Layer7与IPP2P的问题

lan_6373836 2010-03-15 03:06:03
L7的源码看了一遍也没有发现它是检测10多个包的,只检测10个包在代码的什么地方体现呢?IPP2P的检测每一个包又在哪里体现呢?我想在L7的基础上做一个每个包都检测的程序,如何实现呢?请知道的朋友帮帮忙给个思路?谢了!
lan_6373836 2010-12-14
L7那个早搞定了,也快忘完了.....
呵呵。。。。
csu113 2010-11-26
楼主研究得怎样啦?最近我也在看这部分,不知道楼主对xt_layer7.c这个代码有没有很深的了解,有好多问题想问下
lan_6373836 2010-03-16
依然谢谢steptodream,你给我了很多帮助,也谢谢关注的朋友,正式开始钻研了
steptodream 2010-03-16
不是做开发的 要说到具体的实现 I've no idea.
lan_6373836 2010-03-16
太感谢了steptodream和lvyinghong,大家一起来讨论下,这两个都经常用到,我现在想把他们两个的优点简单的综合下即:
数据流->IPP2P->Layer7(实现每个包匹配)
由于IPP2P只标记P2P数据流中的TCP、UDP数据包,所以我想让他们(除TCP、UDP外的数据包)由Layer7匹配,请大家探讨下如果在IPP2P源码的基础上结合Layer7源码怎么实现呢?
谢谢了
lvyinghong 2010-03-15
iptables里面有一种叫做 conntrack 的技术,可以记录连接状态,可以知道每个网络包是属于哪个连接的,

就是上面那个函数,ip_conntrack_get((struct sk_buff *)skb, &ctinfo) 可以知道那个 skb 对应哪个连接。


看楼上发的代码,layer7应该是自己维护了一个master_conntrack 结构,用来统计连接里面的第几个包的。
steptodream 2010-03-15
对了num_packets定义的地方是有注释的
/* Number of packets whose data we look at (default 10).
This can be modified through /proc/net/layer7_numpackets; layer7_read_proc()
reports the current value back to userland as two decimal digits. */
static int num_packets = 10;
steptodream 2010-03-15

/* Packets seen so far on this connection, stored on the master conntrack.
   Relies on a local named master_conntrack being in scope at the use site;
   match() increments it once per skb (guarded by skb->cb[0]). */
#define TOTAL_PACKETS master_conntrack->layer7.numpackets
/* Number of packets whose data we look at; can be modified through
   /proc/net/layer7_numpackets. */
static int num_packets = 10;
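/* Returns true on match and false otherwise.
 *
 * Netfilter match callback for the layer7 classifier.  The application
 * payload of each packet is appended to a buffer kept on the connection's
 * master conntrack (layer7.app_data) and the pattern is run against that
 * buffer until either it matches or more than num_packets packets have been
 * seen.  Once a verdict is stored in layer7.app_proto, or the packet budget
 * is exhausted, match_no_append() decides (presumably from the cached
 * app_proto) without touching the payload.
 *
 * skb        packet being examined.  skb->cb[0] is used as a "seen" flag so
 *            that a packet is counted and appended only once even when
 *            several l7 rules inspect it.
 * in, out    ingress/egress devices; not used by this match.
 * matchinfo  rule data, a struct ipt_layer7_info (pattern, protocol, invert).
 * offset     fragment offset; not used by this match.
 * hotdrop    netfilter drop flag; not used by this match.
 *
 * Every bail-out before a verdict is reached returns info->invert, i.e. "no
 * match" with the rule's negation flag honoured.
 */
static int match(/* const */struct sk_buff *skb, const struct net_device *in,
                 const struct net_device *out, const void *matchinfo,
                 int offset, int *hotdrop)
{
    struct ipt_layer7_info *info = (struct ipt_layer7_info *)matchinfo;
    enum ip_conntrack_info master_ctinfo, ctinfo;
    struct ip_conntrack *master_conntrack = NULL, *conntrack;
    unsigned char *app_data;
    unsigned int pattern_result, appdatalen;
    regexp *comppattern;

    if (!can_handle(skb)) {
        DPRINTK("layer7: This is some protocol I can't handle.\n");
        return info->invert;
    }

    /* Treat the parent and all its children together as one connection,
       except for the purpose of setting conntrack->layer7.app_proto in the
       actual connection. This makes /proc/net/ip_conntrack somewhat more
       satisfying. */
    conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
    if (conntrack)
        master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo);
    if (!conntrack || !master_conntrack) {
        DPRINTK("layer7: packet is not from a known connection, giving up.\n");
        return info->invert;
    }

    /* Try to get a master conntrack (and its master etc) for FTP, etc. */
    while (master_ct(master_conntrack) != NULL)
        master_conntrack = master_ct(master_conntrack);

    /* Count the packet once per skb, not once per l7 rule that sees it. */
    if (!skb->cb[0]) {
        WRITE_LOCK(&ct_lock);
        master_conntrack->layer7.numpackets++; /* starts at 0 via memset */
        WRITE_UNLOCK(&ct_lock);
    }

    /* if we've classified it or seen too many packets */
    if (TOTAL_PACKETS > num_packets || master_conntrack->layer7.app_proto) {
        pattern_result = match_no_append(conntrack, master_conntrack,
                                         ctinfo, master_ctinfo, info);

        /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
           rules. I'm not sure that using cb for this purpose is correct,
           although it says "put your private variables there". But it doesn't
           look like it is being used for anything else in the skbs that make
           it here. How can I write to cb without making the compiler angry? */
        skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistent */

        return (pattern_result ^ info->invert);
    }

    /* The payload is read directly from skb->data below, so a paged skb must
       be pulled into one linear buffer first. */
    if (skb_is_nonlinear(skb)) {
        if (skb_linearize(skb, GFP_ATOMIC) != 0) {
            if (net_ratelimit())
                printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
            return info->invert;
        }
    }

    /* now that the skb is linearized, it's safe to set these. */
    app_data = skb->data + app_data_offset(skb);
    appdatalen = skb->tail - app_data;

    LOCK_BH(&list_lock);
    /* the return value gets checked later, when we're ready to use it */
    comppattern = compile_and_cache(info->pattern, info->protocol);
    UNLOCK_BH(&list_lock);

    /* On the first packet of a connection, allocate space for app data.
       maxdatalen is the capacity of that buffer; add_data() is expected to
       keep appends within it (not visible here - verify in add_data). */
    WRITE_LOCK(&ct_lock);
    if (TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
        master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
        if (!master_conntrack->layer7.app_data) {
            if (net_ratelimit())
                printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
            WRITE_UNLOCK(&ct_lock);
            return info->invert;
        }

        /* regexec() treats app_data as a C string, so start it terminated. */
        master_conntrack->layer7.app_data[0] = '\0';
    }
    WRITE_UNLOCK(&ct_lock);

    /* Can be here, but unallocated, if numpackets is increased near
       the beginning of a connection */
    if (master_conntrack->layer7.app_data == NULL)
        return (info->invert); /* unmatched */

    if (!skb->cb[0]) {
        int newbytes;

        WRITE_LOCK(&ct_lock);
        newbytes = add_data(master_conntrack, app_data, appdatalen);
        WRITE_UNLOCK(&ct_lock);

        if (newbytes == 0) { /* didn't add any data */
            skb->cb[0] = 1;
            /* Didn't match before, not going to match now */
            return info->invert;
        }
    }

    /* If looking for "unknown", then never match. "Unknown" means that
       we've given up; we're still trying with these packets. */
    if (!strcmp(info->protocol, "unknown")) {
        pattern_result = 0;
    } else if (comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
        /* If the regexp failed to compile (comppattern == NULL) we never
           get here and the packet simply does not match. */
        DPRINTK("layer7: regexec positive: %s!\n", info->protocol);
        pattern_result = 1;
    } else {
        pattern_result = 0;
    }

    if (pattern_result) {
        size_t protolen = strlen(info->protocol) + 1; /* including the NUL */

        WRITE_LOCK(&ct_lock);
        /* The "already classified" test above read app_proto without holding
           ct_lock, so a concurrent match() on another packet of the same
           connection may have stored a verdict since.  Re-check under the lock
           rather than allocating a second string and leaking the first. */
        if (!master_conntrack->layer7.app_proto) {
            master_conntrack->layer7.app_proto = kmalloc(protolen, GFP_ATOMIC);
            if (!master_conntrack->layer7.app_proto) {
                if (net_ratelimit())
                    printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
                WRITE_UNLOCK(&ct_lock);
                return (pattern_result ^ info->invert);
            }
            memcpy(master_conntrack->layer7.app_proto, info->protocol, protolen);
        }
        WRITE_UNLOCK(&ct_lock);
    }

    /* mark the packet seen */
    skb->cb[0] = 1;

    return (pattern_result ^ info->invert);
}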

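/* write out num_packets to userland.
 *
 * /proc read handler: renders num_packets as two zero-padded decimal digits
 * followed by a newline, e.g. "10\n", always NUL-terminated in the page.
 *
 * page               output buffer supplied by procfs.
 * start, off, count, data  not used by this handler.
 * eof                set to 1 because the whole value fits in one read.
 *
 * Returns the number of bytes written (always 3).
 *
 * The two-digit encoding can only represent 0..99.  The writer on the proc
 * side (not shown here) presumably rejects larger values; should one get
 * through anyway, it is logged (rate limited) and clamped so that the output
 * still consists of digits instead of an arbitrary non-digit byte.
 */
static int layer7_read_proc(char *page, char **start, off_t off, int count,
                            int *eof, void *data)
{
    int value = num_packets;

    if ((value < 0 || value > 99) && net_ratelimit())
        printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");

    /* Clamp into the representable range rather than emitting garbage. */
    if (value < 0)
        value = 0;
    else if (value > 99)
        value = 99;

    page[0] = value / 10 + '0';
    page[1] = value % 10 + '0';
    page[2] = '\n';
    page[3] = '\0';

    *eof = 1;

    return 3;
}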

这是源码里的,我觉得和这几段源码有关
lan_6373836 2010-03-15
楼上的说的很对,就是那个意思,我想知道他们检测包的个数问题在源代码的什么地方限制的?
你说的每个包,是目标地址是你的包么?
可以正常提取,你额外检测即可。

steptodream 2010-03-15
没有研究过 帮顶一下 别介意
