
Thread: Functions of kernel in Linux network

  #1 (Join Date Jul 2010, Posts 93)

    Functions of kernel in Linux network

    The purpose of this guide is to explore the various networking options offered by the Linux kernel. The hardware-independent network functions (protocol stacks, filter lists, etc.) are grouped under the Networking and Networking Options menu. The network device drivers are available under the Device Drivers menu and then Network device support.


    1. Packet Socket

    This feature is used to receive and send raw packets on the network devices without going through a network protocol implemented in the kernel. Some programs, such as tcpdump, use this option. The term "socket" refers to the programming interface through which network resources of the kernel can be accessed. A socket is created with the following system call:

    Code:
    int socket(int family, int type, int protocol);
    The 'family' identifies which network protocol you want to work with. All available families are listed in the file /usr/include/linux/socket.h. The type defines the transport protocol (TCP or UDP). A new socket family associated with this feature is also available, namely AF_PACKET.


    IO mapped

    This option uses a faster input-output mechanism.

    Example 1. Using the packet socket

    Code:
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <arpa/inet.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>
    #include <net/if.h>
    #include <linux/if_ether.h>
    #include <linux/if_packet.h>

    int main(void)
    {
        int sock_fd;
        struct sockaddr_ll sll;
        struct ifreq ifr;
        char buffer[2000];
        int nb_octet;

        /* A raw packet socket needs CAP_NET_RAW (normally root). */
        if ((sock_fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) == -1) {
            perror("socket");
            return -1;
        }

        /* Look up the interface index of eth0. */
        memset(&ifr, 0, sizeof(ifr));
        strncpy(ifr.ifr_name, "eth0", sizeof(ifr.ifr_name) - 1);

        if (ioctl(sock_fd, SIOCGIFINDEX, &ifr) == -1) {
            perror("ioctl SIOCGIFINDEX");
            return -1;
        }

        /* Bind the socket to that interface so only its frames are received. */
        memset(&sll, 0, sizeof(sll));
        sll.sll_family = AF_PACKET;
        sll.sll_ifindex = ifr.ifr_ifindex;
        sll.sll_protocol = htons(ETH_P_ALL);

        if (bind(sock_fd, (struct sockaddr *)&sll, sizeof(sll)) == -1) {
            perror("bind");
            return -1;
        }

        /* Read one complete frame, Ethernet header included. */
        nb_octet = recvfrom(sock_fd, buffer, sizeof(buffer), 0, NULL, NULL);
        printf("Number of bytes received: %d\n", nb_octet);
        close(sock_fd);
        return 0;
    }

    2. Kernel / User netlink socket

    Kernel / User netlink socket: defines a new socket family, AF_NETLINK. This socket allows bidirectional communication between the kernel and user space. This option is required to use the iproute2 tool, which allows configuring the network part of the kernel. In addition to this socket, communication from a user process can also be achieved by reading or writing character special files. These are special files with major number 36, located in the /dev directory.


    Routing Messages

    The kernel provides routing information via the file /dev/route, with major number 36 and minor number 0.


    Netlink device emulation

    Provides compatibility with older features. This option is slated to disappear.


    3. Socket Filtering

    This feature allows user-mode programs to set up filters on sockets. It makes it possible to allow or forbid certain types of data passing through a socket. This feature is derived from the Berkeley Packet Filter.

  #2 (Join Date Jul 2010, Posts 93)

    Re: Functions of kernel in Linux network

    4. Unix domain socket

    Allows the use of UNIX domain sockets. X Window and syslog are examples of programs that use this type of functionality. UNIX sockets only allow local communication on a single machine. Binding this type of socket creates a file. The family name associated with the Unix domain socket is AF_UNIX.

    Example 2. Using the UNIX socket

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/un.h>

    int main(void)
    {
        int socket_unix, len;
        struct sockaddr_un local;

        if ((socket_unix = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
            perror("socket");
            exit(1);
        }

        memset(&local, 0, sizeof(local));
        local.sun_family = AF_UNIX;
        strncpy(local.sun_path, "/tmp/test_socket_unix", sizeof(local.sun_path) - 1);
        unlink(local.sun_path);                 /* remove a stale socket file from an earlier run */
        len = strlen(local.sun_path) + sizeof(local.sun_family);

        if (bind(socket_unix, (struct sockaddr *)&local, len) == -1) {
            perror("bind");
            exit(1);
        }

        system("ls -l /tmp/");                  /* the socket file now shows up with type 's' */

        unlink(local.sun_path);
        close(socket_unix);
        return 0;
    }

    5. TCP / IP networking
    1. Multicasting

      Allows sending packets to several computers simultaneously. This functionality is used, for example, for streaming audio and video.
    2. Advanced Router

      By default, the routing decision is made by examining the destination address. By enabling this option, routing can be controlled much more precisely and the routing decision may be based on many other criteria.

      policy routing

      Allows replacing the conventional routing table, based on destination addresses, with the Routing Policy Database (RPDB). This database is an ordered list of rules that examine certain packet characteristics:
      • source address
      • destination address
      • TOS
      • packet mark
      • input interface


      If a packet matches the specifications of a rule, the corresponding action is performed. The standard action is to provide the IP address of the next hop.

      Example 3. Example of NAT

      Consider a router with a LAN 192.168.1.0/24 on one side and, on the other, a public network (200.200.200.0/24, for example) with Internet connectivity. We want a machine on the LAN (192.168.1.1, for example) to be known by the address 200.200.200.10 on the Internet.

      Code:
      $ ip route add nat 200.200.200.10 via 192.168.1.1
      $ ip rule add prio 300 from 192.168.1.1 nat 200.200.200.10
      Equal cost multipath

      With this option, you can specify several alternative routes that packets can take. The router considers all these routes to be of equal cost and chooses one of them non-deterministically when a matching packet arrives.

      Example 4. Example of multiple paths

      Consider a router with two PPP links. We want outgoing packets to be able to use either the ppp0 or the ppp1 interface as the default route.

      Code:
      $ ip route add default scope global nexthop dev ppp0 nexthop dev ppp1
      use TOS value as routing key

      The header of an IP packet contains an 8-bit field named Type Of Service. In this field, there are three flags identifying the type of delivery desired: low delay, high throughput and high reliability. This allows choosing between, for example, a high-bandwidth satellite link with a long delay and a leased line with low throughput but low delay. This option uses the value of the TOS field in the list of rules.

      Example 5. Example of usage of the TOS field when routing

      Purpose: all packets marked with the TOS "high throughput" (0x08) (e.g. data transfer via FTP) must take an ISDN link.

      Code:
      $ ip rule add tos 0x08 prio 100 table 10
      $ ip route add default dev ippp0 table 10
      verbose route monitoring

      Allows the display of messages about routing.

      large routing tables

      If the routing table has more than 64 entries, it is preferable to select this option to speed up routing.
    3. Kernel Level Autoconfiguration
      This option lets you configure the IP addresses of devices and the routing table at boot time. The information required for this configuration is provided either on the command line or via DHCP, BOOTP or RARP. The information is passed through the kernel parameter ip. This option is mainly used for setting up diskless client workstations that need to mount the root filesystem via NFS. For more information, see the file Documentation/nfsroot.txt in the kernel sources.

      Example 6. Example of IP configuration at startup

      Code:
      LILO: linux ip=192.168.1.1::192.168.1.254:255.255.255.0:linuxbox:eth0:none
    4. Optimize as router not host
      Removes certain checks when the kernel receives a packet. Where Linux is mainly used as a router, that is, a machine that only forwards packets, this improves switching speed.
    5. Tunneling
      Tunneling allows encapsulating one network protocol in another network protocol. This option allows IP-in-IP encapsulation. This can be used to connect two networks with private addresses, which are not routable through the Internet.
    6. GRE tunnels over IP
      GRE is a tunneling protocol originally developed by Cisco, and it can do more than an IP-in-IP tunnel. For example, multicast traffic and IPv6 can also be transported through a GRE tunnel.
    7. TCP Explicit Congestion Notification support
      Feature that allows routers to notify clients of network congestion.
    8. TCP syncookie support
      Protects against an attack called SYN flooding.
    9. Allow large windows (not recommended if <16 MB of memory)
      Sets larger buffers in which data is stored before being sent to the destination host.
    10. Network packet filtering (replaces ipchains)
      This option activates packet filtering on the Linux machine. Filtering allows selective blocking of IP traffic based on, for example, source or destination.

      Netfilter Configuration - Opens a new menu for configuring the filter. It allows adding features; here is a list of the most important:
      • Connection tracking (required for masq / NAT)
        This option allows implementing so-called stateful filtering. This technique keeps, in a state table, a record of the "communications in progress". This makes it possible to distinguish traffic between peer hosts in transmission and reception. This option is essential for using address translation mechanisms.
      • Connection mark tracking support
        This option enables support for marking connections. This support is necessary for the connmark match and the CONNMARK target.
      • IP tables support (required for filtering / masq / NAT)
        This option sets up the general framework for filtering, masquerading or address translation of packets.
      • limit match support
        Limits the rate at which a rule matches.

        Example 7. Limiting ICMP

        Purpose: limit "ping" requests to 1 packet per second.
        Code:
        # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
      • IP range match support
        Allows specifying a range of source or destination addresses.

        Example 8. Matching a range of source IP addresses

        Purpose: accept forwarding of all packets whose source address is between 192.168.1.1 and 192.168.1.10
        Code:
        # iptables -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.10 -j ACCEPT
        Example 9. Matching a range of destination IP addresses

        Purpose: accept forwarding of all packets whose destination address is between 192.168.1.1 and 192.168.1.10
        Code:
        # iptables -A FORWARD -m iprange --dst-range 192.168.1.1-192.168.1.10 -j ACCEPT
      • MAC address match support
        Allows filtering based on the MAC addresses of Ethernet frames.

        Example 10. Packet filtering on MAC address

        Purpose: block the packets from a specific MAC address.
        Code:
        # iptables -A INPUT -m mac --mac-source 00:A0:24:A0:A4:11 -j DROP
      • Packet type match support
        Allows matching on the packet type: unicast, multicast or broadcast.

        Example 11. Logging broadcast packets

        Code:
        # iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
      • netfilter MARK match support
        Allows filtering based on the mark of a packet. Marking a packet is done with the MARK target.

        Example 12. Packet filtering after marking

        Purpose: block the packets destined for the local web server, using packet marking.
        Code:
        # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
        # iptables -A INPUT -m mark --mark 2 -j DROP
      • Multiple port match support
        Allows specifying a set of TCP or UDP source or destination ports.

        Example 13. Packet filtering on multiple source ports

        Purpose: block access from source ports 3000 and 4000.
        Code:
        # iptables -A INPUT -p tcp -m multiport --source-ports 3000,4000 -j DROP
      • TOS match support
        Allows filtering based on the value of the packet's TOS field.

        Example 14. Example of filtering based on the value of the TOS field

        Purpose: mark packets that have the TOS Minimize-Delay flag set. This mark can then be used for routing packets.
        Code:
        # iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 1
      • recent match support
        Allows filtering based on the presence of an address in a list.

        Example 15. Example of filtering based on the presence of an address in a list

        Purpose: FIXME
        Code:
        # iptables -A FORWARD -m recent --rcheck --seconds 60 -j DROP
        # iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
      • ECN match support
        RFC 3168 defines a mechanism for congestion notification. This mechanism uses bits 7 and 8 of the Type Of Service field of the IPv4 header and defines two new flags in the TCP header. These flags are named CWR for Congestion Window Reduced and ECE for ECN-Echo.

        Example 16. Example of filtering based

        Purpose: FIXME
        Code:
        # iptables
      • LENGTH match support
        Allows filtering based on the length, in bytes, of the IP packet.

        Example 17. Example of filtering based on packet length

        Purpose: drop ICMP echo-request packets whose length is greater than 84 bytes
        Code:
        # iptables -A FORWARD -p icmp --icmp-type echo-request -m length ! --length :84 -j DROP
      • tcpmss match support
        Allows filtering based on the value of the TCP Maximum Segment Size (MSS) option.

        Example 18. Example of filtering based on the MSS option

        Purpose: allow packet transmission when the TCP MSS is less than 1400.
        Code:
        # iptables -A OUTPUT -o ppp0 -p tcp -m tcpmss --mss 0:1400 -j ACCEPT
      • Connection tracking match support
        Enables the conntrack match module. This option allows finer granularity in tracking connections.

        Example 19. Example of packet filtering using advanced connection tracking

        Purpose: allow packets belonging to an established TCP connection.
        Code:
        # iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED --ctproto tcp -j ACCEPT
      • Owner match support
        Allows filtering based on the identifier of the local process that created the packet. This option can be used in the OUTPUT chain.
      • Physdev match support
        Where the machine is configured as a bridge between two Ethernet networks, this option identifies the physical interface on which packets arrive, or through which they must leave.

        Example 20. Example of filtering based on the physical output interface of packets

        Purpose: log the packets going out on interface eth0 of an Ethernet bridge.
        Code:
        # iptables -A FORWARD -m physdev --physdev-out eth0 -j LOG --log-level 7
      • Full NAT
        This option enables support for source address translation (SNAT) and destination address translation (DNAT).

        The MASQUERADE target support suboption enables the use of masquerading as a source address translator.

        The REDIRECT target support suboption enables redirecting packets to the local machine. This target is used to set up transparent proxies.

        The NETMAP target support suboption enables the NETMAP target. This target can redirect traffic destined for hosts on one network to hosts on another network.

        The SAME target support suboption enables the SAME target. This target handles the special case of source address translation where several addresses may be used. With this target, the same source address is used for all packets of the same connection.

        Example 21. Example of source address translation

        Purpose: hide the source address of outgoing packets on interface eth0 behind the address 200.200.200.1.
        Code:
        # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.200.200.1
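
The Unix domain socket of item 4, as an added example that is not part of the original post: it binds a filesystem AF_UNIX stream socket with the two checks Example 2 leaves out, a length check on the path instead of a plain strcpy into sun_path, and a SO_PEERCRED query so the server learns from the kernel who connected before it trusts the peer. The private mkdtemp() directory under /tmp, the "hello" message and the peer_cred struct name are assumptions made for the example.

```c
/* Added example for item 4 (Unix domain socket); written for this page, not
 * taken from the original post. It binds a filesystem AF_UNIX stream socket
 * with the two checks Example 2 above leaves out: the path is length-checked
 * instead of strcpy'd into sun_path, and the server asks the kernel who is on
 * the other end (SO_PEERCRED) before trusting the connection. The socket file
 * lives in a private mkdtemp() directory under /tmp (an assumption) so the
 * directory mode, not just the socket file mode, limits who can connect. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Same layout as struct ucred from <sys/socket.h> (glibc exposes that name
 * only under _GNU_SOURCE); the kernel fills in pid, uid and gid of the peer. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Fill sa for path, refusing anything sun_path would silently truncate.
 * Returns the length for bind()/connect(), or -1 with errno = ENAMETOOLONG. */
int unix_addr(struct sockaddr_un *sa, const char *path)
{
    size_t n = strlen(path);
    if (n >= sizeof(sa->sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n + 1);
    return (int)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Check the truncation guard with a path one byte too long for sun_path. */
int unix_addr_rejects_overlong(void)
{
    struct sockaddr_un sa;
    char path[sizeof(sa.sun_path) + 1];
    memset(path, 'a', sizeof(path) - 1);
    path[sizeof(path) - 1] = '\0';
    return unix_addr(&sa, path) == -1 && errno == ENAMETOOLONG;
}

/* Bind a listener, connect a client from this same process (a UNIX stream
 * connect() completes as soon as it is queued, so no fork is needed), accept
 * it and return the uid the kernel reports for the peer, or -1 on error. */
int peer_uid_demo(void)
{
    char dir[] = "/tmp/unixsock.XXXXXX";
    char path[64];
    struct sockaddr_un sa;
    struct peer_cred cred;
    socklen_t credlen = sizeof(cred);
    mode_t old_umask;
    int len, srv = -1, cli = -1, conn = -1, uid = -1;
    char buf[16];

    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return -1; }
    snprintf(path, sizeof(path), "%s/sock", dir);
    if ((len = unix_addr(&sa, path)) == -1) { perror("unix_addr"); goto out; }

    if ((srv = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { perror("socket"); goto out; }
    old_umask = umask(0077);             /* socket file is created 0700 */
    if (bind(srv, (struct sockaddr *)&sa, len) == -1) { perror("bind"); umask(old_umask); goto out; }
    umask(old_umask);
    if (listen(srv, 1) == -1) { perror("listen"); goto out; }

    if ((cli = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { perror("socket"); goto out; }
    if (connect(cli, (struct sockaddr *)&sa, len) == -1) { perror("connect"); goto out; }
    if (send(cli, "hello", 5, 0) != 5) { perror("send"); goto out; }

    if ((conn = accept(srv, NULL, NULL)) == -1) { perror("accept"); goto out; }
    /* Identity comes from the kernel, not from anything the peer sent. */
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cred, &credlen) == -1) {
        perror("SO_PEERCRED");
        goto out;
    }
    if (cred.uid != getuid()) { fprintf(stderr, "unexpected peer uid %u\n", cred.uid); goto out; }
    if (recv(conn, buf, sizeof(buf), 0) != 5) { perror("recv"); goto out; }
    printf("peer pid=%ld uid=%u gid=%u said %.5s\n", (long)cred.pid, cred.uid, cred.gid, buf);
    uid = (int)cred.uid;
out:
    if (conn != -1) close(conn);
    if (cli != -1) close(cli);
    if (srv != -1) close(srv);
    unlink(path);
    rmdir(dir);
    return uid;
}

int main(void)
{
    return peer_uid_demo() == -1 ? 1 : 0;
}
```

Two points worth keeping in mind from this: sun_path is a fixed 108-byte array, so a path copied without a length check is silently cut short and the socket ends up at a different name than intended; and the peer credentials returned by SO_PEERCRED are recorded by the kernel at connect() time, which makes them a far better basis for an authorization decision than anything the client writes into the stream.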
