print the packet number
   * print the elapsed time (in nanoseconds) since the first packet was captured
-  * print the content of each packet (w/o l2 header) in hex and ASCII
+  * print the content of each packet (without l2 header) in hex and ASCII
   * do not resolve IP addresses to names
@@ Line 40: / Line 59: @@
 </solution>
-=== [??p] Task B - iptables ===
+=== [20p] Task B - iptables ===
 **iptables** is a configuration tool for the kernel packet filter.
@@ Line 46: / Line 65: @@
 The system as a whole provides many functionalities that are grouped by **tables**: //filter, nat, mangle, raw, security//. If you want to alter a packet header, you place a rule in the //mangle// table. If you want to mask the private IP address of an internal host with the external IP address of the default gateway, you place a rule in the //nat// table. Depending on the table you choose, you will gain or lose access to some chains. If not specified, the default is the //filter// table.
-**Chains** are basically lists of rules. The five built-in chains are //PREROUTING, FORWARD, POSTROUTING, INPUT, OUTPUT//. Each of these corresponds to certain locations in the network stack where packets trigger **Netfilter hooks** ([[https://elixir.bootlin.com/linux/latest/source/net/ipv4/ip_input.c#L540|here]] is the //PREROUTING// kernel hook as an example -- not that hard to add one, right?) For a selected chain, the order in which the rules are evaluated is determined primarily by the priority of their tables and secondarily by the user's discretionary arrangement (i.e.: order in which rules are inserted).
+**Chains** are basically lists of rules. The five built-in chains are //PREROUTING, FORWARD, POSTROUTING, INPUT, OUTPUT//. Each of these corresponds to certain locations in the network stack where packets trigger **Netfilter hooks** ([[https://elixir.bootlin.com/linux/v6.5.9/source/net/ipv4/ip_input.c#L569|here]] is the //PREROUTING// kernel hook as an example -- not that hard to add one, right?) For a selected chain, the order in which the rules are evaluated is determined primarily by the priority of their tables and secondarily by the user's discretionary arrangement (i.e.: order in which rules are inserted).
 {{ :ep:labs:04:contents:tasks:iptables_path.png?800 |}}
+<html>
+<center>
+<b>Figure 1:</b> Netfilter hooks; each has a subset of associated tables. Tables categorize the actions (i.e.: targets) taken when a match occurs. E.g: NAT cannot be performed on the FORWARD chain. When multiple rules exist on the same chain, their processing order is primarily determined by the priority of the table they are defined in.
+</center>
+</html>
 A **rule** consists of two entities: a sequence of match criteria and a jump target.
@@ Line 54: / Line 78: @@
 The **jump target** represents an action to be taken. You are most likely familiar with the built-in actions such as //ACCEPT// or //DROP//. These actions decide the ultimate fate of the packet and are final (i.e.: rule iteration stops when these are invoked). However, there are also extended actions (see ''man iptables-extensions(8)'') that are not terminal verdicts and can be used for various tasks such as auditing, forced checksum recalculation or removal of Explicit Congestion Notification (ECN) bits.
-The **match criteria** of every rule are checked to determine if the jump target is applied. The way this is designed is very elegant: every type of feature (e.g.: l3 IP address vs l4 port) that you can check has a match callback function defined in the kernel. If you want, you can write your own such function in a Linux Kernel Module (LKM) and thus extend the functionality of **iptables** ([[https://inai.de/documents/Netfilter_Modules.pdf|Writing Netfilter Modules]] with code example). However, you will need to implement a userspace shared library counterpart. When you start an **iptables** process, it searches in ///usr/lib/xtables/ // and automatically loads certain shared libraries (note: this path can be overwritten or extended using the //XTABLES_LIBDIR// environment variable). Each library there must do three things:
+The **match criteria** of every rule are checked to determine if the jump target is applied. The way this is designed is very elegant: every type of feature (e.g.: Layer 3 IP address vs Layer 4 port) that you can check has a match callback function defined in the kernel. If you want, you can write your own such function in a Linux Kernel Module (LKM) and thus extend the functionality of **iptables** ([[https://inai.de/documents/Netfilter_Modules.pdf|Writing Netfilter Modules]] with code example). However, you will need to implement a userspace shared library counterpart. When you start an **iptables** process, it searches in ///usr/lib/xtables/ // and automatically loads certain shared libraries (note: this path can be overwritten or extended using the //XTABLES_LIBDIR// environment variable). Each library there must do three things:
   * define **iptables** flags for the new criteria that you want to include.
   * define help messages for when ''**iptables** %%--%%help'' is called (its help message is an amalgamation of each library's help snippet).
   * provide an initialization function for the structure containing the rule parameters; this structure will end up in the kernel's rule chain.
-So when you want to test the efficiency of the **iptables** rule evaluation process, keep in mind that each rule may imply the invocation of multiple callbacks.
+So when you want to test the efficiency of the **iptables** rule evaluation process, keep in mind that each rule may imply the invocation of multiple callbacks such as [[https://elixir.bootlin.com/linux/latest/source/net/netfilter/xt_tcpudp.c#L66|this]].
 == The Task (1) ==
@@ Line 74: / Line 98: @@
 <note tip>
+**multiport**, **owner** modules
 <code bash>
 $ man 8 iptables-extensions
@@ Line 108: / Line 135: @@
 <note tip>
+**bpf** module
 <code bash>
 $ man 8 iptables-extensions nfbpf_compile
 </code>
+----
+If you are working on Ubuntu, there is a chance that **nfbpf_compile** did not come with the **iptables** package (oh Canonical... maybe there's something in the //Universe// repos?). \\
+Anyway, you can still install it manually:
+<code bash>
+$ sudo apt install libpcap-dev
+$ wget https://raw.githubusercontent.com/netgroup-polito/iptables/master/utils/nfbpf_compile.c
+$ gcc -o nfbpf_compile nfbpf_compile.c -lpcap
+</code>
+Also, use this [[https://www.mankier.com/8/nfbpf_compile|man page]] rather than installing it separately.
 </note>

General Information

Lectures

Labs

Resources

Assignments

ep/labs/04/contents/tasks/ex1.1632771482.txt.gz · Last modified: 2021/09/27 22:38 by radu.mantu

Show page Old revisions

Media Manager Back to top