Netfilter Linux Kernel IPv4 IPv6 Ethernet iptables IPv4 ip6tables IPv6 ebtables Ethernet API Kernel

Netfilter(iptables) Winny/Share @

IPP2P P2P Netfilter edonkey emule Kademlia KaZaA FastTrack Gnutella Direct Connect BitTorrent extended BT AppleJuice WinMX SoulSeek Ares AresLite (1): BitTorrent AppleJuice WinMx SoulSeek Ares iptables -A FORWARD -m ipp2p --bit --apple --winmx --soul --ares -j DROP (2): IPP2P P2P iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 Winny Share

: BitTorrent 198.51.100.65 -> 203.0.113.38 UDP Source port: 64297 Destination port: 21903 0000 00 a0 de 30 02 e9 52 54 00 04 74 25 08 00 45 00 0010 00 74 fc 49 00 00 80 11 e1 f6 ac 1f 02 c9 7d 0e 0020 30 42 fb 29 55 8f 00 60 de e8 01 00 0a dd 0b f3 0030 55 55 e3 67 02 30 00 38 00 00 2c d7 35 dd 13 42 0040 69 74 54 6f 72 72 65 6e 74 20 70 72 6f 74 6f 63 0050 6f 6c 00 00 00 00 00 10 00 05 53 c7 fe 82 4b 9a 0060 c2 a6 b8 c4 84 b8 6a da fe 6e 46 b1 18 89 4d 37 0070 2d 32 2d 31 2d 2d b9 62 24 77 06 d8 f4 d7 63 53 0080 69 85 203.0.113.38 -> 198.51.100.65 BitTorrent protocol UDP Source port: 21903 Destination port: 64297 0000 52 54 00 04 74 25 00 a0 de 30 02 e9 08 00 45 00 0010 03 77 0c 71 00 00 71 11 dd cc 7d 0e 30 42 ac 1f 0020 02 c9 55 8f fb 29 03 63 2d 80 01 00 0a dc 28 8c 0030 f9 2a 1c 99 5e ed 00 03 20 00 35 de 2c d7 13 42 0040 69 74 54 6f 72 72 65 6e 74 20 70 72 6f 74 6f 63 0050 6f 6c 00 00 00 00 00 10 00 05 53 c7 fe 82 4b 9a

Winny 198.51.100.65 -> 203.0.113.38 TCP 1323 > 4526 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 203.0.113.38 -> 198.51.100.65 TCP 4526 > 1323 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 198.51.100.65 -> 203.0.113.38 TCP 1323 > 4526 [ACK] Seq=1 Ack=1 Win=65535 Len=0 198.51.100.65 -> 203.0.113.38 TCP 1323 > 4526 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=11 0030 ff ff 8f ee 00 00 79 18 a5 38 5e ed 83 1e 6d 8d 0040 5b 203.0.113.38 -> 198.51.100.65 TCP 4526 > 1323 [PSH, ACK] Seq=1 Ack=12 Win=64240 Len=11 0030 fa f0 e4 66 00 00 df a3 b2 17 26 bf bd 1d ff dd 0040 04

Share 198.51.100.65 -> 203.0.113.38 TCP 1295 > 1234 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 203.0.113.38 -> 198.51.100.65 TCP 1234 > 1295 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 198.51.100.65 -> 203.0.113.38 TCP 1295 > 1234 [ACK] Seq=1 Ack=1 Win=131072 Len=0 203.0.113.38 -> 198.51.100.65 TCP 1234 > 1295 [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=158 0000 52 54 00 04 74 25 52 54 00 17 ed ce 08 00 45 00 0010 00 c6 06 c5 40 00 80 06 06 61 7b 7b 7b 0a 7b 7b 0020 7b 0b 30 39 05 0f ba 78 61 a8 bf 18 25 d1 50 18 0030 80 00 5f d8 00 00 ae 3e c6 36 ef 73 05 8e fa ff 0040 0f 3a 9b 2b 4b 28 5b 34 82 4d 6b 87 ac 53 55 df 0050 ec 3e 1c 5c be 58 6d 50 47 5f f9 f1 27 be 91 56 0060 d6 45 59 a8 bb b9 78 bc 13 09 98 40 af ce 47 8d

: Winny/Share Seq PC1:1234 PC2:2345 123456 Winny : : : PC 1 Syn Ack Linux Syn/Ack PC 2 Seq = 123457 Winny/Share

Netfilter Conntrack TCP UDP Netfilter FTP PPTP GRE NAT ESTABLISHED NEW nf_conntrack sk_buff iptables

: Winny/Share Seq PC1:1234 PC2:2345 123456 Winny : : : nf_conntrack_ipp2p Winny/Share PC 1 Syn Linux ipt_ipp2p --winny/--share Ack Syn/Ack Seq = 123457 PC 2 --winny/--share : nf_conntrack_ipp2p

nf_conntrack_ipp2p static struct nf_conntrack_helper ipp2p read_mostly; static int init nf_conntrack_ipp2p_init(void) { arc4 = crypto_alloc_blkcipher("ecb(arc4)", 0, CRYPTO_ALG_ASYNC);. sha1 = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC); ipp2p.tuple.src.l3num = PF_INET; ipp2p.tuple.src.u.tcp.port = htons(0); ipp2p.tuple.dst.protonum = IPPROTO_TCP; ipp2p.expect_policy = &ipp2p_exp_policy; ipp2p.me = THIS_MODULE; ipp2p.help = help; ipp2p.name = ipp2p_name; ret = nf_conntrack_helper_register(&ipp2p); } module_init(nf_conntrack_ipp2p_init); module_exit(nf_conntrack_ipp2p_fini);

nf_conntrack_ipp2p static int help(struct sk_buff *skb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { int dir = CTINFO2DIR(ctinfo); struct nf_ct_ipp2p_master *ct_ipp2p_info = &nfct_help(ct)->help.ct_ipp2p_info; if (ntohl(th->seq) == ct_ipp2p_info->seq + 1) { switch (datalen) { case 11: if (winny_test(data)) ct_ipp2p_info->flag = NF_CT_IPP2P_WINNY; break; case 158: if (share_test(data, ntohs(th->source))) ct_ipp2p_info->flag = NF_CT_IPP2P_SHARE; break; } } }

: Winny RC4 Linux Kernel Crypto API ARC4 11 3 6 7 11 0x0100000061 Winny u8 *key = &data_head[2]; u8 *data = &data_head[6]; crypto_blkcipher_setkey(arc4, key, 4); sg_init_one(&sgi, data, 5); sg_init_one(&sgo, buf, 5); crypto_blkcipher_decrypt(&cdesc, &sgo, &sgi, 5); if (buf[0] == 0x01 && buf[1] == 0x00 && buf[2] == 0x00 && buf[3] == 0x00 && buf[4] == 0x61) ret = 1;

: Share TCP 2 SHA1 20 20 CFB Cipher FeedBack RC6 4 0x02000000 Share crypto_hash_init(&hdesc); sg_init_one(&sg, (u8 *)&port, 2); crypto_hash_update(&hdesc, &sg, 2); crypto_hash_final(&hdesc, hash); share_inits(s, hash); share_decrypt_cfb(data, buf, s); if (buf[0] == 0x02 && buf[1] == 0x00 && buf[2] == 0x00 && buf[3] == 0x00) ret = 1;

ipt_ipp2p static bool match_ct(const struct sk_buff *skb, const struct ipt_p2p_info *info) { enum ip_conntrack_info ctinfo; struct nf_conn * ct = nf_ct_get(skb, &ctinfo); struct nf_conn_help * help = nfct_help(ct); if (info->cmd & IPP2P_WINNY && help->help.ct_ipp2p_info.flag == NF_CT_IPP2P_WINNY) return true; if (info->cmd & IPP2P_SHARE && help->help.ct_ipp2p_info.flag == NF_CT_IPP2P_SHARE) return true; return false; } static bool match(const struct sk_buff *skb, struct xt_action_param *par) { if (match_ct(skb, par->matchinfo)) return true;

: static struct nf_conntrack_helper * nf_ct_helper_find(const struct nf_conntrack_tuple *tuple) { struct nf_conntrack_helper *helper; + struct nf_conntrack_tuple tuple_tmp; h = helper_hash(tuple); hlist_for_each_entry_rcu(helper, n, &nf_ct_helper_hash[h], hnode) { if (nf_ct_tuple_src_mask_cmp(tuple, &helper->tuple, &mask)) return helper; } + tuple_tmp = *tuple; tuple_tmp.src.u.tcp.port = htons(0); + h = helper_hash(&tuple_tmp); + hlist_for_each_entry_rcu(helper, n, &nf_ct_helper_hash[h], + hnode) { + if (nf_ct_tuple_src_mask_cmp(&tuple_tmp, + &helper->tuple, &mask)) + return helper; + } return NULL;

: static u8 *ipp2p_buf; static DEFINE_SPINLOCK(nf_ipp2p_lock); static int help(struct sk_buff *skb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { spin_lock_bh(&nf_ipp2p_lock); data = skb_header_pointer(skb, off, len, ipp2p_buf); if (ntohl(th->seq) == ct_ipp2p_info->seq + 1) { switch (len) { case 11: if (winny_test(data)) ct_ipp2p_info->flag = NF_CT_IPP2P_WINNY; break; case 158: if (share_test(data, ntohs(th->source))) ct_ipp2p_info->flag = NF_CT_IPP2P_SHARE; break; } }

1: Vyatta Vyatta Vyatta Linux Vyatta Vyatta : : Vyatta Principal Engineer Stephen Hemminger : OpenBSD

2: Interop Ed. Con. Vyatta 6 10 ( ) 10:20-11:50 Interop Vyatta Vyatta Vyatta

NF_HOOK net/ipv4/ip_input.c: int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL, ip_rcv_finish); net/ipv4/ip_forward.c: int ip_forward(struct sk_buff *skb) { return NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev, ip_forward_finish);

NF_HOOK NF_INET_PRE_ROUTING [routing] NF_INET_LOCAL_IN NF_INET_FORWARD [routing] NF_INET_LOCAL_OUT NF_INET_POST_ROUTING

NF_INET_PRE_ROUTING [routing] NF_INET_LOCAL_IN NF_INET_FORWARD [routing] NF_INET_LOCAL_OUT NF_INET_POST_ROUTING

nf_hooks struct list_head[][] : [IPV4][PRE_ROUTING] [IPV4][LOCAL_IN] [IPV4][FORWARD] [IPV4][LOCAL_OUT] [IPV4][POST_ROUTING] : [IPV6][PRE_ROUTING] [IPV6][LOCAL_IN] [IPV6][FORWARD] [IPV6][LOCAL_OUT] [IPV6][POST_ROUTING] : struct nf_hook_ops hook : priority hook : priority = ipv4_conntrack_in = -200 struct nf_hook_ops hook : priority = iptable_mangle_hook = -150 struct nf_hook_ops hook : priority = iptable_filter_hook = 0 struct nf_hook_ops = iptable_mangle_hook = -150

NF_INET_PRE_ROUTING ipv4_conntrack_in, iptable_mangle_hook, nf_nat_in. NF_INET_LOCAL_IN iptable_mangle_hook, iptable_filter_hook, nf_nat_fn, ipv4_confirm. NF_INET_FORWARD iptable_mangle_hook, iptable_filter_hook. NF_INET_LOCAL_OUT ipv4_conntrack_local, iptable_mangle_hook, nf_nat_local_fn, iptable_filter_hook. NF_INET_POST_ROUTING iptable_mangle_hook, nf_nat_out, ipv4_confirm.