共3条
1/1 1 跳转至页
在Vxworks下实现NAT和Firewall[转帖]
Introduction
This paper details the concept of Network Address Translators (NAT) and firewalls and how they can be integrated in VxWorks.
TCP/IP stack in VxWorks
Wind River’s real-time operating system, VxWorks comes with a full-featured, BSD 4.4-compliant TCP/IP stack. It has complete routing support and is scalable, so developers can build products ranging from IP routing devices to full TCP/IP, SNMP-managed systems. Figure below shows the layered architecture of TCP/IP stack.
[upload=gif]UploadFile/200311241636324342.gif[/upload]
Working of the VxWorks' network stack
VxWorks allocates and initializes memory for the network stack at network initialization time. Out of this pre-allocated memory, the network stack uses the netBufLib routines to set up a memory pool. From this memory pool, the network stack gets the memory needed for data transfer.
The netBufLib routines deal with data in terms of mBlk structures, clBlk structures and clusters. The mBlk and clBlk structures provide information necessary to manage the data stored in clusters. The clusters, which come in different sizes, contain the data described by the mBlk and clBlk structures. By default, the VxWorks network stack creates six pools for clusters ranging in size from 64 bytes to 2048 bytes.
The mBlk structure is the primary vehicle through which you can access data in a memory pool. Because, the mBlk structure merely references the data, this lets network layers communicate data without actually having to copy the data. In addition, data can be chained using mBlks. Thus, you can pass an arbitrarily large amount of data by passing the mBlk at the head of an mBlk chain. Figure –2 shows the presentation of 2 packets to the TCP layer.
[upload=gif]UploadFile/2003112416364850259.gif[/upload]
Figure-2 Presentation of two packets to the TCP layer
To support chaining across multiple packets, the mBlk structure contains two members that support chaining. One member points to the next mBlk in the current packet. The other member points to the head mBlk in the next packet if any. The clBlk structure points to the cluster where the data is stored.
NAT and Firewall in VxWorks
The default TCP/IP stack that ships with VxWorks does not have firewalling and
network address translation capabilities. However, these features can be plugged into an existing TCP/IP stack in VxWorks.
Network Address Translators (NAT)
One of the most compelling problems facing the IP Internet is the depletion of IP addresses. Though there had been various solutions to overcome this catastrophe, the most promising among them has been the concept of "address reuse".
The address reuse solution is to place Network Address Translators (NAT) at the borders of stub domains. Each NAT box has a table consisting of pairs of local IP addresses and globally unique addresses. The IP addresses inside the stub domain are not globally unique. They are reused in other domains, thus solving the address depletion problem. The globally unique IP addresses are assigned according to current CIDR address allocation schemes.
To set up a NAT, one need to define which is the "internal" and the “external” interface. The "internal" interface is the network adapter connected to the network with private IP addresses, which needs to be changed for communicating with the Internet. The "external" interface is configured with a valid private (globally unique) Internet address.
For example, the internal interface might have an IP # of 10.1.1.1 and be connected to the Ethernet, whilst the external interface might be a PPP connection with an IP number of 216.103.197.12.
How NAT works?
NAT’s basic operation is as follows: At each exit point between a stub domain and a backbone, NAT is installed. When a host from within the stub domain wishes to communicate with a machine in the Internet, the NAT translates the private IP address of the local machine to its globally unique IP address.
[upload=gif]UploadFile/2003112416374418316.gif[/upload]
[align=right][color=#000066][此贴子已经被作者于2003-11-24 16:47:17编辑过][/color][/align]
关键词: Vxworks 实现 Firewall 转帖
In the scenario described in figure -3, when the local host sends a packet to a machine with the IP address 192.32.45.123, NAT replaces the source IP address in the packet (10.1.1.2), with its globally unique IP address (216.103.197.12) and transmits it. Since the source IP address has been modified in the packet, the response for this packet would be sent to the NAT. The NAT then replaces the destination IP address in the packet with the IP address of the local host and transmits the packet to the host in the stub domain. This address translation is totally transparent to the local host.
Network Address Port Translators (NAPT)
One of the drawbacks of the earlier solution is that the number of local machines that can be connected to the Internet simultaneously is limited to the availability of globally unique IP addresses in the NAT.
To overcome this limitation, the NAT can be extended further to enable port translations as well, apart from address translations. This is known as masquerading or Network Address Port Translation (NAPT).
In NAPT the port number of the local host in the TCP or UDP header is also translated before the packet is sent out of the stub domain to the Internet.
Consider the following scenario. Machine “Local Host A” from the local stub domain having an IP address of 10.1.1.2 sends a packet to a machine with 192.32.45.123 as its IP address. Let us assume that the local machine uses port 1034 to initiate a TCP session with the machine at 192.32.45.123. Hence the source port in the packet would be 1034 and the destination port number would be 80 (HTTP request).
Similarly, another machine from the local stub domain, say “Local Host B” with the IP address 10.1.1.3 initiates a TCP session to the machine at 192.32.45.123. Let the port that this machine uses to initiate this session be 1500. Hence the source port in the packet would be 1500 and the destination port number would be 80.
When the source address alone of both these packets is replaced with the unique IP address of the NAT (216.103.197.12), an ambiguity would arise while mapping the response packets. The NAT would not be able to determine whether the response packet is destined for “Local Host A” or for “Local Host B”.
To resolve this ambiguity, the source ports of the local machines are also translated before the packet is sent to the Internet. The port numbers that are used to replace the actual port numbers in the IP packet are unique for each session.
In the above scenario, the port number of “Local Host A” could be changed from 1034 to say 5001 and that of “Local Host B” could be modified to 5002. When the NAT receives the response packets, it would be able to determine by checking the destination port number in the IP packet. If the destination port number is 5001, the NAT could conclude that the packet was actually destined for “Local Host A”. Whereas if the destination port number in the response packet was 5002, the NAT could map the packet to “Local Host B” by replacing the destination IP address and the destination port number to 1034(the port number used by “Local Host B” to initiate this session).
Firewall
Any device that controls network traffic for security reasons can be called a firewall. A firewall puts up a barrier that controls the flow of traffic between networks. The most basic firewalls are built on routers and work in the lower layers of the network protocol stack. Packets are first checked and then either dropped or allowed to enter based on various rules and specified criteria.
Adding NAT and Firewall to the TCP/IP stack in VxWorks
To add NAT and firewall to an existing TCP/IP stack in VxWorks, one should manipulate IP packets at the exit point between a local stub domain and the Internet. IP packets can be captured by hooking into the TCP/IP stack.
The IP header and TCP/UDP headers can be stripped from the packet and checked against the firewall rules. Address translation needs to be performed on the packet before transmitting it to the Internet and before delivering it to the local network.
Packet capturing in VxWorks
VxWorks provides two hooks by which, we could capture packets in the network. These hooks are:
EtherHook
IpFilterHook
VxWorks provides two libraries using which these hooks could be implemented. The EtherHook can be implemented using etherLib and the IpFilterHook can be implemented using ipFilterLib.
EtherHook
The EtherHook provides direct access to raw Ethernet packets. Incoming and outgoing packets can be examined or processed using the hooks etherInputHookAdd() and etherOutputHookAdd().
etherInputHookAdd():
This function adds a routine to receive all Ethernet input packets.
Synopsis:
STATUS etherInputHookAdd()
(
FUNCPTR inputHook,
/*Routine to receive Ethernet input packets*/
Char* pName,
/*Name of device*/
Int uint
/*unit of device*/
)
his routine adds a hook routine (inputHook) that will be called for every Ethernet packet that is received.
The calling sequence of the input hook routine is:
BOOL inputHook
(
struct ifnet pIf,
/*interface packet was received on*/
char *buffer, /*received packet*/
int length
/*length of received packet*/
)
etherOutputHookAdd():
This function adds a routine to receive all Ethernet output packets.
Synopsis
STATUS etherOutputHookAdd
(
FUNCPTR outputHook
/*routine to receive Ethernet output*/
)
This routine adds a hook (outputHook) and this function would be called for every Ethernet packet that is transmitted. This routine is immediately called immediately before transmission.
The calling sequence of the output hook routine is:
BOOL outputHook
(
struct ifnet pIf,
/*interface packet will be sent on*/
char *buffer,
/* packet to transmit*/
int length
/*length of packet to transmit*/
)
After the processing the Ethernet packet, both the hook routines should either return true or false. The hook should return true if it has handled the packet and no further action should be taken with it. It should return false if normal processing of the packet should take place.
IpFilterHook
The IpFilterHook provides direct access to IP packets. The input hook can be used to receive, examine and process raw IP packets that are part of IP (Internet Protocol) protocols. This hook can be added using the IpFilterHookAdd() function that is provided in the ipFilterLib library.
ipFilterHookAdd():
Synopsis
STATUS ipFilterHookAdd
(
FUNCPTR IpFilterHook
/*routine to receive raw ip packets*/
)
This routine adds a hook routine that will be called for every IP packet that is received. The filter hook function will be executed in the context of tNetTask, which runs at priority 50.
The calling sequence of the filter hook routine is:
BOOL IpFilterHook
(
struct ifnet *pIf,
/*interface packet was received on*/
struct mbuf **pPtrMbuf,
/*pointer to pointer to an mbuf chain*/
struct ip **pPtrIpHdr,
/*pointer to pointer to IP header*/
int ipHdrLen
/* IP packet header length*/
The hook routine should return TRUE if it has handled the input packet and no further action should be taken with it. If returning TRUE the ipFilterHook is responsible for freeing the mbuf chain by calling m_freem(*pPtrMbuf). If the IpFilterHook returns false, normal IP processing continues i.e., options processing, IP checksum computation etc.
PtrIpHdr is a pointer to a pointer to a IP header. The pointer to the ip header is obtained by de-referencing pPtrIpHdr. The ip header is used to examine and process the fields in the ip header. The fields ip_len, ip_id and ip_offset in the ip header are converted to the host byte order from the network byte order before a packet is handed to the filter hook.
Our solution to NAT and Firewall
Given the two possible solutions for NAT in VxWorks, our solution to NAT and firewall is by using the IpFilterHook.
Why not EtherHook?
There are a couple of disadvantages in using the ether hook. They are:
Only certain VxWorks network drivers support ether hooks
Requires IP checksum adjustment: If ether hooks are used, the packet is manipulated below the IP layer. Hence the IP checksum has to be adjusted accordingly. This is not required if the ipFilterHook is used as the IP layer performs this IP checksum computation once the packet is returned to the IP stack from the hook routine.
Packet manipulation for NAT and Firewall
Once the hook routine gets the IP packet, the NAT should strip the IP header and the TCP/UDP headers from the packet. The protocol field in the IP header of the packet is used to determine whether it is a TCP or a UDP packet. Fire walling and address translation is performed based on the information obtained from the headers.
The NAT uses a mapping table to perform address translations. Whenever a machine in the local network initiates a new session is initiated, the NAT dynamically adds a new entry to the mapping table. This entry is used to perform address translation
A typical mapping table used for NAT would look like the following:
NAT Mapping Table
Real Src IP addr
Real Src port
Dest IP addr
Dest port
NAT IP addr
NAT port
Manipulating outgoing packets:
Since the firewall rules are based on local IP numbers, outgoing packets are checked against the firewall rules before performing address translation. If the firewall rules allow the packet to be transmitted, the local IP address (private IP address) is replaced by the globally unique IP address of the NAT and the source port number in the packet is replaced by a unique port number assigned by NAT for this session.
The NAT first checks the mapping table to find an entry corresponding to this session. If such a mapping exists, the NAT replaces the source IP address and the source port number in the packet with the “NAT IP address” and the “NAT port number” specified in this mapping entry. If such a mapping is not available for this session, NAT creates one and uses it for address translation. Since the IP address and the source port number have been modified in the packet, the TCP/UDP checksum has to be recomputed accordingly.
Manipulating incoming packets:
For an incoming packet, address translation is done before checking it against the firewall rules. The NAT looks for an entry in the mapping table by comparing the destination IP, destination port, NAT IP and NAT port in the mapping table with the source IP, source port number, destination IP and destination port number in the IP packet. NAT replaces the destination IP address in the packet with the “Real Src Ip addr” entry and the destination port number with the “Real Src port” entry. Since the destination IP address and the port number have been modified, the TCP/UDP checksum is adjusted before sending the packet to the appropriate host in the local domain.
Conclusion
Even though the Network stack in VxWorks lacks NAT and Firewall modules, we can add them using the filter hook. Our small footprint implementation of NAT and Firewall modules when tested performed well.
(The End)
共3条
1/1 1 跳转至页
回复
有奖活动 | |
---|---|
【有奖活动】分享技术经验,兑换京东卡 | |
话不多说,快进群! | |
请大声喊出:我要开发板! | |
【有奖活动】EEPW网站征稿正在进行时,欢迎踊跃投稿啦 | |
奖!发布技术笔记,技术评测贴换取您心仪的礼品 | |
打赏了!打赏了!打赏了! |
打赏帖 | |
---|---|
与电子爱好者谈读图二被打赏50分 | |
【FRDM-MCXN947评测】Core1适配运行FreeRtos被打赏50分 | |
【FRDM-MCXN947评测】双核调试被打赏50分 | |
【CPKCORRA8D1B评测】---移植CoreMark被打赏50分 | |
【CPKCORRA8D1B评测】---打开硬件定时器被打赏50分 | |
【FRDM-MCXA156评测】4、CAN loopback模式测试被打赏50分 | |
【CPKcorRA8D1评测】--搭建初始环境被打赏50分 | |
【FRDM-MCXA156评测】3、使用FlexIO模拟UART被打赏50分 | |
【FRDM-MCXA156评测】2、rt-thread MCXA156 BSP制作被打赏50分 | |
【FRDM-MCXN947评测】核间通信MUTEX被打赏50分 |