Differences
This shows you the differences between two versions of the page.
|
isc:labs:kernel:tasks:03 [2021/12/02 11:46] radu.mantu |
isc:labs:kernel:tasks:03 [2021/12/02 16:11] (current) radu.mantu |
||
|---|---|---|---|
| Line 337: | Line 337: | ||
| The kernel module source is organized similarly to the user space plugin. The **dns_name_mt_reg** structure acts as a vtable but also includes information about permissible chains and layer 3 protocols that work with our implementation. Specifically, any rule that makes use of this module can be inserted only in the //OUTPUT// chain, meaning that we can only catch requests originating from our localhost. Moreover, we implement support only for IPv4, not for IPv6. As we can see, this structure is used on module initialization, in **dns_name_mt_init()**, to register our module with the **xtables** framework via **xt_register_match()**. | The kernel module source is organized similarly to the user space plugin. The **dns_name_mt_reg** structure acts as a vtable but also includes information about permissible chains and layer 3 protocols that work with our implementation. Specifically, any rule that makes use of this module can be inserted only in the //OUTPUT// chain, meaning that we can only catch requests originating from our localhost. Moreover, we implement support only for IPv4, not for IPv6. As we can see, this structure is used on module initialization, in **dns_name_mt_init()**, to register our module with the **xtables** framework via **xt_register_match()**. | ||
| - | **dns_name_check()** and **dns_name_mt()** implement the functionalities required of our module. The former performs checks on each newly inserted rule, or at least on the part that pertains to this module. In other words, it must make sure that a valid domain name (i.e.: "."s replaced with length of following label, etc.) was inserted, for example. The latter function is called upon to verify if a packet matches a certain rule. Its first argument does not represent the packet itself, but a [[https://elixir.bootlin.com/linux/latest/source/include/linux/skbuff.h#L721|socket buffer]] structure that contains this information, in addition to much, much more. We made sure to provide you with pointers to our **xt_dns_name_mtinfo** structure, but also to the beginning of the IPv4 header. However, it is up to you to implement this logic and obtain a working match module. | + | **dns_name_check()** and **dns_name_mt()** implement the functionalities required of our module. The former performs checks on each newly inserted rule, or at least on the part that pertains to this module. In other words, it must make sure that a valid domain name (i.e.: "."s replaced with length of following label, etc.) was inserted, for example. The latter function is called upon to verify if a packet matches a certain rule. Its first argument does not represent the packet itself, but a [[https://elixir.bootlin.com/linux/latest/source/include/linux/skbuff.h#L721|socket buffer]] structure (see also [[https://wiki.linuxfoundation.org/networking/sk_buff|this]], and possibly [[https://www.py4u.net/discuss/2125353|this]]) that contains this information, in addition to much, much more. We made sure to provide you with pointers to our **xt_dns_name_mtinfo** structure, but also to the beginning of the IPv4 header. However, it is up to you to implement this logic and obtain a working match module. |
| <spoiler> | <spoiler> | ||
