Filtering Application Protocols in Linux

Question

I am trying to implement a mini firewall on my Linux machine that filters different layer protocols. So far, I have been successful in filtering packets up to the TCP layer using Netfilter. However, I am now trying to filter application protocols(Deep packet inspection), and I am facing issues.

I have tried using Netfilter to parse the TCP/UDP payload, but I am not able to get the content of the packets, It always shows the payload as 0 but in Wireshark I can see some data. I want to filter the packets before they enter the application layer.

Are there any other approaches to filtering application protocols in Linux that I can use in addition to Netfilter?

Program I tried to get the HTTP data: Unable to parse HTTP packet using netfilter hooks in kernel module

Answer 1

I test and write this code by using libpcap in C to capture and filter HTTP packets.

In Linux(Ubuntu 20.04) first install libpcap :

sudo apt install libpcap-dev 

Here's an example:

#include <stdio.h>
#include <pcap.h>

void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);

int main(int argc, char *argv[]) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *handle;
    struct bpf_program fp;
    bpf_u_int32 net, mask;

    // Step 1: Open the capture device
    handle = pcap_open_live("wlp5s0", BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Error opening device: %s\n", errbuf);
        return -1;
    }

    // Step 2: Compile and set the filter expression
    if (pcap_lookupnet("eth0", &net, &mask, errbuf) == -1) {
        fprintf(stderr, "Error getting netmask: %s\n", errbuf);
        net = 0;
        mask = 0;
    }

    if (pcap_compile(handle, &fp, "tcp port 80", 0, net) == -1) {
        fprintf(stderr, "Error compiling filter: %s\n", pcap_geterr(handle));
        return -1;
    }

    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Error setting filter: %s\n", pcap_geterr(handle));
        return -1;
    }

    // Step 3: Capture and process packets
    pcap_loop(handle, -1, process_packet, NULL);

    // Step 4: Cleanup
    pcap_freecode(&fp);
    pcap_close(handle);

    return 0;
}

void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
    printf("Received packet with length %d\n", header->len);

    // TODO: Parse the packet and extract the HTTP headers and content
}

Note:

I check ifconfig -a and put wlp5s0 you can add eth0 or others.

Answer 2

I discovered that Wireshark is able to decode HTTP packets, which explains why I can view the HTTP content in Wireshark but not in my program. Therefore, I will attempt to decode the HTTP from my program and have updated the code to print the HTTP data.

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>

#define PTCP_WATCH_PORT 80 /* HTTP port */

static struct nf_hook_ops nfho;
/* dump packet's data */
static void pkt_hex_dump(struct sk_buff *skb)
{
    size_t len;
    int rowsize = 16;
    int i, l, linelen, remaining;
    int li = 0;
    uint8_t *data, ch;
    struct iphdr *ip = (struct iphdr *)ip_hdr(skb);

    printk("Packet hex dump:\n");
    data = (uint8_t *)ip_hdr(skb);

    len = ntohs(ip->tot_len);

    remaining = len;
    for (i = 0; i < len; i += rowsize)
    {
        printk("%06d\t", li);
        linelen = min(remaining, rowsize);
        remaining -= rowsize;
        for (l = 0; l < linelen; l++)
        {
            ch = data[l];
            printk(KERN_CONT "%02X ", (uint32_t)ch);
        }
        data += linelen;
        li += 10;

        printk(KERN_CONT "\n");
    }
}
static unsigned int ptcp_hook_func(const struct nf_hook_ops *ops,
                                   struct sk_buff *skb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   int (*okfn)(struct sk_buff *))
{
    struct iphdr *iph;   /* IPv4 header */
    struct tcphdr *tcph; /* TCP header */
    u16 sport, dport;    /* Source and destination ports */
    u32 saddr, daddr;    /* Source and destination addresses */

    /* Network packet is empty, seems like some problem occurred. Skip it */
    if (!skb)
        return NF_ACCEPT;

    iph = ip_hdr(skb); /* get IP header */

    /* Skip if it's not TCP packet */
    if (iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;

    tcph = tcp_hdr(skb); /* get TCP header */

    /* Convert network endianness to host endiannes */
    saddr = ntohl(iph->saddr);
    daddr = ntohl(iph->daddr);
    sport = ntohs(tcph->source);
    dport = ntohs(tcph->dest);

    /* Watch only port of interest */
    if (sport != PTCP_WATCH_PORT)
        return NF_ACCEPT;

    printk("print_tcp: %pI4h:%d -> %pI4h:%d\n", &saddr, sport,
           &daddr, dport);

    pkt_hex_dump(skb);

    return NF_ACCEPT;
}

static int __init ptcp_init(void)
{
    int res;

    nfho.hook = (nf_hookfn *)ptcp_hook_func; /* hook function */
    nfho.hooknum = NF_INET_PRE_ROUTING;      /* received packets */
    nfho.pf = PF_INET;                       /* IPv4 */
    nfho.priority = NF_IP_PRI_FIRST;         /* max hook priority */

    res = nf_register_net_hook(&init_net, &nfho);
    if (res < 0)
    {
        printk("print_tcp: error in nf_register_hook()\n");
        return res;
    }

    printk("print_tcp: loaded\n");
    return 0;
}

static void __exit ptcp_exit(void)
{
    nf_unregister_net_hook(&init_net, &nfho);
    printk("print_tcp: unloaded\n");
}

module_init(ptcp_init);
module_exit(ptcp_exit);

MODULE_DESCRIPTION("Module for printing HTTP packet data");
MODULE_LICENSE("GPL");

Program output

wireshark logs: