防火墙技术分析讲义 Part Two
文章出处:西安交大 作者:王灏   发布时间:2004-09-24   点击:0
 

    四 Linux下防火墙的实现之三(checkpoint FW1)

让我们看看checkpoint在linux上的防火墙是如何实现的,最终我们会发现,竟然和lkm使用的手段差不多:)

fw1通过dev_add_pack的办法加载输入过滤函数,但是在net_bh()中,传往网络层的skbuff是克隆的,即
skb2=skb_clone(skb, GFP_ATOMIC);
if(skb2)
pt_prev->func(skb2, skb->dev, pt_prev);
而fw1是怎么解决这个问题的呢?见下面的代码:

输入一:

; ---------------------------------------------------------------------------
align 4

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

;-----------------------------------------------------------------------
; int fwinstallin(int install)          (C-equivalent, inferred from use)
; (Un)registers FW-1's inbound hook: its own ETH_P_IP packet_type.
; ABI:   32-bit Linux kernel, cdecl; the add esp,-12 / add esp,10h pairs
;        appear to be gcc 2.x keeping each call site 16-byte aligned
; In:    arg_0 = install flag: non-zero = install, 0 = uninstall
; Out:   eax = 0 always
; Uses:  fw_ip_packet_type (FW-1's packet_type, func = fw_filterin)
;        fw_type_list      (saved chain of the packet_types it displaced)
;        dev_base, fwdebug (debug-only walk of the device list)
; Install:   dev_add_pack(&fw_ip_packet_type), then dev_remove_pack() every
;            packet_type that follows it on the chain, keeping the chain
;            head in fw_type_list so the uninstall path can restore it.
; Uninstall: dev_remove_pack(&fw_ip_packet_type), then dev_add_pack() each
;            saved packet_type back in turn.
; NOTE(review): +10h is read as packet_type.next and +28h as device.next
; (Linux 2.2 layouts) — confirm against the target kernel's headers. If
; other types share the same ptype hash chain they would be removed too.
; Defender note: displacing the kernel's own packet_type this way is the
; same technique an LKM would use to see inbound IP first; the registered
; packet_type chain and its func pointers are therefore worth auditing.
;-----------------------------------------------------------------------
public fwinstallin
fwinstallin proc near ; CODE XREF: fwinstall+E9 p
; fwinstall+149 p

var_18 = byte ptr -18h
arg_0 = dword ptr 8

push ebp
mov ebp, esp
sub esp, 10h
push esi
push ebx
mov esi, ds:dev_base ; esi = head of the kernel's device list (debug walk below)
cmp [ebp+arg_0], 0 ; install flag == 0 -> uninstall path
jz short loc_0_802CBD0
add esp, 0FFFFFFF4h ; esp -= 12: pad so the 1-arg call sits on a 16-byte boundary
push offset fw_ip_packet_type
call dev_add_pack ; register FW-1's own ETH_P_IP handler (fw_filterin)
mov ebx, fw_ip_packet_type+10h ; ebx = dword at fw_ip_packet_type+10h, i.e. what followed ours on the chain; (author) allowing for alignment this is ip_packet_type
mov dword ptr ds:fw_type_list, ebx ; remember the displaced chain for uninstall
jmp short loc_0_802CB9C
; ---------------------------------------------------------------------------
align 4

; loop: unregister every packet_type still on the chain after ours
loc_0_802CB90: ; CODE XREF: fwinstallin+41 j
add esp, 0FFFFFFF4h
push ebx
call dev_remove_pack ; (author) FW-1 unloads ip_packet_type and calls ip_recv [sic: ip_rcv] itself from its own handler fw_filterin
mov ebx, [ebx+10h] ; ebx = ebx->next

loc_0_802CB9C: ; CODE XREF: fwinstallin+2D j
add esp, 10h ; drop pad + argument of the previous call
test ebx, ebx
jnz short loc_0_802CB90
test esi, esi ; empty device list -> done
jz short loc_0_802CC14

; debug only: log the name of every device on dev_base
loc_0_802CBA7: ; CODE XREF: fwinstallin+68 j
test byte ptr fwdebug, 81h ; trace enabled by fwdebug bit 0 or bit 7
jz short loc_0_802CBC3
add esp, 0FFFFFFF8h
mov eax, [esi] ; first field of the device (the "%s" below; dev->name)
push eax
push offset aFwinstallinS ; "fwinstallin: %s\n"
call fwkdebug_printf
add esp, 10h

loc_0_802CBC3: ; CODE XREF: fwinstallin+4E j
mov esi, [esi+28h] ; esi = dev->next
test esi, esi
jnz short loc_0_802CBA7
jmp short loc_0_802CC14
; ---------------------------------------------------------------------------
align 8

; uninstall path
loc_0_802CBD0: ; CODE XREF: fwinstallin+12 j
cmp dword ptr ds:fw_type_list, 0 ; no saved chain -> exit; note fw_ip_packet_type itself is then left registered
jz short loc_0_802CC14
add esp, 0FFFFFFF4h
push offset fw_ip_packet_type
call dev_remove_pack ; drop FW-1's own handler
add esp, 10h
cmp dword ptr ds:fw_type_list, 0 ; re-checked, though nothing above changes it
jz short loc_0_802CC14

; loop: re-register each saved packet_type, consuming fw_type_list as we go
loc_0_802CBF2: ; CODE XREF: fwinstallin+B2 j
add esp, 0FFFFFFF4h
mov eax, dword ptr ds:fw_type_list
push eax
call dev_add_pack ; put the displaced handler back
mov eax, dword ptr ds:fw_type_list
add esp, 10h
mov eax, [eax+10h] ; fw_type_list = fw_type_list->next
mov dword ptr ds:fw_type_list, eax
test eax, eax
jnz short loc_0_802CBF2

loc_0_802CC14: ; CODE XREF: fwinstallin+45 j
; fwinstallin+6A j ...
lea esp, [ebp+var_18] ; ebp-18h = saved ebx (10h frame + esi + ebx); discards any leftover pad
xor eax, eax ; return 0
pop ebx
pop esi
mov esp, ebp
pop ebp
retn
fwinstallin endp

输入二:
; FW-1's own packet_type for inbound IP: five dwords, referenced from
; fwinstallin (DATA XREF below). Read with the Linux 2.2 struct packet_type
; layout assumed throughout this analysis:
;   +0   type = 8             (consistent with htons(ETH_P_IP)=0x0008 stored as a dword)
;   +4   dev  = 0             (not bound to one device)
;   +8   func = fw_filterin   (the inbound filter entry point)
;   +0Ch data = 0
;   +10h next = 0             (fwinstallin reads this right after dev_add_pack)
; NOTE(review): field names are an assumption — confirm against the
; target kernel's include/linux/netdevice.h.
public fw_ip_packet_type
fw_ip_packet_type dd 8, 0, offset fw_filterin, 2 dup(0) ; DATA XREF: fwinstallin+17 o


输出的挂载和lkm的手法一样,更改dev->hard_start_xmit。dev结构在2.2版本的发展过程中变了一次,
为了兼容fw1对这点也做了处理(见下面输出三的xmit_func_addr,它根据kver选择0ACh或0B0h的偏移)。


输出一:
; ---------------------------------------------------------------------------
align 4

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

;-----------------------------------------------------------------------
; int fwinstallout(int install)         (C-equivalent, inferred from use)
; Walks dev_base and calls installout_on_device(dev, index, install) for
; each device, then records the count in fw_nif.
; In:    arg_0 = install flag, passed through unchanged as the 3rd argument
; Out:   eax = 0 always; fw_nif = number of devices visited
; Regs:  edi = install flag, esi = device index, ebx = current device
; Limit: only indices 0..3Fh are processed (cmp esi,3Fh / jle). If more
;        devices remain the walk stops, "Can only handle 64 interfaces" is
;        logged and, on an install run, "Not all interfaces installed".
;        Defender note: on such a host the devices past the 64th are left
;        without FW-1's output hook, i.e. their outbound traffic is not
;        filtered; the log line is the only signal.
; NOTE(review): +0 read as device.name, +28h as device.next, +50h as a
; 16-bit field the trace prints after the name ("fl"... in the format
; string, presumably flags) — confirm against the kernel headers.
;-----------------------------------------------------------------------
public fwinstallout
fwinstallout proc near ; CODE XREF: fwinstall+FB p
; fwinstall+153 p

var_18 = byte ptr -18h
arg_0 = dword ptr 8

push ebp
mov ebp, esp
sub esp, 0Ch
push edi
push esi
push ebx
mov edi, [ebp+arg_0] ; edi = install flag
xor esi, esi ; esi = device index, starts at 0
mov ebx, ds:dev_base ; ebx = first device
jmp short loc_0_802D0A8
; ---------------------------------------------------------------------------

; loop body: installout_on_device(dev, index, flag); args pushed right-to-left
loc_0_802D096: ; CODE XREF: fwinstallout+50 j
add esp, 0FFFFFFFCh ; esp -= 4: pad so the 3-arg call is 16-byte aligned
push edi
push esi
push ebx
call installout_on_device
add esp, 10h ; drop pad + 3 arguments
mov ebx, [ebx+28h] ; dev = dev->next
inc esi ; index++

loc_0_802D0A8: ; CODE XREF: fwinstallout+14 j
test ebx, ebx ; end of list -> summary
jz short loc_0_802D0F8
test byte ptr fwdebug, 81h ; per-device trace only with fwdebug bit 0 or bit 7
jz short loc_0_802D0CD
xor eax, eax
mov ax, [ebx+50h] ; zero-extended 16-bit field at dev+50h
push eax
mov eax, [ebx] ; dev->name
push eax
push esi
push offset aFwinstalloutIn ; "fwinstallout: interface %d: name=%s, fl"...
call fwkdebug_printf
add esp, 10h

loc_0_802D0CD: ; CODE XREF: fwinstallout+33 j
cmp esi, 3Fh ; keep going while index <= 63 (signed compare)
jle short loc_0_802D096
add esp, 0FFFFFFF8h
push 40h ; 64 = the limit reported in the message
push offset aFw1CanOnlyHand ; "FW-1: Can only handle %d interfaces\n"
call fwkdebug_printf
add esp, 10h
test edi, edi ; incomplete coverage is only reported on an install run
jz short loc_0_802D0F8
add esp, 0FFFFFFF4h
push offset aFw1NotAllInter ; "FW-1: Not all interfaces installed\n"
call fwkdebug_printf
add esp, 10h

; common exit: record the count, optional debug summary
loc_0_802D0F8: ; CODE XREF: fwinstallout+2A j
; fwinstallout+66 j
mov fw_nif, esi ; fw_nif = devices visited
test byte ptr fwdebug, 81h
jz short loc_0_802D124
add esp, 0FFFFFFFCh
mov eax, offset aUn ; "un" -> prints "uninstalled" when flag == 0
test edi, edi
jz short loc_0_802D118
mov eax, offset unk_0_80687E4 ; presumably "" for the install case (IDA left it unnamed)

loc_0_802D118: ; CODE XREF: fwinstallout+91 j
push eax
push esi
push offset aFw1DInterfaces ; "FW-1: %d interfaces %sinstalled\n"
call fwkdebug_printf

loc_0_802D124: ; CODE XREF: fwinstallout+85 j
lea esp, [ebp+var_18] ; ebp-18h = saved ebx; also discards the uncleaned args of the last call
xor eax, eax ; return 0
pop ebx
pop esi
pop edi
mov esp, ebp
pop ebp
retn
fwinstallout endp

输出二:

 

; ---------------------------------------------------------------------------
align 10h

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

;-----------------------------------------------------------------------
; int installout_on_device(dev, index, install)
;                                      (C-equivalent, inferred from the caller)
; (Un)hooks one device's transmit entry. Only the beginning of the routine
; is reproduced in this article: the excerpt ends at the "already
; installed" early exit. loc_0_802CF90 (the hook itself), loc_0_802CFD4
; (install == 0 path) and loc_0_802D074 (common exit) are not shown, and
; there is no endp line here.
; In:    arg_0 = dev, arg_4 = index (0..3Fh from fwinstallout), arg_8 = install flag
; Regs:  edi = dev, esi = index, ebx = flag, later index*16
; Local: var_4 = value returned by xmit_func_addr(dev): address of the
;        field FW-1 overwrites (per the author, dev->hard_start_xmit)
; Out:   eax = 6Ah on the "already installed" path; other returns not shown
; oftab: per-interface table with 16-byte entries; entry+4 non-zero means
;        an output filter is already installed for that index
;-----------------------------------------------------------------------
public installout_on_device
installout_on_device proc near ; CODE XREF: fwinstallout+1C p

var_18 = byte ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h

push ebp
mov ebp, esp
sub esp, 0Ch
push edi
push esi
push ebx
mov edi, [ebp+arg_0] ; edi = dev
mov esi, [ebp+arg_4] ; esi = interface index
mov ebx, [ebp+arg_8] ; ebx = install flag
add esp, 0FFFFFFF4h ; pad for a 16-byte-aligned 1-arg call
push edi
call xmit_func_addr ; eax = &dev's transmit-function slot (offset depends on kver)
mov [ebp+var_4], eax ; keep it for the (not shown) hook/unhook code
add esp, 10h
test ebx, ebx ; install flag == 0 -> uninstall path (outside this excerpt)
jz short loc_0_802CFD4
mov ebx, esi
shl ebx, 4 ; ebx = index * 16 = offset of this interface's oftab entry
cmp (oftab+4)[ebx], 0 ; entry already holds an output filter?
jz short loc_0_802CF90 ; no -> install it (outside this excerpt)
add esp, 0FFFFFFF4h
push offset aFw1OutputFilte ; "FW-1: Output filter already installed\n"
call fwkdebug_printf
mov eax, 6Ah ; return value 6Ah (106); meaning not recoverable from the excerpt
jmp loc_0_802D074 ; common exit, outside this excerpt

输出三:

; ---------------------------------------------------------------------------
align 8

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

;-----------------------------------------------------------------------
; void *xmit_func_addr(dev)             (C-equivalent, inferred from use)
; Returns dev + 0ACh, or dev + 0B0h when kver > 0Dh: the address of the
; field FW-1 overwrites for its output hook (per the author's text,
; dev->hard_start_xmit, which moved once during the 2.2 series).
; In:    arg_0 = dev
; Out:   eax = address of the field (not its contents)
; Clobb: edx, flags
; NOTE(review): kver is compared as a signed value (jle) and the two
; offsets are hard-wired; any other change to the device struct layout
; would make the hook overwrite the wrong field. A defender checking a
; 2.2 kernel for this kind of hook would compare each device's
; hard_start_xmit against the driver's own function.
;-----------------------------------------------------------------------
public xmit_func_addr
xmit_func_addr proc near ; CODE XREF: installout_on_device+16 p

arg_0 = dword ptr 8

push ebp
mov ebp, esp
mov edx, [ebp+arg_0] ; edx = dev
lea eax, [edx+0ACh] ; default: older layout, field at +0ACh
cmp kver, 0Dh ; kernel minor version <= 13 -> keep +0ACh
jle short loc_0_802CB5B
lea eax, [edx+0B0h] ; newer layout: field at +0B0h

loc_0_802CB5B: ; CODE XREF: xmit_func_addr+13 j
mov esp, ebp
pop ebp
retn
xmit_func_addr endp

FW1与linux的一些比较,可以参看参考文献【11】


    五 参考文献
    【1】了解Check Point FW-1状态表
http://magazine.nsfocus.com/detail.asp?id=538
    【2】A Stateful Inspection of FireWall-1
http://www.dataprotect.com/bh2000/
    【3】Linux IPCHAINS-HOWTO
http://www.linuxdoc.org
    【4】防火墙新生代:Stateful-inspection
http://www.liuxuan.com/safe/anquan/html/firewall/04.htm
    【5】netfilter站点上的文档
http://netfilter.kernelnotes.org
    【6】Application Gateways and Stateful Inspection: A Brief Note Comparing and Contrasting
http://www.avolio.com/apgw+spf.html
    【7】Internet Firewalls:Frequently Asked Questions
http://www.interhack.net/pubs/fwfaq
    【8】Writing a Module for netfilter
http://www.linux-mag.com/2000-06/gear_01.html
    【9】ipchains的源代码分析
http://www.lisoleg.net/lisoleg/network/ipchains.zip
    【10】内核防火墙netfilter入门
http://magazine.nsfocus.com/detail.asp?id=637
    【11】Check Point Firewall-1 on Linux, Part Two
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/checkpoint2.html

 

 
