Assignment 10: Programming: Programmable Network Filter

This assignment is to be completed by your group.

Overview

The Linux kernel features the netfilter/iptables subsystem, which filters incoming and outgoing network packets. It can be used to build firewalls, network address translators (NATs), and quality-of-service features in Linux-based end systems and routers.

Netfilter, through its iptables command, can be instructed to accept, drop, reject, log or queue packets.

As part of this assignment, you will enhance the netfilter package with deep packet inspection functionality. Deep packet inspection looks "inside" the payload of the packet and filters based on content. Real systems parse HTTP elements or even XML, but this assignment simply adds a string-based filter. In other words, the filter scans the payload of each incoming or outgoing packet for a particular string, in the manner of the strstr() function. If the string is found in the packet, the filter matches, and netfilter will then take the action the rule specifies, such as logging or discarding the packet. Note that packet data in the kernel is a binary buffer that is not NUL-terminated and may itself contain NUL bytes, so the search must be bounded by the packet length rather than rely on a terminator.

Details

You should start by familiarizing yourself with netfilter, using the documentation provided online. As an exercise, create an iptables rule that logs UDP packets sent to port 4567, and verify it with your UDP test tools (see "Deliverables" below).
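A minimal UDP test tool for this exercise, as an added example and not part of the original handout: it acts as a receiver (bind to a port and print what arrives) or a sender (one datagram to a host and port), and it carries a loopback self-check. The iptables rule in the header comment and the "udp4567:" log prefix are assumptions about how you choose to name and place the rule; the rule needs root, and its output goes to the kernel log.

```c
/*
 * udptest.c: minimal UDP sender/receiver for exercising the LOG rule.
 * Added example; not part of the original assignment handout.
 *
 * Pair it with a rule such as (assumed: packets arrive on the INPUT chain):
 *   iptables -A INPUT -p udp --dport 4567 -j LOG --log-prefix "udp4567: "
 * then watch the kernel log (dmesg) while running:
 *   ./udptest recv 4567                      (terminal 1)
 *   ./udptest send 127.0.0.1 4567 "hello"    (terminal 2)
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Create a UDP socket bound to addr:port (port 0 picks an ephemeral port) and
 * report the address actually bound.  Returns the descriptor or -1. */
static int udp_bind(const char *addr, unsigned short port, struct sockaddr_in *bound)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof *bound;
    if (getsockname(fd, (struct sockaddr *)bound, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Send one datagram carrying msg (without the trailing NUL) to addr:port. */
static int udp_send(const char *addr, unsigned short port, const char *msg)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) { close(fd); return -1; }
    ssize_t n = sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Loopback self-check: bind an ephemeral receiver, send msg to it, and verify
 * the same bytes arrive within two seconds.  Returns 1 on success, else 0. */
int udp_loopback_roundtrip(const char *msg)
{
    struct sockaddr_in bound;
    int rfd = udp_bind("127.0.0.1", 0, &bound);
    if (rfd < 0) return 0;
    struct timeval tv = { 2, 0 };             /* do not hang if nothing arrives */
    setsockopt(rfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (udp_send("127.0.0.1", ntohs(bound.sin_port), msg) < 0) { close(rfd); return 0; }
    char buf[1500];
    ssize_t n = recv(rfd, buf, sizeof buf, 0);
    close(rfd);
    return n == (ssize_t)strlen(msg) && memcmp(buf, msg, (size_t)n) == 0;
}

int main(int argc, char **argv)
{
    if (argc >= 3 && strcmp(argv[1], "recv") == 0) {
        struct sockaddr_in bound;
        int fd = udp_bind("0.0.0.0", (unsigned short)atoi(argv[2]), &bound);
        if (fd < 0) { perror("bind"); return 1; }
        char buf[1500];
        for (;;) {                             /* print every datagram received */
            ssize_t n = recv(fd, buf, sizeof buf - 1, 0);
            if (n < 0) { perror("recv"); return 1; }
            buf[n] = '\0';
            printf("got %zd bytes: %s\n", n, buf);
        }
    }
    if (argc >= 5 && strcmp(argv[1], "send") == 0)
        return udp_send(argv[2], (unsigned short)atoi(argv[3]), argv[4]) < 0 ? 1 : 0;
    fprintf(stderr, "usage: %s recv PORT | send HOST PORT MSG\n", argv[0]);
    return 2;
}
```

Compile with `cc -o udptest udptest.c`. Sending to a port with no listener still traverses the INPUT chain, so the LOG rule fires even before the receiver is started; the receiver is there to confirm that the datagram was delivered and not dropped by some other rule.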

Then, develop your extension. Your iptables match extension should take a --string argument that accepts a string of any length. Matching is exact, i.e., case-sensitive.
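The match decision itself, as an added user-space model that is not the assignment's kernel patch and not netfilter's own API: it locates the transport payload of an IPv4 packet (UDP or TCP), then runs a bounded, case-sensitive search over just that payload. The netfilter registration glue and the iptables plugin that parses --string are left to you; the packet builder and the "GET /\0secret" payload are constructed test data.

```c
/*
 * strmatch.c: user-space model of the payload check at the heart of a
 * netfilter string match.  Added example; not the assignment's kernel patch
 * and not netfilter's own API.  The ipt_match registration and the
 * iptables --string option parser are left out.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded substring search.  Unlike strstr(), it neither stops at a NUL
 * inside the haystack nor reads past hay_len; packet payloads are binary
 * and carry no terminator. */
static const unsigned char *mem_find(const unsigned char *hay, size_t hay_len,
                                     const unsigned char *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return hay + i;
    return NULL;
}

/* Locate the transport payload of an IPv4 packet.  On success returns 0 and
 * sets *off to the payload start and *end to the end of the IP datagram;
 * returns -1 for truncated or malformed packets. */
static int ipv4_payload(const unsigned char *pkt, size_t len, size_t *off, size_t *end)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;          /* IP header length in bytes */
    if (ihl < 20 || len < ihl) return -1;
    size_t tot = (size_t)((pkt[2] << 8) | pkt[3]); /* IP total length */
    if (tot < ihl || tot > len) return -1;      /* never trust tot beyond the buffer */
    size_t thl;
    switch (pkt[9]) {                           /* protocol field */
    case 17: thl = 8; break;                    /* UDP: fixed 8-byte header */
    case 6:                                     /* TCP: data offset in 32-bit words */
        if (tot < ihl + 20) return -1;
        thl = (pkt[ihl + 12] >> 4) * 4u;
        if (thl < 20) return -1;
        break;
    default: thl = 0; break;                    /* other protocols: scan the whole body */
    }
    if (ihl + thl > tot) return -1;
    *off = ihl + thl;
    *end = tot;
    return 0;
}

/* The match decision: 1 if needle occurs in the payload, 0 otherwise.
 * Exact, case-sensitive comparison, as the assignment requires. */
int string_match(const unsigned char *pkt, size_t len, const char *needle)
{
    size_t off, end;
    if (ipv4_payload(pkt, len, &off, &end) < 0) return 0;
    return mem_find(pkt + off, end - off,
                    (const unsigned char *)needle, strlen(needle)) != NULL;
}

/* Build a constructed IPv4/UDP packet around a payload (checksums left zero;
 * they are irrelevant to the match).  Returns the total length, 0 on error. */
size_t build_udp_packet(unsigned char *out, size_t cap,
                        const unsigned char *payload, size_t plen)
{
    size_t tot = 20 + 8 + plen;
    if (tot > cap || tot > 0xffff) return 0;
    memset(out, 0, 28);
    out[0] = 0x45;                              /* IPv4, IHL = 5 */
    out[2] = (unsigned char)(tot >> 8); out[3] = (unsigned char)tot;
    out[8] = 64;                                /* TTL */
    out[9] = 17;                                /* protocol: UDP */
    out[20] = 0x04; out[21] = 0xd2;             /* source port 1234 */
    out[22] = 0x11; out[23] = 0xd7;             /* destination port 4567 */
    out[24] = (unsigned char)((8 + plen) >> 8); out[25] = (unsigned char)(8 + plen);
    memcpy(out + 28, payload, plen);
    return tot;
}

/* Run needle against a constructed packet whose payload has an embedded NUL
 * ("GET /\0secret"): strstr() would never see the bytes after the NUL. */
int demo_match(const char *needle)
{
    static const unsigned char payload[] = "GET /\0secret";
    unsigned char pkt[64];
    size_t n = build_udp_packet(pkt, sizeof pkt, payload, sizeof payload - 1);
    return string_match(pkt, n, needle);
}

int main(void)
{
    printf("secret after NUL: %d\n", demo_match("secret"));     /* 1 */
    printf("case-sensitive:   %d\n", demo_match("SECRET"));     /* 0 */
    printf("header bytes:     %d\n", demo_match("\x11\xd7"));   /* 0: ports are not payload */
    return 0;
}
```

Two details carry over to the kernel version: the search length comes from the IP total length clipped to the buffer actually available, never from a terminator, and the string from --string is compared byte for byte, so a needle that itself contains a NUL cannot be passed as a C string and would need an explicit length in the match data.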

Deliverables

Below is a summary of the deliverables:

Hints

The netfilter web site contains information on how to extend the netfilter source. You can find examples of netfilter extensions in the section on the netfilter/iptables patch-o-matic system, as well as the Netfilter Extensions HOWTO. If you run into difficulties, you might first want to install one of the simpler extensions, such as U32, and see how they work.

What to Submit

You must submit a single file named .tar.gz or .tgz. Any other filename and we will dock points! The tar file should contain the kernel patch, the README file, sample output and the testing programs.

Your README file should describe what changes you made to the kernel, how to run your test programs and what the expected output should be.

For each programming part, if your program(s) do not work, you must submit a file named nonworking.txt. In this file, describe what problems you ran into, where your program fails and what you think the reasons are.


Last updated by Henning Schulzrinne