标签:
Android 4.4.4
http://www.netfilter.org/: Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network, as well as for providing ability to prohibit packets from reaching sensitive locations within a computer network.
拒绝让 Internet 的封包进入主机的某些端口; 拒绝让某些来源 IP 的封包进入; 拒绝让带有某些特殊标志 (flag) 的封包进入,最常拒绝的就是带有 SYN 的主动联机的 flag,只要一经发现就将该封包丢弃; 分析硬件地址 (MAC) 来决定联机与否
NF_ACCEPT 继续正常传输数据报,这个返回值告诉 Netfilter:到目前为止,该数据包还是被接受的并且该数据包应当被递交到网络协议栈的下一个阶段。 NF_DROP 丢弃该数据报,不再传输。 NF_STOLEN 回调函数接管该数据报,该回调函数从此开始对数据包的处理,并且Netfilter应当放弃对该数据包做任何的处理。 NF_QUEUE 对该数据报进行排队(通常用于将数据报给用户空间的进程进行处理) NF_REPEAT 再次调用该回调函数,应当谨慎使用这个值,以免造成死循环。 NF_STOP 功能和NF_ACCEPT类似但强于NF_ACCEPT,一旦挂接链表中某个hook节点返回NF_STOP,该skb包就立即结束检查而被其他模块接受,不再需要进入后续hook点检查。
/*
 * Excerpt of the protocol-family enum from netfilter.h (presumably only the
 * members of interest are reproduced here, hence the gaps in the numbering).
 * NFPROTO_IPV4 is the value passed as the `pf` argument of the five IPv4
 * NF_HOOK() call sites listed below.
 */
enum {
	NFPROTO_IPV4 = 2,
	NFPROTO_ARP = 3,
	NFPROTO_BRIDGE = 7,
	NFPROTO_IPV6 = 10,
	NFPROTO_DECNET = 12,
};
(1):NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,ip_rcv_finish) (2):NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL,ip_local_deliver_finish); (3):NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev,ip_forward_finish); (4):NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL, skb->dst->dev, dst_output); (5):NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev,ip_finish_output, cond); NF_HOOK(pf, hook, skb, in, out, okfn) pf:协议栈名称,定义在socket.h (kernel\include\linux) hook:HOOK点的名字,对于IPv4就是上述五个值 skb:内核中网络数据包的结构体 in:数据包进来的设备,以struct net_device结构表示 out:数据包出去的设备,以struct net_device结构表示 okfn:函数指针,该HOOK点的所有登记的函数调用完后调用该函数
iptables维护这三张表,查看或设置使用参数-t:
iptables -t filter -L iptables -t nat -L iptables -t mangle -L
/* ip_tables.c (kernel\net\ipv4\netfilter) 56679 2016-03-08 -- excerpt */

/*
 * Module initialisation. The only step reproduced here is the registration of
 * the ipt_sockopts handler set, which is what makes setsockopt()/getsockopt()
 * requests from user space (the iptables binary) reach this module.
 * `ret` and the `err5` error label belong to the elided part of the function.
 */
static int __init ip_tables_init(void)
{
	/* Register setsockopt */
	ret = nf_register_sockopt(&ipt_sockopts);
	if (ret < 0)
		goto err5;

	pr_info("(C) 2000-2006 Netfilter Core Team\n"); // this line appears in the boot log
	return 0;
}

/* Module teardown; its body is not reproduced in this excerpt. */
static void __exit ip_tables_fini(void)

module_init(ip_tables_init);
module_exit(ip_tables_fini);
/* ip_tables.c (kernel\net\ipv4\netfilter) -- excerpt */

/*
 * Socket-option handler table registered by ip_tables_init() through
 * nf_register_sockopt(). `.set` serves setsockopt() (rule-table replacement
 * and counter updates, see do_ipt_set_ctl) and `.get` serves getsockopt()
 * (table info, entries and revisions, see do_ipt_get_ctl). This is the
 * user-space/kernel boundary through which a new rule set enters the kernel.
 */
static struct nf_sockopt_ops ipt_sockopts = {
	.set = do_ipt_set_ctl,
	.get = do_ipt_get_ctl,
	.owner = THIS_MODULE,
};
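/* ip_tables.c (kernel\net\ipv4\netfilter) -- excerpt */

/*
 * setsockopt() entry point of the ip_tables module (installed as
 * ipt_sockopts.set). Dispatches on the option number:
 *   IPT_SO_SET_REPLACE      - do_replace(): swap in a complete new rule table
 *   IPT_SO_SET_ADD_COUNTERS - do_add_counters(): add to the per-rule counters
 * Any other option is rejected with -EINVAL.
 *
 * NOTE(review): this excerpt elides the privilege check that the full source
 * performs before the switch (a CAP_NET_ADMIN test that returns -EPERM);
 * confirm against the file before treating the excerpt as the complete path.
 */
static int do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
{
	int ret;

	switch (cmd) {
	case IPT_SO_SET_REPLACE:
		ret = do_replace(sock_net(sk), user, len);
		break;
	case IPT_SO_SET_ADD_COUNTERS:
		ret = do_add_counters(sock_net(sk), user, len, 0);
		break;
	default:
		ret = -EINVAL;
	}
	return ret;
}

/*
 * getsockopt() counterpart (ipt_sockopts.get). `len` is passed by pointer,
 * presumably so the helpers can report the number of bytes written -- verify
 * against get_info()/get_entries().
 *   IPT_SO_GET_INFO            - get_info()
 *   IPT_SO_GET_ENTRIES         - get_entries()
 *   IPT_SO_GET_REVISION_MATCH /
 *   IPT_SO_GET_REVISION_TARGET - revision lookup; its body is elided here
 *                                (the excerpt kept only the closing brace).
 */
static int do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
	int ret;

	switch (cmd) {
	case IPT_SO_GET_INFO:
		ret = get_info(sock_net(sk), user, len, 0);
		break;
	case IPT_SO_GET_ENTRIES:
		ret = get_entries(sock_net(sk), user, len);
		break;
	case IPT_SO_GET_REVISION_MATCH:
	case IPT_SO_GET_REVISION_TARGET: {
		/* ... revision lookup elided; the elided code assigns ret ... */
		break;
	}
	default:
		ret = -EINVAL;
	}
	return ret;
}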
root@KoolRegister:/ # iptables -t filter -L Chain INPUT (policy ACCEPT) target prot opt source destination bw_INPUT all -- anywhere anywhere fw_INPUT all -- anywhere anywhere
// CommandListener.cpp (system\netd) -- excerpt

/**
 * netd's command listener. Before any framework command is served, the
 * constructor hooks the per-module child chains into the built-in iptables
 * chains: filter INPUT/FORWARD/OUTPUT, raw PREROUTING, mangle
 * POSTROUTING/OUTPUT for both IPv4 and IPv6 (V4V6), and nat
 * PREROUTING/POSTROUTING for IPv4 only (V4). The child-chain arrays
 * (FILTER_INPUT, ...) are ordered lists, so the order of these calls and of
 * the arrays presumably determines which module sees a packet first.
 * `map` is not used in the lines shown here.
 */
CommandListener::CommandListener(UidMarkMap *map) :
                 FrameworkListener("netd", true) {

    // Create chains for children modules
    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT);
    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD);
    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT);
    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING);
    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING);
    createChildChains(V4V6, "mangle", "OUTPUT", MANGLE_OUTPUT);
    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
}
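// CommandListener.cpp (system\netd) -- excerpt

/**
 * List of module chains to be created, along with explicit ordering. ORDERING
 * IS CRITICAL, AND SHOULD BE TRIPLE-CHECKED WITH EACH CHANGE.
 */
static const char* FILTER_INPUT[] = {
        // Bandwidth should always be early in input chain, to make sure we
        // correctly count incoming traffic against data plan.
        BandwidthController::LOCAL_INPUT,   // "bw_INPUT"
        FirewallController::LOCAL_INPUT,    // "fw_INPUT"
        NULL,   // list terminator (presumably what createChildChains() stops on)
};

// [green box in the log screenshot]
// Call chain from createChildChains() down to the exec of the iptables binary.
// Each arrow marks one level of the chain; the bodies are excerpts.
void createChildChains(IptablesTarget target, const char* table, const char* parentChain, const char** childChains);
// -->
int execIptablesSilently(IptablesTarget target, ...);
// ---->
int execIptables(IptablesTarget target, bool silent, va_list args) {
    // NOTE(review): variable-length array, a compiler extension in C++; `argsList`
    // (the collected arguments) is built in the elided part of the function.
    const char *argv[argsList.size()];
    // ... argument collection elided ...
    argv[0] = IPTABLES_PATH; // IPTABLES_PATH = "/system/bin/iptables"
}
// ------>
int execIptablesCommand(int argc, const char *argv[], bool silent);
// -------->
// Forks and runs argv in the child; `pid` is declared in the elided part.
int android_fork_execvp(int argc, char* argv[], int *status, bool ignore_int_quit, bool logwrap) {
    pid = fork();
    if (pid == 0) {
        child(argc, argv);
    }
}
// ---------->
// Child side of the fork: copies argv into a NULL-terminated array and execs it.
static void child(int argc, char* argv[]) {
    // create null terminated argv_child array
    char* argv_child[argc + 1];
    memcpy(argv_child, argv, argc * sizeof(char *));
    argv_child[argc] = NULL;
    // argv_child[0] is the absolute IPTABLES_PATH set above, so execvp() does
    // not search PATH for it. execvp() only returns on failure, in which case
    // FATAL_CHILD presumably logs and terminates the child.
    if (execvp(argv_child[0], argv_child)) {
        FATAL_CHILD("executing %s failed: %s\n", argv_child[0], strerror(errno));
    }
}
// There is one more place that also programs the rule tables with iptables commands: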
/**
 * Installs the tethering iptables state: first resets the baseline via
 * setDefaults(), then flushes, deletes and recreates the tether-counters
 * chain. `res` is declared in the elided part of the function, and the
 * excerpt does not show the return statement.
 */
int NatController::setupIptablesHooks() {
    res = setDefaults();

    // [blue box in the log screenshot]
    // Each entry is a literal argv for iptables plus a checkRes flag. The -F
    // and -X entries carry 0 (presumably because they fail when the chain does
    // not exist yet), while the -N entry carries 1.
    struct CommandsAndArgs defaultCommands[] = {
        {{IPTABLES_PATH, "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
        {{IPTABLES_PATH, "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
        {{IPTABLES_PATH, "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
    };
    // NOTE(review): `ARRAY_SIZE` appears without its argument in this excerpt;
    // presumably the loop bound is the element count of defaultCommands and the
    // argc passed to runCmd() is the element count of each .cmd array.
    for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE; cmdNum++) {
        if (runCmd(ARRAY_SIZE, defaultCommands[cmdNum].cmd) && defaultCommands[cmdNum].checkRes) {
            // failure handling elided in this excerpt
        }
    }
}
// [yellow box in the log screenshot]

/**
 * Resets the forwarding/NAT baseline: flushes the netd FORWARD chain and
 * appends a DROP rule (so forwarding is denied by default), flushes the netd
 * nat POSTROUTING chain, rebuilds the IPv4 and IPv6 routing policy database
 * (flush, then re-add the main/default lookups at the lowest priorities) and
 * flushes the route cache. Only the iptables entries carry checkRes = 1; the
 * `ip` commands are run with 0. `res` is declared in the elided part and the
 * excerpt does not show the return statement.
 */
int NatController::setDefaults() {
    struct CommandsAndArgs defaultCommands[] = {
        {{IPTABLES_PATH, "-F", LOCAL_FORWARD,}, 1},
        // default-deny for forwarded traffic until a later rule allows it
        {{IPTABLES_PATH, "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
        {{IPTABLES_PATH, "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
        {{IP_PATH, "rule", "flush"}, 0},
        {{IP_PATH, "-6", "rule", "flush"}, 0},
        // catch-all lookups: main at prio 32766, default at prio 32767
        {{IP_PATH, "rule", "add", "from", "all", "lookup", "default", "prio", "32767"}, 0},
        {{IP_PATH, "rule", "add", "from", "all", "lookup", "main", "prio", "32766"}, 0},
        {{IP_PATH, "-6", "rule", "add", "from", "all", "lookup", "default", "prio", "32767"}, 0},
        {{IP_PATH, "-6", "rule", "add", "from", "all", "lookup", "main", "prio", "32766"}, 0},
        {{IP_PATH, "route", "flush", "cache"}, 0},
    };
    // NOTE(review): `ARRAY_SIZE` appears without its argument in this excerpt
    // (same as in setupIptablesHooks()).
    for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE; cmdNum++) {
        if (runCmd(ARRAY_SIZE, defaultCommands[cmdNum].cmd) && defaultCommands[cmdNum].checkRes) {
            // failure handling elided in this excerpt
        }
    }
}

/**
 * Runs one argv through android_fork_execvp() with status = NULL,
 * ignore_int_quit = false and logwrap = false, logs the result and returns it.
 * `full_cmd` (the command text used in the log line) and `res` are built in
 * the elided part of the function.
 * NOTE(review): the cast drops const because android_fork_execvp() takes
 * char**; the callee is presumably not expected to modify the strings.
 */
int NatController::runCmd(int argc, const char **argv) {
    res = android_fork_execvp(argc, (char **)argv, NULL, false, false);
    ALOGV("runCmd(%s) res=%d", full_cmd.c_str(), res);
    return res;
}
参考资料:
1、鸟哥的Linux私房菜服务器架设篇(第三版)——第九章、防火墙与 NAT 服务器 2、http://www.netfilter.org/ 3、iptables使用文档:https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html 4、系列: (一)洞悉linux下的Netfilter&iptables:什么是Netfilter?() (二)洞悉linux下的Netfilter&iptables:内核中的ip_tables小觑 (http://blog.chinaunix.net/uid-23069658-id-3162264.html) (三)洞悉linux下的Netfilter&iptables:内核中的rule,match和target (http://blog.chinaunix.net/uid-23069658-id-3163999.html) (四)洞悉linux下的Netfilter&iptables:包过滤子系统iptable_filter (http://blog.chinaunix.net/uid-23069658-id-3166140.html)
arp_tables.c (kernel\net\ipv4\netfilter) BandwidthController.cpp (system\netd) BandwidthController.h (system\netd) CommandListener.cpp (system\netd) CommandListener.h (system\netd) core.c (kernel\net\netfilter) FirewallController.cpp (system\netd) FirewallController.h (system\netd) iptables.h (external\iptables\include) iptable_filter.c (kernel\net\ipv4\netfilter) iptable_nat.c (kernel\net\ipv4\netfilter) iptable_raw.c (kernel\net\ipv4\netfilter) ip_forward.c (kernel\net\ipv4) ip_input.c (kernel\net\ipv4) ip_output.c (kernel\net\ipv4) ip_tables.c (kernel\net\ipv4\netfilter) ip_tables.h (kernel\include\linux\netfilter_ipv4) ip_tables.h (kernel\include\uapi\linux\netfilter_ipv4) kmod.h (kernel\include\linux) logwrap.c (system\core\logwrapper) logwrap.h (system\core\logwrapper\include\logwrap) NetdCommand.cpp (system\netd) NetdCommand.h (system\netd) NetdConstants.cpp (system\netd) NetdConstants.h (system\netd) netfilter.h (kernel\include\linux) netfilter.h (kernel\include\uapi\linux) nfnetlink.c (kernel\net\netfilter) nf_sockopt.c (kernel\net\netfilter) socket.h (kernel\include\linux) x_tables.c (kernel\net\netfilter) x_tables.h (kernel\include\linux\netfilter) x_tables.h (kernel\include\uapi\linux\netfilter)
Android网络安全:Netfilter与iptables
原文地址:http://blog.csdn.net/u013686019/article/details/51474135