Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12. Anexos
12.1. Comparativa modelos paloalto networks
139
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
140
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
141
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
142
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
143
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.2. Configuración de un Virtual Switch en VMware ESXi
Figura 54: Configuracion un Virtual Switch: Paso 1
Figura 55: Configuracion un Virtual Switch: Paso 2
144
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
Figura 56: Configuracion un Virtual Switch: Paso 3
Figura 57: Configuracion un Virtual Switch: Paso 4
145
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
Figura 58: Configuracion un Virtual Switch: Paso 5
Figura 59: Configuracion un Virtual Switch: Paso 6
146
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.3. install_ndpi.sh
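#!/bin/bash
#
# install_ndpi.sh - build and install nDPI plus the ndpi-netfilter kernel
# module and iptables extension. Must run as root.
#
# Every step changes system state as root, so the script stops at the first
# failure: the original kept going after a failed `cd` or `make`, which could
# run `make install` in the wrong directory or restart iptables without the
# module it expects.
set -euo pipefail

KERNEL_VERSION=$(uname -r)
readonly KERNEL_VERSION
readonly NDPI_DIR=/usr/src/redBorder-ndpi/nDPI

# Prerequisite libraries and tools. A single transaction keeps the
# interactive confirmation (no -y) but asks only once.
yum install vim svn git unzip zip gcc ncurses-devel iptables-devel \
  kernel-devel libmnl-devel automake libtool libtool-ltdl-devel

# nDPI installation (manual).
# Note: built with the original http.c.
cd "$NDPI_DIR"
./configure --with-pic --prefix=/opt/rb --sbindir=/opt/rb/bin --exec-prefix=/opt/rb
make
make install

# Installation of the netfilter module.
# Note: built with the http.c modified to use strtok_r.
cp -R ../http.c "${NDPI_DIR}/src/lib/protocols/"
cd "${NDPI_DIR}/ndpi-netfilter/ndpi-netfilter-master"
LANG=C NDPI_PATH="$NDPI_DIR" make
#make modules_install
cp ipt/libxt_ndpi.so /lib/xtables
cp ipt/libxt_ndpi.so /lib/xtables-1.4.7
# NOTE(review): the *unsigned* module is installed under the name of the
# final .ko, so the module-signing step of the build is skipped; a kernel
# that enforces module signatures is expected to refuse it.
cp -R src/xt_ndpi.ko.unsigned "/lib/modules/${KERNEL_VERSION}/extra/xt_ndpi.ko"
depmod -a
modprobe xt_ndpi
service iptables restart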
147
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.4. redBorder-ndpi-source.sh
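#!/bin/bash
#
# redBorder-ndpi-source.sh - fetch the CentOS 6.5 kernel sources and
# iptables 1.4.7, patch both with the redBorder-ndpi files, build them and
# finally run install_ndpi.sh. Must run as root.
#
# Optional environment:
#   IPTABLES_SHA256  expected SHA-256 of iptables-1.4.7.tar.bz2; when set the
#                    tarball is verified before it is unpacked.
#
# First of all make sure to update the kernel to the latest version.
#
# Everything downloaded here is compiled and installed as root, so the
# script aborts on the first error instead of building on top of a failed
# step.
set -euo pipefail

kernel_release=$(uname -r)
KERNEL_VERSION=${kernel_release%.i686}
readonly KERNEL_VERSION
readonly SRC_RPM="kernel-${KERNEL_VERSION}.src.rpm"
readonly IPTABLES_TARBALL="iptables-1.4.7.tar.bz2"

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum install rng-tools.i686
yum install rpm-build redhat-rpm-config unifdef
yum install gcc patchutils xmlto asciidoc elfutils-libelf-devel \
  elfutils-devel zlib-devel binutils-devel newt-devel python-devel \
  audit-libs-devel bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website
cd
wget "http://vault.centos.org/6.5/updates/Source/SPackages/${SRC_RPM}"

# The package arrives over plain HTTP, so anyone on the network path could
# replace it. Check its digests and GPG signature before installing; this
# needs the CentOS signing key in the rpm keyring and fails otherwise.
rpm -K "$SRC_RPM"

# Install the downloaded source rpm
rpm -ivh "$SRC_RPM"

# Before we start, the system needs entropy to generate a GPG key.
# NOTE(review): feeding /dev/urandom back into the pool only raises the
# kernel's entropy estimate, it adds no new randomness. Acceptable for a
# throw-away build key; do not rely on keys generated this way elsewhere.
rngd -r /dev/urandom

# Prepare kernel sources
cd
cd rpmbuild/SPECS
rpmbuild -bp kernel.spec

# Moving sources to /usr/src and compiling source code
cp -R "/root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686" /usr/src/
cd "/usr/src/linux-${KERNEL_VERSION}.i686/"
make

# Replace kernel files and compile it
cd
cd "project/redBorder-ndpi/linux-${KERNEL_VERSION}.i686"
# NOTE(review): link name restored from a listing that lost its underscores.
ln -s "/usr/src/linux-${KERNEL_VERSION}.i686/" /usr/src/linux-dpi_project
chmod u+x insert_kernel_files.sh
./insert_kernel_files.sh

######## Prepare and compile iptables sources and insert redBorder-ndpi files ########

# Getting the source code and placing it properly
cd
wget "http://ftp.netfilter.org/pub/iptables/${IPTABLES_TARBALL}"
# Same exposure as the kernel rpm: verify the tarball when a reference
# digest is supplied, and say so loudly when it is not.
if [[ -n "${IPTABLES_SHA256:-}" ]]; then
  printf '%s  %s\n' "$IPTABLES_SHA256" "$IPTABLES_TARBALL" | sha256sum -c -
else
  printf 'warning: IPTABLES_SHA256 not set, %s is not verified\n' \
    "$IPTABLES_TARBALL" >&2
fi
tar xvf "$IPTABLES_TARBALL"
mv iptables-1.4.7/ /usr/src

# Compiling and patching iptables
cd
cd project/redBorder-ndpi/iptables-1.4.7/
chmod u+x insert_iptables_files.sh
./insert_iptables_files.sh
cd /usr/src/iptables-1.4.7/
./configure
make
make install
./copy_new_libxt.sh

######## Prepare and compile redBorder-ndpi ########

# Placing source code properly
# NOTE(review): nDPI/ and http.c are relative paths, but the working
# directory at this point is /usr/src/iptables-1.4.7/; confirm where these
# files are expected to live.
mkdir -p /usr/src/redBorder-ndpi
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/
chmod u+x install_ndpi.sh
./install_ndpi.sh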
149
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.5. xt_l7state.c
#inc lude <l i nux /module . h>#inc lude <l i nux / skbu f f . h>#inc lude <net / n e t f i l t e r / n f connt rack . h>#inc lude <l i nux / n e t f i l t e r / x t ab l e s . h>#inc lude <l i nux / n e t f i l t e r / x t l 7 s t a t e . h>
/* Module metadata; the aliases let iptables/ip6tables autoload the match. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sergio Millan Rodriguez <sermilrod@gmail.com>");
MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module for layer 7");
MODULE_ALIAS("ipt_l7state");
MODULE_ALIAS("ip6t_l7state");
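/*
 * l7state_check_l7state - test a rule's state mask against a connection.
 * @l7states: bit mask built by the iptables extension, one bit per layer-7
 *            state (bit i selects ct->l7.l7state[i]).
 * @ct:       conntrack entry of the packet being matched.
 *
 * Returns true when at least one state selected by the mask is set on the
 * connection.
 *
 * The original compared the mask against seven literal values (1, 2, 4, 6,
 * 8, 16, 18). User space builds the mask by OR-ing bits and may invert it
 * with '!', so any other combination silently never matched. For a firewall
 * rule that is a rule which looks active but filters nothing. Testing bit by
 * bit gives the same result for those seven values and a defined result for
 * all others.
 *
 * The per-packet printk is demoted to pr_debug: an unconditional message on
 * the packet path lets traffic volume flood the kernel log.
 *
 * NOTE(review): field names are restored from a listing that lost its
 * underscores; confirm them against the patched nf_conntrack.h.
 */
static bool l7state_check_l7state(unsigned int l7states,
				  const struct nf_conn *ct)
{
	unsigned int i;

	pr_debug("statemask: %u\n", l7states);

	for (i = 0; i < L7MAX; i++) {
		if ((l7states & (1U << i)) && ct->l7.l7state[i] == 1)
			return true;
	}
	return false;
}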
/*
 * l7state_mt - xtables match callback.
 *
 * Looks up the conntrack entry attached to the packet and checks it against
 * the rule's state mask. A packet without a conntrack entry never matches.
 */
static bool
l7state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_l7state_info *sinfo = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);

	if (ct == NULL)
		return false;

	return l7state_check_l7state(sinfo->statemask, ct);
}
/*
 * l7state_mt_check - rule-insertion hook.
 *
 * Pins the layer-3 conntrack module for the rule's family so connection
 * tracking is available while the rule exists. Returns false (rule
 * rejected) when that module cannot be loaded.
 */
static bool l7state_mt_check(const struct xt_mtchk_param *par)
{
	int err = nf_ct_l3proto_try_module_get(par->match->family);

	if (err >= 0)
		return true;

	printk(KERN_WARNING "can't load conntrack support for "
	       "proto=%u\n", par->match->family);
	return false;
}
151
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
/*
 * l7state_mt_destroy - rule-removal hook.
 *
 * Drops the conntrack module reference taken in l7state_mt_check().
 */
static void l7state_mt_destroy(const struct xt_mtdtor_param *par)
{
	nf_ct_l3proto_module_put(par->match->family);
}
/*
 * Match registrations: the same callbacks are registered once for IPv4 and
 * once for IPv6 under the name "l7state".
 */
static struct xt_match l7state_mt_reg[] __read_mostly = {
	{
		.name       = "l7state",
		.family     = NFPROTO_IPV4,
		.checkentry = l7state_mt_check,
		.match      = l7state_mt,
		.destroy    = l7state_mt_destroy,
		.matchsize  = sizeof(struct xt_l7state_info),
		.me         = THIS_MODULE,
	},
	{
		.name       = "l7state",
		.family     = NFPROTO_IPV6,
		.checkentry = l7state_mt_check,
		.match      = l7state_mt,
		.destroy    = l7state_mt_destroy,
		.matchsize  = sizeof(struct xt_l7state_info),
		.me         = THIS_MODULE,
	},
};
/* Module load: register both "l7state" matches with xtables. */
static int __init l7state_mt_init(void)
{
	return xt_register_matches(l7state_mt_reg,
				   ARRAY_SIZE(l7state_mt_reg));
}

/* Module unload: remove the registrations made at load time. */
static void __exit l7state_mt_exit(void)
{
	xt_unregister_matches(l7state_mt_reg,
			      ARRAY_SIZE(l7state_mt_reg));
}

module_init(l7state_mt_init);
module_exit(l7state_mt_exit);
152
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.6. xt_l7state.h
#ifndef _XT_L7STATE_H
#define _XT_L7STATE_H

/* Number of layer-7 states tracked per connection. */
#define L7MAX 5

/*
 * Mask bit for a layer-7 state value. '%' binds tighter than '<<', so the
 * state is first reduced modulo L7MAX and then used as the shift count; the
 * extra parentheses only make that order explicit.
 */
#define XT_L7STATE_BIT(l7ctinfo) (1 << ((l7ctinfo) % L7MAX))

/* Match data shared between the iptables extension and the kernel match. */
struct xt_l7state_info
{
	unsigned int statemask;	/* OR of XT_L7STATE_BIT() values */
};

#endif /* _XT_L7STATE_H */
12.7. copy_new_modules.sh
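#!/bin/bash
#
# copy_new_modules.sh - rebuild the patched netfilter modules, install them
# under /lib/modules/<running kernel>/extra and reload conntrack plus the
# layer-7 modules. Must run as root.
#
# Changes against the listing:
#  * The modules are compiled BEFORE iptables is stopped. The original
#    stopped the firewall first, leaving the host unfiltered for the whole
#    build, and indefinitely if the build failed.
#  * Once iptables is stopped, an EXIT trap tries to restart it on any exit
#    path.
#  * In the listing the `done` of the unload loop comes after the modprobe
#    lines, so depmod/modprobe ran once per module and re-loaded modules the
#    loop was about to unload. Unloading now completes first.
#  * A failed pushd is no longer hidden; `make modules` must not run in an
#    arbitrary directory.
set -euo pipefail

KERNEL_VERSION=$(uname -r)
readonly KERNEL_VERSION
# NOTE(review): path restored from a listing that lost its underscores.
readonly SRC_DIR=/usr/src/linux-dpi_project
readonly DEST_DIR="/lib/modules/${KERNEL_VERSION}/extra"

pushd "$SRC_DIR" >/dev/null

echo "Compiling modules..."
make modules

echo "stopping iptables..."
service iptables stop
trap 'service iptables restart' EXIT

echo "Copying new modules..."
# NOTE(review): the unsigned build artefacts are installed under the .ko
# name, so the module-signing step is skipped.
while IFS= read -r -d '' unsigned_ko; do
  ko_name=$(basename -- "${unsigned_ko%.unsigned}")
  /bin/cp -f -- "$unsigned_ko" "${DEST_DIR}/${ko_name}"
done < <(find net -name '*.ko.unsigned' -print0)

echo "Removing from memory rest of modules..."
for module in ipt_REJECT nf_defrag_ipv4 nf_conntrack_ipv4 nf_conntrack; do
  # A module that is not loaded makes rmmod fail; that is expected here.
  rmmod "$module" &>/dev/null || true
done

echo "Resolving modules dependences..."
depmod -a
modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe xt_l7state
# NOTE(review): module name restored from the garbled listing; confirm.
modprobe xt_ndpi_control

trap - EXIT
service iptables restart
echo "Done!"

popd >/dev/null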
153
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.8. libxt_l7state.c
/∗ Shared l i b r a r y add−on to i p t a b l e s to add l ay e r 7s t a t e t r a ck ing support . ∗/#inc lude <s t d i o . h>#inc lude <netdb . h>#inc lude <s t r i n g . h>#inc lude <s t d l i b . h>#inc lude <getopt . h>#inc lude <x tab l e s . h>#inc lude <l i nux / n e t f i l t e r /nf conntrack common . h>#inc lude <l i nux / n e t f i l t e r / x t l 7 s t a t e . h>
/* Print the usage text for the --l7state option. */
static void
l7state_help(void)
{
	printf(
"state match options:\n"
" [!] --l7state [L7NOINIT|L7UNKNOWN|L7ACCEPT|L7DROP|L7CONTINUE][,...]\n"
"				State(s) to match\n");
}
/* getopt_long table: one option, --l7state, which takes an argument. */
static const struct option l7state_opts[] = {
	{ "l7state", 1, NULL, '1' },
	{ .name = NULL }
};
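/*
 * l7state_parse_state - add one state name to the rule's mask.
 * @l7state: start of the token (not NUL-terminated at @len).
 * @len:     length of the token.
 * @sinfo:   match data whose statemask receives the bit.
 *
 * Returns 1 when the token names a state, 0 otherwise.
 *
 * The original compared only the first @len characters of each name, so
 * any prefix was accepted: "L7" (or "L") matched the first entry and
 * selected L7NOINIT. A firewall rule must not be built from an ambiguous
 * token, so the token now has to match a name in full (case-insensitive).
 */
static int
l7state_parse_state(const char *l7state, size_t len,
		    struct xt_l7state_info *sinfo)
{
	static const struct {
		const char *name;
		unsigned int bit;
	} states[] = {
		{ "L7NOINIT",   XT_L7STATE_BIT(IP_CT_L7NOINIT) },
		{ "L7UNKNOWN",  XT_L7STATE_BIT(IP_CT_L7UNKNOWN) },
		{ "L7ACCEPT",   XT_L7STATE_BIT(IP_CT_L7ACCEPT) },
		{ "L7DROP",     XT_L7STATE_BIT(IP_CT_L7DROP) },
		{ "L7CONTINUE", XT_L7STATE_BIT(IP_CT_L7CONTINUE) },
	};
	size_t i;

	for (i = 0; i < sizeof(states) / sizeof(states[0]); i++) {
		if (strlen(states[i].name) == len &&
		    strncasecmp(l7state, states[i].name, len) == 0) {
			sinfo->statemask |= states[i].bit;
			return 1;
		}
	}
	return 0;
}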
/*
 * l7state_parse_states - parse a comma-separated list of state names.
 * @arg:   option argument, e.g. "L7UNKNOWN,L7DROP".
 * @sinfo: match data that accumulates the mask.
 *
 * Each element is handed to l7state_parse_state(); an empty element, an
 * unknown name or a trailing comma is reported through xtables_error().
 */
static void
l7state_parse_states(const char *arg, struct xt_l7state_info *sinfo)
{
	const char *comma;

	for (comma = strchr(arg, ','); comma != NULL;
	     comma = strchr(arg, ',')) {
		if (comma == arg ||
		    !l7state_parse_state(arg, comma - arg, sinfo))
			xtables_error(PARAMETER_PROBLEM,
				      "Bad state \"%s\"", arg);
		arg = comma + 1;
	}

	/* Nothing after the last comma. */
	if (!*arg)
		xtables_error(PARAMETER_PROBLEM,
			      "\"--l7state\" requires a list of "
			      "states with no spaces, e.g. "
			      "L7UNKNOWN,L7DROP\n"
			      "L7ACCEPT");

	/* Last (or only) element. */
	if (strlen(arg) == 0 ||
	    !l7state_parse_state(arg, strlen(arg), sinfo))
		xtables_error(PARAMETER_PROBLEM,
			      "Bad state \"%s\"", arg);
}
/*
 * l7state_parse - option callback for the match.
 *
 * Handles option '1' (--l7state): parses the state list into the match
 * data, complements the mask when the option was negated, and records in
 * *flags that the option was seen. Returns 1 when the option was consumed,
 * 0 for any other option.
 */
static int
l7state_parse(int c, char **argv, int invert, unsigned int *flags,
	      const void *entry,
	      struct xt_entry_match **match)
{
	struct xt_l7state_info *sinfo =
		(struct xt_l7state_info *)(*match)->data;

	if (c != '1')
		return 0;

	xtables_check_inverse(optarg, &invert, &optind, 0, argv);
	l7state_parse_states(optarg, sinfo);
	if (invert)
		sinfo->statemask = ~sinfo->statemask;
	*flags = 1;

	return 1;
}
155
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
/* Reject a rule that loads the match without giving --l7state. */
static void l7state_final_check(unsigned int flags)
{
	if (flags)
		return;

	xtables_error(PARAMETER_PROBLEM,
		      "You must specify \"--l7state\"");
}
/*
 * l7state_print_state - print the names of the states set in @statemask.
 *
 * Names are written in a fixed order, separated by commas, and followed by
 * one trailing space.
 */
static void l7state_print_state(unsigned int statemask)
{
	const char *sep = "";

	if (statemask & XT_L7STATE_BIT(IP_CT_L7NOINIT)) {
		printf("%sL7NOINIT", sep);
		sep = ",";
	}

	if (statemask & XT_L7STATE_BIT(IP_CT_L7UNKNOWN)) {
		printf("%sL7UNKNOWN", sep);
		sep = ",";
	}

	if (statemask & XT_L7STATE_BIT(IP_CT_L7ACCEPT)) {
		printf("%sL7ACCEPT", sep);
		sep = ",";
	}

	if (statemask & XT_L7STATE_BIT(IP_CT_L7DROP)) {
		printf("%sL7DROP", sep);
		sep = ",";
	}

	if (statemask & XT_L7STATE_BIT(IP_CT_L7CONTINUE)) {
		printf("%sL7CONTINUE", sep);
		sep = ",";
	}

	printf(" ");
}
/* Rule listing: print the match name followed by its states. */
static void
l7state_print(const void *ip, const struct xt_entry_match *match,
	      int numeric)
{
	const struct xt_l7state_info *sinfo = (const void *)match->data;

	printf("l7state ");
	l7state_print_state(sinfo->statemask);
}
/* Rule dump: print the option in the form the parser accepts. */
static void l7state_save(const void *ip,
			 const struct xt_entry_match *match)
{
	const struct xt_l7state_info *sinfo = (const void *)match->data;

	printf("--l7state ");
	l7state_print_state(sinfo->statemask);
}
/* Extension descriptor handed to iptables; family-independent. */
static struct xtables_match l7state_match = {
	.family        = NFPROTO_UNSPEC,
	.name          = "l7state",
	.version       = XTABLES_VERSION,
	.size          = XT_ALIGN(sizeof(struct xt_l7state_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_l7state_info)),
	.help          = l7state_help,
	.parse         = l7state_parse,
	.final_check   = l7state_final_check,
	.print         = l7state_print,
	.save          = l7state_save,
	.extra_opts    = l7state_opts,
};
/* Shared-object entry point: register the extension with iptables. */
void _init(void)
{
	xtables_register_match(&l7state_match);
}
157
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
12.9. main.c
/∗∗ main . c∗ Copyright (C) 2010−2012 G. El ian Gidoni <geg@gnu . org>∗ 2012 Ed Wildgoose < l i s t s@w i l d g oo s e s . com>
∗∗ This f i l e i s part o f nDPI ,∗ an open source deep packet i n sp e c t i on∗ l i b r a r y based on the PACE technology by ipoque GmbH∗∗ This program i s f r e e so f tware ; you can r e d i s t r i b u t e i t and/ or∗ modify i t under the terms o f the GNU General Publ ic L i cense∗ as pub l i shed by the Free Software Foundation ; v e r s i on 2∗ o f the L icense .∗∗ This program i s d i s t r i b u t e d in the hope that i t w i l l be u se fu l ,∗ but WITHOUT ANY WARRANTY; without even the impl i ed warranty o f∗ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the∗ GNU General Publ ic L i cense f o r more d e t a i l s .∗∗ You should have r e c e i v ed a copy o f the GNU General Publ ic L i cense∗ along with t h i s program ; i f not , wr i t e to the Free Software∗ Foundation , Inc . , 51 Frankl in Street , F i f th Floor , Boston ,∗ MA 02110−1301 , USA.∗/
#inc lude <l i nux / ke rne l . h>#inc lude <l i nux / i n i t . h>#inc lude <l i nux /module . h>#inc lude <l i nux / ve r s i on . h>#inc lude <l i nux / n e t f i l t e r / x t ab l e s . h>#inc lude <l i nux / skbu f f . h>#inc lude <l i nux / ip . h>#inc lude <l i nux / tcp . h>#inc lude <l i nux /udp . h>#inc lude <l i nux / i f e t h e r . h>#inc lude <l i nux / rb t r e e . h>#inc lude <l i nux / k r e f . h>#inc lude <l i nux / time . h>
#inc lude <net / n e t f i l t e r / n f connt rack . h>#inc lude <net / n e t f i l t e r / n f connt rack ecache . h>
#inc lude ”ndpi main . h”#inc lude ” xt ndpi . h”
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("G. Elian Gidoni <geg@gnu.org>");
MODULE_DESCRIPTION("nDPI wrapper");
MODULE_ALIAS("ipt_ndpi");

/*
 * Layer-7 state slots. L7MAX is the number of slots in ct->l7.l7state[];
 * the other values are indices into it. Slots 0 and 1 are labelled
 * L7NOINIT and L7UNKNOWN by comments elsewhere in this file.
 */
#define L7MAX      5
#define L7ACCEPT   2
#define L7DROP     3
#define L7CONTINUE 4
/*
 * set_l7state - make @state the only layer-7 state set on @ct.
 *
 * Also clears the connection's limit option and action option.
 *
 * NOTE(review): field names are restored from a listing that lost its
 * underscores; confirm them against the patched nf_conntrack.h.
 */
static void set_l7state(struct nf_conn *ct, unsigned int state)
{
	unsigned int slot;

	ct->l7.limitoption = 0;	/* default limit option unset */
	ct->l7.actoption = 0;	/* default action option unset */

	/* exactly one slot ends up at 1: the state used for the packet decision */
	for (slot = 0; slot < L7MAX; slot++)
		ct->l7.l7state[slot] = (slot == state) ? 1 : 0;
}
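/*
 * counter_limit - packet-count window for layer-7 inspection.
 *
 * Returns true while the connection may still be inspected, false once the
 * configured number of packets (limitoption) has been used up. When the
 * window expires the connection is switched to L7DROP.
 *
 * The listing had `ct->l7.limit = 0;` directly after the first
 * `return true;`, where it can never execute. The dead statement is
 * removed; runtime behaviour is unchanged.
 * NOTE(review): if the counter was meant to be reset once an action is
 * already active, that reset has to move before the return. Confirm the
 * intent with the author.
 *
 * NOTE(review): field names are restored from a listing that lost its
 * underscores; confirm them against the patched nf_conntrack.h.
 */
static bool counter_limit(struct nf_conn *ct)
{
	/* a layer-7 action (accept, drop or continue) is already active */
	if (ct->l7.l7state[2] == 1
	    || ct->l7.l7state[3] == 1
	    || ct->l7.l7state[4] == 1)
		return true;

	if (ct->l7.limit == 0 && ct->l7.limitoption != 0) {
		/* first packet counted in the window */
		ct->l7.limit++;
		return true;
	}
	if (ct->l7.limitoption > ct->l7.limit) {
		/* still inside the window */
		ct->l7.limit++;
		return true;
	}
	if (ct->l7.limitoption == 0)
		return true;	/* no limit configured */

	/* window used up: drop the connection and restart the counter */
	set_l7state(ct, L7DROP);
	ct->l7.limit = 0;
	return false;
}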
159
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
/* flow tracking: one red-black tree node per tracked connection */
struct osdpi_flow_node {
	struct rb_node node;		/* linkage in osdpi_flow_root */
	struct nf_conn *ct;		/* tree key: the conntrack entry */
	/* result only, not used for flow identification */
	u32 detected_protocol;
	/* last pointer assigned at run time */
	struct ndpi_flow_struct *ndpi_flow;
};
/* id tracking: one red-black tree node per IP address seen */
struct osdpi_id_node {
	struct rb_node node;		/* linkage in osdpi_id_root */
	struct kref refcnt;		/* released through ndpi_id_release() */
	union nf_inet_addr ip;		/* tree key, compared with memcmp() */
	/* last pointer assigned at run time */
	struct ndpi_id_struct *ndpi_id;
};
/* Sizes of the per-id and per-flow nDPI state. */
static u32 size_id_struct = 0;
static u32 size_flow_struct = 0;

/* Lookup trees for flows (keyed by conntrack pointer) and ids (keyed by IP). */
static struct rb_root osdpi_flow_root = RB_ROOT;
static struct rb_root osdpi_id_root = RB_ROOT;

/* Slab caches the tree nodes are allocated from. */
static struct kmem_cache *osdpi_flow_cache __read_mostly;
static struct kmem_cache *osdpi_id_cache __read_mostly;

/* Protocols currently requested by rules, with a use count per protocol. */
static NDPI_PROTOCOL_BITMASK protocols_bitmask;
static atomic_t protocols_cnt[NDPI_LAST_IMPLEMENTED_PROTOCOL];

/* flow_lock guards the flow tree, id_lock the id tree, ipq_lock the detector. */
DEFINE_SPINLOCK(flow_lock);
DEFINE_SPINLOCK(id_lock);
DEFINE_SPINLOCK(ipq_lock);

/* detection */
static struct ndpi_detection_module_struct *ndpi_struct = NULL;
static u32 detection_tick_resolution = 1000;
/∗ debug func t i on s ∗/
160
Proyecto Fin de Carrera Departamento de Ingenierıa Telematica
/*
 * debug_printf - log callback with the signature nDPI expects.
 *
 * Messages at ERROR, TRACE and DEBUG level are forwarded to vprintk();
 * any other level is ignored. @protocol and @id_struct are unused.
 */
static void debug_printf(u32 protocol, void *id_struct,
			 ndpi_log_level_t log_level,
			 const char *format, ...)
{
	va_list args;

	va_start(args, format);
	if (log_level == NDPI_LOG_ERROR ||
	    log_level == NDPI_LOG_TRACE ||
	    log_level == NDPI_LOG_DEBUG)
		vprintk(format, args);
	va_end(args);
}
/*
 * malloc_wrapper - allocation callback with a malloc-like signature.
 *
 * NOTE(review): GFP_KERNEL may sleep. The callers are not visible here;
 * if this can be reached while a spin_lock_bh() section is held, the
 * allocation needs GFP_ATOMIC. Confirm.
 */
static void *malloc_wrapper(unsigned long size)
{
	void *mem = kmalloc(size, GFP_KERNEL);

	return mem;
}
/* free_wrapper - release memory through kfree(). */
static void free_wrapper(void *freeable)
{
	kfree(freeable);
}
/*
 * ndpi_flow_search - find the flow node for a conntrack entry.
 *
 * The tree is ordered by the numeric value of the conntrack pointer.
 * Returns the node, or NULL when @ct has no node. This function takes no
 * lock itself.
 */
static struct osdpi_flow_node *
ndpi_flow_search(struct rb_root *root, struct nf_conn *ct)
{
	struct rb_node *cur;

	for (cur = root->rb_node; cur != NULL; ) {
		struct osdpi_flow_node *entry =
			rb_entry(cur, struct osdpi_flow_node, node);

		if (ct == entry->ct)
			return entry;
		cur = (ct < entry->ct) ? cur->rb_left : cur->rb_right;
	}

	return NULL;
}
/*
 * ndpi_flow_insert - link a flow node into the tree.
 *
 * Returns 1 when @data was inserted and 0 when a node with the same
 * conntrack pointer already exists (the tree is then left unchanged).
 */
static int
ndpi_flow_insert(struct rb_root *root, struct osdpi_flow_node *data)
{
	struct rb_node **link = &(root->rb_node);
	struct rb_node *parent = NULL;

	while (*link) {
		struct osdpi_flow_node *entry =
			rb_entry(*link, struct osdpi_flow_node, node);

		parent = *link;
		if (data->ct == entry->ct)
			return 0;
		if (data->ct < entry->ct)
			link = &((*link)->rb_left);
		else
			link = &((*link)->rb_right);
	}

	rb_link_node(&data->node, parent, link);
	rb_insert_color(&data->node, root);

	return 1;
}
/*
 * ndpi_id_search - find the id node for an IP address.
 *
 * Keys are compared with memcmp() over the whole union nf_inet_addr.
 * Returns the node, or NULL when the address has no node. This function
 * takes no lock itself.
 */
static struct osdpi_id_node *
ndpi_id_search(struct rb_root *root, union nf_inet_addr *ip)
{
	struct rb_node *cur = root->rb_node;

	while (cur) {
		struct osdpi_id_node *entry =
			rb_entry(cur, struct osdpi_id_node, node);
		int order = memcmp(ip, &entry->ip,
				   sizeof(union nf_inet_addr));

		if (order == 0)
			return entry;
		cur = (order < 0) ? cur->rb_left : cur->rb_right;
	}

	return NULL;
}
/*
 * ndpi_id_insert - link an id node into the tree.
 *
 * Returns 1 when @data was inserted and 0 when a node with the same
 * address already exists (the tree is then left unchanged).
 */
static int
ndpi_id_insert(struct rb_root *root, struct osdpi_id_node *data)
{
	struct rb_node **link = &(root->rb_node);
	struct rb_node *parent = NULL;

	while (*link) {
		struct osdpi_id_node *entry =
			rb_entry(*link, struct osdpi_id_node, node);
		int order = memcmp(&data->ip, &entry->ip,
				   sizeof(union nf_inet_addr));

		parent = *link;
		if (order == 0)
			return 0;
		if (order < 0)
			link = &((*link)->rb_left);
		else
			link = &((*link)->rb_right);
	}

	rb_link_node(&data->node, parent, link);
	rb_insert_color(&data->node, root);

	return 1;
}
/*
 * ndpi_id_release - kref release callback for an id node.
 *
 * Unlinks the node from osdpi_id_root and returns it to its slab cache.
 * The one caller visible in this file, ndpi_free_id(), invokes it through
 * kref_put() while holding id_lock.
 */
static void
ndpi_id_release(struct kref *kref)
{
	struct osdpi_id_node *id =
		container_of(kref, struct osdpi_id_node, refcnt);

	rb_erase(&id->node, &osdpi_id_root);
	kmem_cache_free(osdpi_id_cache, id);
}
/*
 * ndpi_alloc_flow - return the flow node for @ct, creating it if needed.
 *
 * Search and insertion happen under flow_lock. Returns NULL when the
 * atomic allocation fails.
 *
 * The nDPI flow state is placed directly behind the node: ndpi_flow is set
 * to the address just past the ndpi_flow member itself.
 * NOTE(review): this relies on the slab cache object being larger than the
 * node struct; the cache creation is not visible here. Confirm its size.
 */
static struct osdpi_flow_node *
ndpi_alloc_flow(struct nf_conn *ct)
{
	struct osdpi_flow_node *flow;

	spin_lock_bh(&flow_lock);

	flow = ndpi_flow_search(&osdpi_flow_root, ct);
	if (flow == NULL) {
		flow = kmem_cache_zalloc(osdpi_flow_cache, GFP_ATOMIC);
		if (flow == NULL) {
			pr_err("xt_ndpi: couldn't allocate new flow.\n");
		} else {
			flow->ct = ct;
			flow->ndpi_flow = (struct ndpi_flow_struct *)
				((char *)&flow->ndpi_flow +
				 sizeof(flow->ndpi_flow));
			ndpi_flow_insert(&osdpi_flow_root, flow);
		}
	}

	spin_unlock_bh(&flow_lock);

	return flow;
}
/*
 * ndpi_free_flow - drop the flow node of @ct, if one exists.
 *
 * Runs under flow_lock; a connection without a node is a no-op.
 */
static void
ndpi_free_flow(struct nf_conn *ct)
{
	struct osdpi_flow_node *victim;

	spin_lock_bh(&flow_lock);
	victim = ndpi_flow_search(&osdpi_flow_root, ct);
	if (victim) {
		rb_erase(&victim->node, &osdpi_flow_root);
		kmem_cache_free(osdpi_flow_cache, victim);
	}
	spin_unlock_bh(&flow_lock);
}
/*
 * ndpi_alloc_id - return the id node for @ip, creating it if needed.
 *
 * Under id_lock: an existing node gets an extra reference (kref_get); a
 * new node is allocated atomically, initialised with one reference and
 * inserted. Returns NULL when the allocation fails.
 *
 * The nDPI id state is placed directly behind the node, the same layout
 * ndpi_alloc_flow() uses for flows.
 */
static struct osdpi_id_node *
ndpi_alloc_id(union nf_inet_addr *ip)
{
	struct osdpi_id_node *id;

	spin_lock_bh(&id_lock);

	id = ndpi_id_search(&osdpi_id_root, ip);
	if (id != NULL) {
		kref_get(&id->refcnt);
		goto unlock;
	}

	id = kmem_cache_zalloc(osdpi_id_cache, GFP_ATOMIC);
	if (id == NULL) {
		pr_err("xt_ndpi: couldn't allocate new id.\n");
		goto unlock;
	}

	memcpy(&id->ip, ip, sizeof(union nf_inet_addr));
	id->ndpi_id = (struct ndpi_id_struct *)
		((char *)&id->ndpi_id + sizeof(id->ndpi_id));
	kref_init(&id->refcnt);
	ndpi_id_insert(&osdpi_id_root, id);

unlock:
	spin_unlock_bh(&id_lock);

	return id;
}
/*
 * ndpi_free_id - drop one reference on the id node of @ip.
 *
 * Under id_lock; the node is destroyed by ndpi_id_release() when the last
 * reference goes away. An address without a node is a no-op.
 */
static void
ndpi_free_id(union nf_inet_addr *ip)
{
	struct osdpi_id_node *found;

	spin_lock_bh(&id_lock);
	found = ndpi_id_search(&osdpi_id_root, ip);
	if (found)
		kref_put(&found->refcnt, ndpi_id_release);
	spin_unlock_bh(&id_lock);
}
/*
 * ndpi_enable_protocols - account for the protocols a rule asks for.
 *
 * For every protocol set in info->flags: bump its use count, set it in the
 * global bitmask and push the bitmask to the detector, all under ipq_lock.
 * protocols_cnt[] is indexed from 0, protocol numbers start at 1.
 */
static void
ndpi_enable_protocols(const struct xt_ndpi_mtinfo *info)
{
	int proto;

	for (proto = 1; proto <= NDPI_LAST_IMPLEMENTED_PROTOCOL; proto++) {
		if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, proto) == 0)
			continue;

		spin_lock_bh(&ipq_lock);
		atomic_inc(&protocols_cnt[proto - 1]);
		NDPI_ADD_PROTOCOL_TO_BITMASK(protocols_bitmask, proto);
		ndpi_set_protocol_detection_bitmask2(ndpi_struct,
						     &protocols_bitmask);
		spin_unlock_bh(&ipq_lock);
	}
}
/*
 * ndpi_disable_protocols - undo ndpi_enable_protocols() for one rule.
 *
 * For every protocol set in info->flags the use count is decremented; when
 * it reaches zero the protocol is cleared from the global bitmask and the
 * detector is updated. Each protocol is handled under ipq_lock.
 */
static void
ndpi_disable_protocols(const struct xt_ndpi_mtinfo *info)
{
	int proto;

	for (proto = 1; proto <= NDPI_LAST_IMPLEMENTED_PROTOCOL; proto++) {
		if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, proto) == 0)
			continue;

		spin_lock_bh(&ipq_lock);
		if (atomic_dec_and_test(&protocols_cnt[proto - 1])) {
			NDPI_DEL_PROTOCOL_FROM_BITMASK(protocols_bitmask,
						       proto);
			ndpi_set_protocol_detection_bitmask2(ndpi_struct,
							     &protocols_bitmask);
		}
		spin_unlock_bh(&ipq_lock);
	}
}
/*
 * Conntrack event hook, in two variants selected by kernel version.
 *
 * On a DESTROY event the handler drops one reference on the id nodes of
 * the connection's original source and destination address and frees the
 * connection's flow node. The untracked pseudo-connection is skipped.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static int
ndpi_conntrack_event(struct notifier_block *this, unsigned long ev,
		     void *data)
{
	struct nf_conn *ct = (struct nf_conn *) data;
	union nf_inet_addr *src, *dst;

	if (ct == &nf_conntrack_untracked)
		return NOTIFY_DONE;

	if (!(ev & IPCT_DESTROY))
		return NOTIFY_DONE;

	src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
	dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

	ndpi_free_id(src);
	ndpi_free_id(dst);
	ndpi_free_flow(ct);

	return NOTIFY_DONE;
}

static struct notifier_block
osdpi_notifier = {
	.notifier_call = ndpi_conntrack_event,
};
#else
static int
ndpi_conntrack_event(unsigned int events, struct nf_ct_event *item)
{
	struct nf_conn *ct = item->ct;
	union nf_inet_addr *src, *dst;

	if (ct == &nf_conntrack_untracked)
		return 0;

	/* from 2.6.28 on, IPCT_DESTROY is a bit number, not a mask */
	if (!(events & (1 << IPCT_DESTROY)))
		return 0;

	src = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
	dst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;

	ndpi_free_id(src);
	ndpi_free_id(dst);
	ndpi_free_flow(ct);

	return 0;
}

static struct nf_ct_event_notifier
osdpi_notifier = {
	.fcn = ndpi_conntrack_event,
};
#endif
/*
 * ndpi_process_packet - run nDPI detection on one packet.
 * @ct:     conntrack entry of the packet.
 * @time:   timestamp in detection ticks.
 * @iph:    start of the IP header.
 * @ipsize: number of bytes available from @iph.
 *
 * Looks up (or creates) the flow node and the source/destination id nodes,
 * then calls the detector under ipq_lock and stores the result in the flow.
 * Returns the detected protocol, or NDPI_PROTOCOL_UNKNOWN when a node
 * cannot be allocated.
 *
 * NOTE(review): each lookup releases its lock before the node is used. The
 * DESTROY event handler frees flow nodes and drops id references under the
 * same locks, so a node could be freed between the lookup and the detector
 * call. Ids found by the plain search are also used without taking a
 * reference, while every connection teardown drops one per address.
 * Confirm the lifetime rules before relying on this under load.
 */
static u32
ndpi_process_packet(struct nf_conn *ct, const uint64_t time,
		    const struct iphdr *iph, uint16_t ipsize)
{
	u32 proto = NDPI_PROTOCOL_UNKNOWN;
	union nf_inet_addr *ipsrc, *ipdst;
	struct osdpi_id_node *src, *dst;
	struct osdpi_flow_node *flow;

	/* flow node */
	spin_lock_bh(&flow_lock);
	flow = ndpi_flow_search(&osdpi_flow_root, ct);
	spin_unlock_bh(&flow_lock);
	if (flow == NULL)
		flow = ndpi_alloc_flow(ct);
	if (flow == NULL)
		return proto;

	/* source id node */
	ipsrc = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3;
	spin_lock_bh(&id_lock);
	src = ndpi_id_search(&osdpi_id_root, ipsrc);
	spin_unlock_bh(&id_lock);
	if (src == NULL)
		src = ndpi_alloc_id(ipsrc);
	if (src == NULL)
		return proto;

	/* destination id node */
	ipdst = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3;
	spin_lock_bh(&id_lock);
	dst = ndpi_id_search(&osdpi_id_root, ipdst);
	spin_unlock_bh(&id_lock);
	if (dst == NULL)
		dst = ndpi_alloc_id(ipdst);
	if (dst == NULL)
		return proto;

	/* here the actual detection is performed */
	spin_lock_bh(&ipq_lock);
	proto = ndpi_detection_process_packet(ndpi_struct,
					      flow->ndpi_flow,
					      (uint8_t *) iph, ipsize,
					      time, src->ndpi_id,
					      dst->ndpi_id);
	flow->detected_protocol = proto;
	spin_unlock_bh(&ipq_lock);

	return proto;
}
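/*
 * ndpi_mt - xtables match callback of the nDPI wrapper.
 *
 * A non-linear skb is copied into a linear one before inspection. The
 * first packet seen on a connection only moves it from L7NOINIT to
 * L7UNKNOWN. Later packets are passed to nDPI while counter_limit()
 * allows it; when the detected protocol is one the rule asks for, the
 * action stored on the connection (accept, drop or continue) is applied
 * through set_l7state().
 *
 * Returns false when the packet has no usable conntrack entry, when the
 * linear copy cannot be allocated, or when the inspection window has
 * expired; true otherwise.
 *
 * Fix: three paths returned without freeing the linear copy (untracked
 * connection, first packet of a connection, expired window). Every
 * non-linear packet on those paths leaked one skb, so ordinary traffic
 * could exhaust kernel memory. All exits after the copy now go through one
 * cleanup label.
 *
 * NOTE(review): the result is true whether or not the detected protocol
 * matches info->flags, as in the listing. Confirm this is intended.
 * NOTE(review): pr_info() on the packet path is not rate limited.
 * NOTE(review): ct->l7 field names are restored from a listing that lost
 * its underscores; confirm them against the patched nf_conntrack.h.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
ndpi_mt(const struct sk_buff *skb,
	const struct net_device *in,
	const struct net_device *out,
	const struct xt_match *match,
	const void *matchinfo,
	int offset,
	unsigned int protoff,
	bool *hotdrop)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
ndpi_mt(const struct sk_buff *skb, const struct xt_match_param *par)
#else
static bool
ndpi_mt(const struct sk_buff *skb, struct xt_action_param *par)
#endif
{
	u32 proto;
	u64 time;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
	const struct xt_ndpi_mtinfo *info = matchinfo;
#else
	const struct xt_ndpi_mtinfo *info = par->matchinfo;
#endif
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	struct timeval tv;
	struct sk_buff *linearized_skb = NULL;
	const struct sk_buff *skb_use = NULL;
	bool ret = false;

	if (skb_is_nonlinear(skb)) {
		linearized_skb = skb_copy(skb, GFP_ATOMIC);
		if (linearized_skb == NULL) {
			pr_info("xt_ndpi: linearization failed.\n");
			return false;
		}
		skb_use = linearized_skb;
	} else {
		skb_use = skb;
	}

	ct = nf_ct_get(skb_use, &ctinfo);
	if (ct == NULL)
		goto out;

#if LINUX_VERSION_CODE < KERNEL_VERSION(3,0,0)
	if (nf_ct_is_untracked(skb)) {
#else
	if (nf_ct_is_untracked(ct)) {
#endif
		pr_info("xt_ndpi: ignoring untracked sk_buff.\n");
		goto out;
	}

	do_gettimeofday(&tv);
	time = ((uint64_t) tv.tv_sec) * detection_tick_resolution +
		tv.tv_usec / (1000000 / detection_tick_resolution);

	/* first time we load ndpi module, we change layer 7 state and exit */
	if (ct->l7.l7state[0] == 1) {
		ct->l7.l7state[0] = 0;	/* L7NOINIT false */
		ct->l7.l7state[1] = 1;	/* L7UNKNOWN true */
		ret = true;
		goto out;
	}

	if (counter_limit(ct) != true)
		goto out;	/* window length expired */

	/* process the packet */
	proto = ndpi_process_packet(ct, time, ip_hdr(skb_use), skb_use->len);

	if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(info->flags, proto) != 0) {
		/* match: a policy action has been required for a layer 7 packet */
		switch (ct->l7.actoption) {
		case 1:	/* L7ACCEPT */
			if (ct->l7.actionflag != 0)
				set_l7state(ct, L7ACCEPT);
			break;
		case 2:	/* L7DROP */
			if (ct->l7.actionflag != 0)
				set_l7state(ct, L7DROP);
			break;
		case 3:	/* L7CONTINUE */
			if (ct->l7.actionflag != 0)
				set_l7state(ct, L7CONTINUE);
			break;
		default:
			/* no action required yet or action is set */
			break;
		}
	}
	/* no match: the connection keeps its L7UNKNOWN state */
	ret = true;

out:
	if (linearized_skb != NULL)
		kfree_skb(linearized_skb);
	return ret;
}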
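/*
 * ndpi_mt_check - checkentry hook: validate a new "ndpi" rule.
 *
 * Rejects a rule whose protocol bitmask is empty, takes a reference on the
 * conntrack L3 protocol module for the rule's family and enables the
 * selected protocols through ndpi_enable_protocols().
 *
 * Fix: the conntrack reference is now taken before the protocols are
 * enabled. The original enabled them first, so a failed
 * nf_ct_l3proto_try_module_get() left them enabled for a rule that was
 * never installed (ndpi_mt_destroy is the only caller of
 * ndpi_disable_protocols in this listing).
 *
 * Return type follows the kernel API in use: bool before 2.6.35,
 * 0 / negative errno afterwards.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
ndpi_mt_check(const char *tablename,
	      const void *ip,
	      const struct xt_match *match,
	      void *matchinfo,
	      unsigned int hook_mask)
{
	const struct xt_ndpi_mtinfo *info = matchinfo;

	if (NDPI_BITMASK_IS_ZERO(info->flags)) {
		pr_info("None selected protocol.\n");
		return false;
	}

	if (nf_ct_l3proto_try_module_get(match->family) != 0)
		return false;

	ndpi_enable_protocols(info);
	return true;
}
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
ndpi_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_ndpi_mtinfo *info = par->matchinfo;

	if (NDPI_BITMASK_IS_ZERO(info->flags)) {
		pr_info("None selected protocol.\n");
		return false;
	}

	if (nf_ct_l3proto_try_module_get(par->family) != 0)
		return false;

	ndpi_enable_protocols(info);
	return true;
}
#else
static int
ndpi_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_ndpi_mtinfo *info = par->matchinfo;
	int ret;

	if (NDPI_BITMASK_IS_ZERO(info->flags)) {
		pr_info("None selected protocol.\n");
		return -EINVAL;
	}

	ret = nf_ct_l3proto_try_module_get(par->family);
	if (ret != 0)
		return ret;

	ndpi_enable_protocols(info);
	return 0;
}
#endif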
/*
 * ndpi_mt_destroy - destroy hook: undo what ndpi_mt_check set up.
 *
 * Disables the rule's protocols and drops the conntrack L3 protocol module
 * reference for the rule's family. The two variants differ only in how the
 * kernel hands over the match info and family.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static void
ndpi_mt_destroy(const struct xt_match *match, void *matchinfo)
{
	const struct xt_ndpi_mtinfo *rule_info = matchinfo;

	ndpi_disable_protocols(rule_info);
	nf_ct_l3proto_module_put(match->family);
}
#else
static void
ndpi_mt_destroy(const struct xt_mtdtor_param *par)
{
	const struct xt_ndpi_mtinfo *rule_info = par->matchinfo;

	ndpi_disable_protocols(rule_info);
	nf_ct_l3proto_module_put(par->family);
}
#endif
/*
 * ndpi_cleanup - release everything ndpi_mt_init allocated.
 *
 * Shuts down the nDPI detection module, unregisters the conntrack notifier,
 * then empties the flow and id red-black trees and destroys their slab
 * caches. Every node is erased and freed before its cache is destroyed.
 */
static void ndpi_cleanup(void)
{
	struct rb_node *cur;
	struct rb_node *following;
	struct osdpi_id_node *id;
	struct osdpi_flow_node *flow;

	ndpi_exit_detection_module(ndpi_struct, free_wrapper);

#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
	nf_conntrack_unregister_notifier(&osdpi_notifier);
#else
	nf_conntrack_unregister_notifier(&init_net, &osdpi_notifier);
#endif

	/* free all objects before destroying caches */
	for (cur = rb_first(&osdpi_flow_root); cur; cur = following) {
		flow = rb_entry(cur, struct osdpi_flow_node, node);
		/* fetch the successor before the node is unlinked */
		following = rb_next(&flow->node);
		rb_erase(&flow->node, &osdpi_flow_root);
		kmem_cache_free(osdpi_flow_cache, flow);
	}
	kmem_cache_destroy(osdpi_flow_cache);

	for (cur = rb_first(&osdpi_id_root); cur; cur = following) {
		id = rb_entry(cur, struct osdpi_id_node, node);
		following = rb_next(&id->node);
		rb_erase(&id->node, &osdpi_id_root);
		kmem_cache_free(osdpi_id_cache, id);
	}
	kmem_cache_destroy(osdpi_id_cache);
}
/*
 * xtables registration record for the "ndpi" match (IPv4 only): wires the
 * match, checkentry and destroy callbacks and declares the size of the
 * per-rule data exchanged with userspace.
 */
static struct xt_match
ndpi_mt_reg __read_mostly = {
	.name       = "ndpi",
	.revision   = 0,
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
	.family     = AF_INET,
#else
	.family     = NFPROTO_IPV4,
#endif
	.matchsize  = sizeof(struct xt_ndpi_mtinfo),
	.checkentry = ndpi_mt_check,
	.match      = ndpi_mt,
	.destroy    = ndpi_mt_destroy,
	.me         = THIS_MODULE,
};
/*
 * ndpi_mt_init - module entry point.
 *
 * Creates the global nDPI detection structure with every protocol disabled,
 * allocates the slab caches for flow and id tracking, registers the
 * conntrack notifier and finally registers the "ndpi" match. Each failure
 * unwinds what was set up before it and returns a negative errno.
 */
static int __init ndpi_mt_init(void)
{
	int ret, i;

	pr_info("xt_ndpi 0.1 (nDPI wrapper module).\n");

	/* init global detection structure */
	ndpi_struct = ndpi_init_detection_module(detection_tick_resolution,
						 malloc_wrapper,
						 free_wrapper,
						 (void *)debug_printf);
	if (!ndpi_struct) {
		pr_err("xt_ndpi: global structure initialization failed.\n");
		ret = -ENOMEM;
		goto err_out;
	}

	i = 0;
	while (i < NDPI_LAST_IMPLEMENTED_PROTOCOL) {
		atomic_set(&protocols_cnt[i], 0);
		i++;
	}

	/* disable all protocols */
	NDPI_BITMASK_RESET(protocols_bitmask);
	ndpi_set_protocol_detection_bitmask2(ndpi_struct, &protocols_bitmask);

	/* allocate memory for id and flow tracking */
	size_id_struct = ndpi_detection_get_sizeof_ndpi_id_struct();
	size_flow_struct = ndpi_detection_get_sizeof_ndpi_flow_struct();

	osdpi_flow_cache = kmem_cache_create("xt_ndpi_flows",
			sizeof(struct osdpi_flow_node) + size_flow_struct,
			0, 0, NULL);
	if (osdpi_flow_cache == NULL) {
		pr_err("xt_ndpi: error creating flow cache.\n");
		ret = -ENOMEM;
		goto err_ipq;
	}

	osdpi_id_cache = kmem_cache_create("xt_ndpi_ids",
			sizeof(struct osdpi_id_node) + size_id_struct,
			0, 0, NULL);
	if (osdpi_id_cache == NULL) {
		pr_err("xt_ndpi: error creating ids cache.\n");
		ret = -ENOMEM;
		goto err_flow;
	}

#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
	ret = nf_conntrack_register_notifier(&osdpi_notifier);
#else
	ret = nf_conntrack_register_notifier(&init_net, &osdpi_notifier);
#endif
	if (ret < 0) {
		pr_err("xt_ndpi: error registering notifier.\n");
		goto err_id;
	}

	ret = xt_register_match(&ndpi_mt_reg);
	if (ret != 0) {
		pr_err("xt_ndpi: error registering ndpi match.\n");
		/* everything is set up at this point, so the full
		 * teardown routine is used instead of the labels below */
		ndpi_cleanup();
	}

	return ret;

err_id:
	kmem_cache_destroy(osdpi_id_cache);
err_flow:
	kmem_cache_destroy(osdpi_flow_cache);
err_ipq:
	ndpi_exit_detection_module(ndpi_struct, free_wrapper);
err_out:
	return ret;
}
/*
 * ndpi_mt_exit - module exit point: unregister the "ndpi" match first so no
 * new packet reaches ndpi_mt, then release all module resources.
 */
static void __exit ndpi_mt_exit(void)
{
	pr_info("xt_ndpi 1.2 unload.\n");

	xt_unregister_match(&ndpi_mt_reg);

	ndpi_cleanup();
}

module_init(ndpi_mt_init);
module_exit(ndpi_mt_exit);
12.10. xt_ndpicontrol.c
#inc lude <l i nux /module . h>#inc lude <l i nux / skbu f f . h>#inc lude <net / n e t f i l t e r / n f connt rack . h>#inc lude <l i nux / n e t f i l t e r / x t ab l e s . h>#inc lude <l i nux / n e t f i l t e r / x t ndp i c on t r o l . h>
/* Module metadata; the aliases let the module be resolved from either the
 * iptables or the ip6tables match name. */
MODULE_DESCRIPTION("ip[6]tables auxiliary module for redBorder ndpi");
MODULE_AUTHOR("Sergio Millan Rodriguez<sermilrod@gmail.com>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ndpicontrol");
MODULE_ALIAS("ip6t_ndpicontrol");
/*
 * ndpicontrol_mt - match callback for the "ndpicontrol" match.
 *
 * Despite being a match, it writes to the packet's conntrack entry: a valid
 * rule action (1 = L7ACCEPT, 2 = L7DROP, 3 = L7CONTINUE) and a valid limit
 * (3..10) are copied into ct->l7 and their flags are raised. The action is
 * stored even when the limit turns out to be invalid.
 *
 * Returns true only when the packet has a conntrack entry and both the
 * action and the limit of the rule were valid.
 *
 * NOTE(review): the signature uses struct xt_match_param and has no kernel
 * version guard, unlike ndpi_mt in xt_ndpi.c - confirm the targeted kernel.
 * NOTE(review): the ct->l7 field names were recovered from a
 * whitespace-mangled listing; confirm their spelling against the patch.
 */
static bool
ndpicontrol_mt(const struct sk_buff *skb,
	       const struct xt_match_param *par)
{
	const struct xt_ndpicontrol_info *info = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	bool action_ok = false;
	bool limit_ok = false;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct == NULL)
		return false;

	switch (info->action) {
	case 1: /* L7ACCEPT */
	case 2: /* L7DROP */
	case 3: /* L7CONTINUE */
		ct->l7.actoption = info->action;
		ct->l7.action_flag = 1;
		action_ok = true;
		break;
	default:
		break;
	}

	switch (info->limit) {
	case 3:
	case 4:
	case 5:
	case 6:
	case 7:
	case 8:
	case 9:
	case 10:
		ct->l7.limitoption = info->limit;
		ct->l7.limit_flag = 1;
		limit_ok = true;
		break;
	default:
		break;
	}

	return action_ok && limit_ok;
}
/*
 * ndpicontrol_mt_check - checkentry hook: a rule is accepted only if the
 * conntrack L3 protocol module for the match's family can be loaded,
 * because the match callback needs a conntrack entry to work on.
 */
static bool ndpicontrol_mt_check(const struct xt_mtchk_param *par)
{
	if (nf_ct_l3proto_try_module_get(par->match->family) >= 0)
		return true;

	printk(KERN_WARNING "can't load conntrack support for "
			    "proto=%u\n", par->match->family);
	return false;
}
/*
 * ndpicontrol_mt_destroy - destroy hook: drop the conntrack L3 protocol
 * module reference taken by ndpicontrol_mt_check.
 */
static void
ndpicontrol_mt_destroy(const struct xt_mtdtor_param *par)
{
	nf_ct_l3proto_module_put(par->match->family);
}
/*
 * Registration records for the "ndpicontrol" match: the same callbacks are
 * registered once for IPv4 and once for IPv6.
 */
static struct xt_match ndpicontrol_mt_reg[] __read_mostly = {
	{
		.name       = "ndpicontrol",
		.family     = NFPROTO_IPV4,
		.matchsize  = sizeof(struct xt_ndpicontrol_info),
		.match      = ndpicontrol_mt,
		.checkentry = ndpicontrol_mt_check,
		.destroy    = ndpicontrol_mt_destroy,
		.me         = THIS_MODULE,
	},
	{
		.name       = "ndpicontrol",
		.family     = NFPROTO_IPV6,
		.matchsize  = sizeof(struct xt_ndpicontrol_info),
		.match      = ndpicontrol_mt,
		.checkentry = ndpicontrol_mt_check,
		.destroy    = ndpicontrol_mt_destroy,
		.me         = THIS_MODULE,
	},
};

/* Module entry point: register both address-family variants. */
static int __init ndpicontrol_mt_init(void)
{
	return xt_register_matches(ndpicontrol_mt_reg,
				   ARRAY_SIZE(ndpicontrol_mt_reg));
}

/* Module exit point: unregister both address-family variants. */
static void __exit ndpicontrol_mt_exit(void)
{
	xt_unregister_matches(ndpicontrol_mt_reg,
			      ARRAY_SIZE(ndpicontrol_mt_reg));
}

module_init(ndpicontrol_mt_init);
module_exit(ndpicontrol_mt_exit);
12.11. libxt_ndpicontrol.c
/∗ aux i l i a r y he lpe r f o r redBorder ndpi ∗/#inc lude <s t d i o . h>#inc lude <netdb . h>#inc lude <s t r i n g . h>#inc lude <s t d l i b . h>#inc lude <getopt . h>#inc lude <x tab l e s . h>#inc lude <l i nux / n e t f i l t e r / x t ndp i c on t r o l . h>
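/*
 * ndpicontrol_help - print the usage text shown by "iptables -m ndpicontrol -h".
 *
 * Fix: the text no longer advertises "[!]" negation, because
 * ndpicontrol_parse never reads its invert argument and the option data
 * carries no inversion flag; an administrator relying on "!" would get a
 * rule that behaves as if it were not negated. The unbalanced bracket after
 * L7CONTINUE and two misspellings are corrected as well.
 */
static void
ndpicontrol_help(void)
{
	printf("This module allows you to extend ndpi functions by setting the layer7"
	       " state to packet processing and establishing the acceptance window credit.\n"
	       "ndpicontrol match options:\n"
	       "  --action [L7ACCEPT|L7DROP|L7CONTINUE]\n"
	       "  --limit [3|4|5|6|7|8|9|10]\n");
}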
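/*
 * Long options understood by the ndpicontrol extension; .val is the
 * character handed to ndpicontrol_parse ('1' = --action, '2' = --limit).
 *
 * Fix: the table now ends with an all-zero entry. getopt_long and the
 * xtables option merger walk the array until they find a NULL name, so
 * without the terminator they read past the end of the array.
 */
static const struct option ndpicontrol_opts[] = {
	{ .name = "action", .has_arg = true, .val = '1' },
	{ .name = "limit",  .has_arg = true, .val = '2' },
	{ .name = NULL }
};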
/*
 * ndpicontrol_parse_action - translate the --action argument into its
 * numeric code (L7ACCEPT = 1, L7DROP = 2, L7CONTINUE = 3) and store it in
 * info->action. The comparison is exact and case-sensitive.
 *
 * Returns 1 when the name was recognised, 0 otherwise (info is untouched).
 */
static int
ndpicontrol_parse_action(const char *option,
			 struct xt_ndpicontrol_info *info)
{
	static const char *const action_names[] = {
		"L7ACCEPT", "L7DROP", "L7CONTINUE",
	};
	unsigned int idx;

	for (idx = 0; idx < sizeof(action_names) / sizeof(action_names[0]); idx++) {
		if (strcmp(option, action_names[idx]) == 0) {
			/* codes start at 1, table indices at 0 */
			info->action = idx + 1;
			return 1;
		}
	}
	return 0;
}
/*
 * ndpicontrol_parse_limit - translate the --limit argument into info->limit.
 *
 * Only the exact strings "3" .. "10" are accepted; anything else, including
 * forms such as "03" or "+3", is rejected.
 *
 * Returns 1 when the value was accepted, 0 otherwise (info is untouched).
 */
static int
ndpicontrol_parse_limit(const char *option,
			struct xt_ndpicontrol_info *info)
{
	static const char *const limit_names[] = {
		"3", "4", "5", "6", "7", "8", "9", "10",
	};
	unsigned int idx;

	for (idx = 0; idx < sizeof(limit_names) / sizeof(limit_names[0]); idx++) {
		if (strcmp(option, limit_names[idx]) == 0) {
			/* the table starts at the value 3 */
			info->limit = idx + 3;
			return 1;
		}
	}
	return 0;
}
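/* Bits kept in *flags so the final check can tell which options were given. */
#define NDPICONTROL_F_ACTION 0x1
#define NDPICONTROL_F_LIMIT  0x2

/*
 * ndpicontrol_parse - option parser called by iptables for each option of
 * the ndpicontrol match.
 *
 * c is the .val of the option ('1' = --action, '2' = --limit); the parsed
 * value is written into the match data. Returns 1 when the option was
 * consumed, 0 when it does not belong to this extension.
 *
 * Fixes:
 *  - "!" is rejected instead of being silently ignored: the match data has
 *    no inversion field, so a negated rule would otherwise be installed
 *    with the opposite meaning of what was written.
 *  - each option sets its own bit in *flags, so ndpicontrol_final_check can
 *    require both. The original stored 1 for either option, which let a
 *    rule with only one of them through even though its error text asks
 *    for both.
 */
static int
ndpicontrol_parse(int c, char **argv, int invert,
		  unsigned int *flags,
		  const void *entry,
		  struct xt_entry_match **match)
{
	struct xt_ndpicontrol_info *info = (void *)(*match)->data;

	switch (c) {
	case '1':
		if (invert)
			xtables_error(PARAMETER_PROBLEM,
				      "ndpicontrol: --action cannot be inverted\n");
		if (ndpicontrol_parse_action(optarg, info) == 0)
			xtables_error(PARAMETER_PROBLEM,
				      "Bad option provided. "
				      "You must specify --action [L7ACCEPT|L7DROP|L7CONTINUE]\n");
		*flags |= NDPICONTROL_F_ACTION;
		break;
	case '2':
		if (invert)
			xtables_error(PARAMETER_PROBLEM,
				      "ndpicontrol: --limit cannot be inverted\n");
		if (ndpicontrol_parse_limit(optarg, info) == 0)
			xtables_error(PARAMETER_PROBLEM,
				      "Bad option provided. "
				      "You must specify --limit [3|4|5|6|7|8|9|10]\n");
		*flags |= NDPICONTROL_F_LIMIT;
		break;
	default:
		return 0;
	}
	return 1;
}

/*
 * ndpicontrol_final_check - called once all options are parsed; aborts rule
 * creation unless both --action and --limit were supplied.
 */
static void ndpicontrol_final_check(unsigned int flags)
{
	const unsigned int required = NDPICONTROL_F_ACTION | NDPICONTROL_F_LIMIT;

	if ((flags & required) != required)
		xtables_error(PARAMETER_PROBLEM,
			      "You must specify: --action [L7ACCEPT|L7DROP|L7CONTINUE] "
			      "--limit [3|4|5|6|7|8|9|10]\n");
}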
/*
 * ndpicontrol_print - render the match for rule listings: prints the action
 * name and the limit stored in the match data. An action code outside 1..3
 * is reported through xtables_error.
 */
static void
ndpicontrol_print(const void *ip,
		  const struct xt_entry_match *match,
		  int numeric)
{
	const struct xt_ndpicontrol_info *info = (const void *)match->data;
	const char *action_name;

	switch (info->action) {
	case 1:
		action_name = "L7ACCEPT";
		break;
	case 2:
		action_name = "L7DROP";
		break;
	case 3:
		action_name = "L7CONTINUE";
		break;
	default:
		xtables_error(PARAMETER_PROBLEM,
			      "An error occurred when parsing arguments\n");
		return;
	}

	printf("ndpicontrol: --action %s --limit %d", action_name, info->limit);
}
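/*
 * ndpicontrol_save - emit the match options in the form iptables-save
 * writes and iptables-restore parses back.
 *
 * Fix: the original body was empty, so a saved ruleset contained
 * "-m ndpicontrol" without --action/--limit. Restoring it fails the
 * extension's final check, which means the firewall rules do not come back
 * after a reload. Values outside the ranges accepted by the parser are
 * skipped rather than printed.
 */
static void ndpicontrol_save(const void *ip,
			     const struct xt_entry_match *match)
{
	const struct xt_ndpicontrol_info *info = (const void *)match->data;

	if (info->action == 1)
		printf("--action L7ACCEPT ");
	else if (info->action == 2)
		printf("--action L7DROP ");
	else if (info->action == 3)
		printf("--action L7CONTINUE ");

	if (info->limit >= 3 && info->limit <= 10)
		printf("--limit %d ", info->limit);
}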
/*
 * Userspace descriptor of the ndpicontrol match. NFPROTO_UNSPEC makes the
 * same extension usable from iptables and ip6tables.
 */
static struct xtables_match ndpicontrol_match = {
	.name          = "ndpicontrol",
	.family        = NFPROTO_UNSPEC,
	.version       = XTABLES_VERSION,
	.size          = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_ndpicontrol_info)),
	.extra_opts    = ndpicontrol_opts,
	.help          = ndpicontrol_help,
	.parse         = ndpicontrol_parse,
	.final_check   = ndpicontrol_final_check,
	.print         = ndpicontrol_print,
	.save          = ndpicontrol_save,
};

/* Entry point run when the shared library is loaded: registers the match. */
void _init(void)
{
	xtables_register_match(&ndpicontrol_match);
}
12.12. copy_new_libxt.sh
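#!/bin/bash
# Build the iptables extensions and install the l7state and ndpicontrol
# shared libraries, then load the matching kernel modules.
# Run it from the root of the iptables source tree (paths are relative).
#
# Fix: the script now stops at the first failing step. Before, a failed
# build still copied whatever .so files were lying around and loaded the
# modules, leaving the firewall with mismatched userspace and kernel parts.

set -e

echo "Compiling libraries..."
make

echo "Copying the shared library libxt_l7state.so..."
cp -R extensions/libxt_l7state.so /lib/xtables-1.4.7/

echo "Copying the shared library libxt_ndpicontrol.so..."
cp -R extensions/libxt_ndpicontrol.so /lib/xtables-1.4.7/

depmod

echo "Checking module xt_l7state..."
modprobe xt_l7state

echo "Checking module xt_ndpicontrol..."
modprobe xt_ndpicontrol

echo "Done!"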
12.13. insert_iptables_files.sh
#!/bin/bash
# Copy the redBorder extension sources and headers into the iptables 1.4.7
# source tree, together with the script that builds and installs them.
# Run it from the directory that holds the files listed below.

IPTABLES_SRC=/usr/src/iptables-1.4.7

# Userspace extension sources.
for src_file in libxt_ndpicontrol.c libxt_l7state.c; do
  cp -R "$src_file" "$IPTABLES_SRC/extensions/"
done

# Headers shared with the kernel modules.
cp -R xt_l7state.h "$IPTABLES_SRC/include/linux/netfilter/"
for header in xt_ndpicontrol.h nf_conntrack_common.h; do
  cp -R "$header" "$IPTABLES_SRC/include/linux/netfilter"
done

# Build/installation helper, run later from the iptables tree.
cp -R copy_new_libxt.sh "$IPTABLES_SRC/"
12.14. insert_kernel_files.sh
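#!/bin/bash
# Copy the redBorder netfilter sources, headers and build files into the
# kernel source tree of the running kernel, then run copy_new_modules.sh
# from that tree.
# Run it from the directory that holds the files listed below.
#
# Fix: the kernel tree is checked before anything is copied and the cd
# before ./copy_new_modules.sh is guarded, so a missing tree no longer ends
# with the helper being looked up in the wrong directory. Expansions are
# quoted.

KERNEL_VERSION=$(uname -r)
KERNEL_SRC="/usr/src/linux-${KERNEL_VERSION}"

if [[ ! -d "$KERNEL_SRC" ]]; then
  echo "kernel source tree not found: $KERNEL_SRC" >&2
  exit 1
fi

# Netfilter sources (new matches and patched conntrack protocol trackers).
for src_file in xt_ndpicontrol.c xt_l7state.c nf_conntrack_proto_tcp.c \
  nf_conntrack_proto_udp.c nf_conntrack_proto_udplite.c; do
  cp -R "$src_file" "$KERNEL_SRC/net/netfilter/"
done

# Headers.
cp -R nf_conntrack.h "$KERNEL_SRC/include/net/netfilter/"
for header in nf_conntrack_common.h xt_l7state.h xt_ndpicontrol.h; do
  cp -R "$header" "$KERNEL_SRC/include/linux/netfilter/"
done

# Build configuration for the new modules.
cp -R Kconfig "$KERNEL_SRC/net/netfilter/"
cp -R Makefile "$KERNEL_SRC/net/netfilter/"

cp -R copy_new_modules.sh "$KERNEL_SRC/"

cd "$KERNEL_SRC" || exit 1
chmod u+x copy_new_modules.sh
./copy_new_modules.sh
cd /root/project/redBorder-ndpi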
12.15. install-redBorder-Stronghold.sh
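#!/bin/bash
# Fetch the CentOS 6.5 kernel sources for the running kernel, apply the
# redBorder nDPI patch, build the kernel and the new modules, then build
# and install the patched nDPI. Meant to be run as root.
#
# Fixes:
#  - "redBirder-ndpi" corrected to "redBorder-ndpi", the directory name used
#    everywhere else; with the typo the cd failed and insert_new_modules.sh
#    was looked up in the wrong directory.
#  - every cd that precedes a destructive or build step is guarded, so
#    "rm -rf include/asm" and "patch" cannot run in an unexpected directory.

######## First of all make sure to update the kernel to the latest version

KERNEL_VERSION=$(uname -r | sed "s/.i686//")

######## Prepare and compile kernel sources and insert redBorder-ndpi files ########

# Gathering libraries to build the kernel properly
yum install rng-tools.i686
yum install rpm-build redhat-rpm-config unifdef
yum install gcc patchutils xmlto asciidoc elfutils-libelf-devel \
  elfutils-devel zlib-devel binutils-devel newt-devel python-devel \
  audit-libs-devel bison flex hmaccalc perl-ExtUtils-Embed

# Download last kernel sources from the official website
# NOTE(review): the source RPM comes over plain HTTP; verify its signature
# (rpm -K, with the distribution key imported) before installing it.
cd || exit 1
wget "http://vault.centos.org/6.5/updates/Source/SPackages/kernel-${KERNEL_VERSION}.src.rpm"

# Install rpm packet downloaded
rpm -ivh "kernel-${KERNEL_VERSION}.src.rpm"

# Before we start, there is need to make system to gen gpg key by rng-tools
# NOTE(review): this feeds /dev/urandom back into the kernel entropy pool,
# so the entropy estimate no longer reflects real randomness. Treat keys
# generated while it runs as throw-away build keys only.
rngd -r /dev/urandom

# Prepare kernel sources
cd || exit 1
cd rpmbuild/SPECS || exit 1
rpmbuild -bp kernel.spec

# Moving sources to /usr/src
cp -R "/root/rpmbuild/BUILD/kernel-${KERNEL_VERSION}/linux-${KERNEL_VERSION}.i686" /usr/src/

# Patching kernel and activate new features in the kernel configuration
cd || exit 1
cd project/redBorder-ndpi/patch || exit 1
cp ndpi-2.6.32.patch /usr/src/
cd /usr/src/ || exit 1
patch -p0 < ndpi-2.6.32.patch
cd "linux-${KERNEL_VERSION}.i686/" || exit 1

# we need to remove include/asm to be able to compile kernel after the patch
rm -rf include/asm
make menuconfig
make
cd || exit 1
cd project/redBorder-ndpi/patch || exit 1
./insert_new_modules.sh

###### Prepare and compile redBorder-ndpi ########

# Allocating source code properly
cd /usr/src/ || exit 1
mkdir redBorder-ndpi
# NOTE(review): the link name was recovered from a whitespace-mangled
# listing; confirm it against the original script.
ln -s "linux-${KERNEL_VERSION}.i686/" linux-dpi_project
cd || exit 1
cd project/redBorder-ndpi/ || exit 1
cp -R nDPI/ /usr/src/redBorder-ndpi/
cp -R http.c /usr/src/redBorder-ndpi

# Installing patched nDPI
cd /usr/src/redBorder-ndpi/nDPI/ || exit 1
chmod u+x install_ndpi.sh
./install_ndpi.sh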
12.16. insert_new_modules.sh
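#!/bin/bash
# Install the freshly built netfilter modules for the running kernel and
# reload the conntrack / l7state / ndpicontrol modules.
# Run it from the directory that contains the "modules" folder.
#
# Fix: "rmmod nf_degrag_ipv4" named a module that does not exist; it is now
# nf_defrag_ipv4, the module loaded again a few lines below.
#
# NOTE(review): both firewalls are stopped for the duration of the swap and
# only iptables is restarted at the end, so IPv6 filtering stays off after
# this script. Run it with the host isolated and bring ip6tables back
# explicitly if IPv6 is in use.

KERNEL_VERSION=$(uname -r)

service iptables stop
service ip6tables stop

cp -R modules/* "/lib/modules/${KERNEL_VERSION}/extra"

rmmod nf_defrag_ipv4
rmmod ipt_REJECT
rmmod ip6t_REJECT

depmod -a

modprobe nf_defrag_ipv4
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe xt_l7state
modprobe xt_ndpicontrol

service iptables restart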
12.17. install-trafficgen.sh
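#!/bin/bash
# Install the traffic-generation tool chain used for testing: libpcap,
# libdnet, libpcapnav, tcpdump, tcpreplay, fprobe and flow-tools.
# Meant to be run as root; sources are built under /usr/src.
#
# Fix: each component's version is defined once and used for the download,
# the archive name and the build directory. The original fetched
# libpcap-1.3.0 but entered libpcap-1.5.3, fetched tcpdump-4.3.0 but
# unpacked tcpdump-4.5.1, and fetched tcpreplay-3.4.4 but unpacked
# tcpreplay-4.0.3, so those three builds could never run. The versions
# below are the ones from the download URLs; adjust them in one place.
#
# NOTE(review): every archive is fetched over plain HTTP and installed as
# root without any checksum or signature check. Record a known-good SHA-256
# per archive and verify it before the build step.

LIBPCAP_VERSION=1.3.0
LIBDNET_VERSION=1.11
LIBPCAPNAV_VERSION=0.8
TCPDUMP_VERSION=4.3.0
TCPREPLAY_VERSION=3.4.4
FPROBE_VERSION=1.1

#######################################
# Download a source archive, unpack it and run configure/make/make install.
# Arguments: $1 - download URL
#            $2 - local archive file name
#            $3 - tar extraction flags (xzf or xjf)
#            $4 - directory created by the archive
# Returns:   0 on success, non-zero at the first failing step
#######################################
build_from_tarball() {
  local url=$1 archive=$2 tar_flags=$3 src_dir=$4

  wget -O "$archive" "$url" &&
    tar "$tar_flags" "$archive" &&
    pushd "$src_dir" &&
    ./configure &&
    make &&
    make install &&
    popd
}

# Install the development tools
LANG=C yum groupinstall "Development tools" "Server Platform Development"
yum install wireshark
pushd /usr/src || exit 1

# libpcap
build_from_tarball \
  "http://www.tcpdump.org/release/libpcap-${LIBPCAP_VERSION}.tar.gz" \
  "libpcap-${LIBPCAP_VERSION}.tar.gz" xzf "libpcap-${LIBPCAP_VERSION}"

# libdnet, libpcapnav, tcpdump
build_from_tarball \
  "http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-${LIBDNET_VERSION}/libdnet-${LIBDNET_VERSION}.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1349957140&use_mirror=freefr" \
  "libdnet-${LIBDNET_VERSION}.tar.gz" xzf "libdnet-${LIBDNET_VERSION}"

build_from_tarball \
  "http://downloads.sourceforge.net/netdude/libpcapnav-${LIBPCAPNAV_VERSION}.tar.gz" \
  "libpcapnav-${LIBPCAPNAV_VERSION}.tar.gz" xzf "libpcapnav-${LIBPCAPNAV_VERSION}"

build_from_tarball \
  "http://www.tcpdump.org/release/tcpdump-${TCPDUMP_VERSION}.tar.gz" \
  "tcpdump-${TCPDUMP_VERSION}.tar.gz" xzf "tcpdump-${TCPDUMP_VERSION}"

# tcpreplay
build_from_tarball \
  "http://downloads.sourceforge.net/project/tcpreplay/tcpreplay/${TCPREPLAY_VERSION}/tcpreplay-${TCPREPLAY_VERSION}.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ftcpreplay%2F&ts=1349955503&use_mirror=freefr" \
  "tcpreplay-${TCPREPLAY_VERSION}.tar.gz" xzf "tcpreplay-${TCPREPLAY_VERSION}"

# fprobe
build_from_tarball \
  "http://downloads.sourceforge.net/project/fprobe/fprobe/${FPROBE_VERSION}/fprobe-${FPROBE_VERSION}.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ffprobe%2F&ts=1389265446&use_mirror=cznic" \
  "fprobe-${FPROBE_VERSION}.tar.bz2" xjf "fprobe-${FPROBE_VERSION}"

popd

# flow-tools (from EPEL)
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install flow-tools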