Chapter 1 Introduction
This thesis describes the development of PacketScript, a framework that makes it possible to filter and manipulate network packets using the Lua scripting environment inside the Linux kernel. Filtering and manipulating network packets are important building blocks of today's computer networks. They are used to set up firewalls and to connect different computer networks using NAT (Network Address Translation). For Linux based computers, Netfilter provides a modular, extensible system inside the Linux kernel for intercepting and manipulating network packets. Various disciplines in Linux network programming, such as the development of new network protocols, extend Netfilter for debugging and testing. However, Linux kernel development is a difficult process, especially when it comes to testing and debugging the new kernel functionality.
1.1 Problem Description
In this thesis we will answer the question of how Lua can be embedded in Netfilter and show how Lua can be used inside Netfilter. More specifically we show how to load and unload Lua scripts, as well as how a Lua script accesses and modifies the different protocol headers and their fields. In order to demonstrate our design, we have successfully implemented a prototype of PacketScript.
1.2 Related Work
Kernelspace Lua. There are currently two projects focussing on porting Lua to the Linux kernel. Luak [3] aims at extending the kernel by loading a Linux kernel module. The project mainly contains one diff file, which is used to patch the Lua sources. The patch is quite simple: it essentially replaces function calls that are not available within the Linux kernel.
A more elaborate project is Lunatik, which extends the kernel by patching parts of the kernel, for example adding a new system call.
1.3 Thesis Outline
Chapter 1 sets the scope of the master thesis and points the reader to related work. In Chapter 2 we provide an overview of the Lua scripting environment and the development of Netfilter modules. Our main contribution, the design and implementation of the PacketScript prototype, is described in Chapter 3. This prototype is then used for performance evaluations, which are described and discussed in Chapter 4. Finally, in Chapter 5 we conclude this report.
Chapter 2 Background
In this chapter we provide background information about the technologies used in this project. While there are several books, papers, and presentations explaining these technologies in depth, we provide some general information and point the reader to the different references for further reading. Section 2.1 briefly describes the Netfilter framework as well as how it can be extended. Section 2.2 introduces the Lua scripting environment.
2.1 Netfilter
Netfilter is the component of the Linux kernel that is used when the network traffic needs to be inspected and/or manipulated. More specifically, Netfilter inserts five hooks into the networking stack (see Figure 2.1):
• PREROUTING: All packets traverse this hook. It is called before any routing decision is made, but after all IP header sanity checks have succeeded. Typically, Port Address Translation (PAT), the redirection of packets, as well as Destination Network Address Translation (DNAT) are implemented in the PREROUTING hook.
2.1.1 Userspace Plugin
The word “plugin” implies that there is a userspace application to be extended. In the case of PacketScript, the userspace tool iptables is extended by the PacketScript userspace plugin.
This is necessary in order for iptables to load the corresponding LKM into memory as well as for knowing the proper format to copy the provided parameters from userspace to the LKM. Additionally, the plugin may provide functionality for validating the parameters and for presenting information on the command line about the usage of the module. Xtables-addons also simplifies the development of the userspace plugin.
2.1.2 Linux Kernel Module
Once a rule is validated by the userspace plugin, the data is copied from userspace to the LKM. The LKM provides a checkentry function that is invoked whenever data has been copied to the LKM. Usually, this function does additional validation and some initialization work.
For the checkentry function to be called, the LKM must already be loaded. Loading and unloading is normally done by userspace tools such as modprobe and rmmod; in the Netfilter case, iptables may load the LKM automatically. The LKM provides a module_init function, which is automatically called when the LKM is loaded.
2.2 Lua
Lua is an imperative scripting language released under the MIT license (since version 5.1). It comes with a lightweight script interpreter written in ANSI C that can be easily embedded in any C program. This makes it possible to program an application partially in Lua. The Lua scripts used can be modified without recompiling the whole application, thus enabling a rapid development process. A very simple use case is the configuration of a program by a Lua script. More sophisticated is the ability to write a whole part of an application in Lua.
Several professional applications, such as Adobe Lightroom or Blizzard’s World of Warcraft, are partly developed in Lua [19].
2.2.1 Metatables
As mentioned before, Lua has some very expressive language constructs. One of these constructs is the metatable with its corresponding metamethods. Metatables provide Lua tables with "type" features that are typically only available for numbers and strings. Such features are arithmetic and relational operators, but also concatenation as well as methods to obtain the size and the string representation of a variable. Using metatables it is possible to define these operators for Lua tables as well. Having such operators for tables is quite useful, but they are mainly syntactic sugar that simplifies development. Besides these "common" operators, Lua provides a way to influence the normal behavior of a table when absent fields are queried or modified.
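The following Lua 5.1 script is an added example, not code from the thesis or from PacketScript, showing the two kinds of metatable features described above on a constructed "Packet" table type: operator metamethods (__concat, __eq, __lt, __tostring, __len) and the __index/__newindex hooks that intercept reads and writes of absent fields. The Packet type, its field names and the allowed-field check are assumptions made for illustration only.

```lua
-- Added example (not from the thesis): a "Packet" table type whose behavior
-- is defined entirely through a metatable. Field names are constructed.
local Packet = {}

-- Defaults handed out for absent fields; constructed values.
local defaults = { ttl = 64, proto = "ip" }

-- __index runs only when a key is absent from the table itself:
-- first look for a method in Packet, otherwise supply a default value.
Packet.__index = function(t, k)
  local method = Packet[k]
  if method ~= nil then return method end
  return defaults[k]
end

-- __newindex runs only when an absent key is assigned: reject unknown field
-- names so that a typo cannot silently create a new field on the packet.
local allowed = { payload = true, ttl = true, proto = true }
Packet.__newindex = function(t, k, v)
  if not allowed[k] then
    error("attempt to set unknown field '" .. tostring(k) .. "'", 2)
  end
  rawset(t, k, v)   -- bypass the metatable and store the value directly
end

-- Concatenation operator: joining two packets appends their payloads.
Packet.__concat = function(a, b)
  return Packet.new(a.payload .. b.payload)
end

-- Relational operators: packets are ordered by payload length.
-- Lua only uses these when both operands share the same metamethod.
Packet.__eq = function(a, b) return #a.payload == #b.payload end
Packet.__lt = function(a, b) return #a.payload <  #b.payload end

-- String representation used by tostring() and print().
Packet.__tostring = function(p)
  return string.format("Packet(len=%d, payload=%q)", #p.payload, p.payload)
end

-- Size operator. In Lua 5.1 the # operator honors __len only for userdata,
-- so an explicit len() method is provided as well; Lua 5.2+ calls __len
-- for tables too.
Packet.__len = function(p) return #p.payload end

function Packet.new(payload)
  local p = setmetatable({}, Packet)
  p.payload = payload      -- absent key: goes through __newindex, allowed
  return p
end

function Packet:len()
  return #self.payload
end

-- Usage: exercise each metamethod.
local a = Packet.new("GET ")
local b = Packet.new("/index")

local c = a .. b                  -- __concat
print(tostring(c))                -- __tostring
print(a < b, a == b)              -- __lt, __eq
print(c.proto, c.ttl, c:len())    -- __index: defaults and method lookup
c.ttl = 32                        -- __newindex: known field, stored
print(rawget(c, "ttl"))           -- raw read, no metamethod involved

-- A misspelled field name is caught instead of creating a stray field.
local ok, err = pcall(function() c.tll = 10 end)
print(ok, err)
```

The distinction between a raw access (rawget/rawset) and a metatable-mediated one is what makes __index and __newindex usable as guards: the hooks fire only for absent keys, so once a field exists, later reads and writes no longer pay for the lookup function.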
2.2.2 C API
Lua is designed to be embedded in C or C++ applications, but it has also been used to extend software developed in Java, C#, Smalltalk, Fortran, Ada and Erlang. Lua offers the developer a rich API enabling a strong integration with code written in other languages. Lua manages a global stack that is used for transferring parameters between Lua and C functions. As a result, Lua provides simple functions to push and pop most common C data types. Furthermore, calling Lua functions from C is also done using the stack.