I installed an iptables module to match the Modbus protocol. It compiles and runs fine; I loaded the .ko module with insmod, and now when I type iptables -m modbus everything is fine so far, but when I try to run an iptables filter it does not work:
aa@ubuntu:~$ sudo iptables -A INPUT -p tcp -m modbus --unitid 11
iptables: Invalid argument. Run `dmesg' for more information.
aa@ubuntu:~$ dmesg
[ 3692.909462] ip_tables: modbus match: invalid size 0 != 40
I think this is a problem in the match function of my code. I looked into it, but I could not solve the problem. I only check the TCP header of my packet in MATCH:
    /*
     * Triggers when a packet comes in matching the register match
     */
    #include <linux/skbuff.h>
    #include <linux/ip.h>
    #include <linux/tcp.h>
    #include <linux/netfilter_ipv4/ip_tables.h>
    /* struct ipt_modbus, struct modbus_tcp and the *_check() helpers come
       from the module's own header, which is not shown here */

    static int match(const struct sk_buff *skb,
                     const struct net_device *in,
                     const struct net_device *out,
                     const void *matchinfo, int offset,
                     const void *hdr, u_int16_t datalen,
                     int *hotdrop)
    {
        const struct iphdr *iph;
        const struct tcphdr *tcph;
        u_int8_t tcplen;
        /* Examine the TCP header, which directly follows the IP header.
           "hdr" points to just after the IP header */
        const struct modbus_tcp *modbus;
        const struct ipt_modbus *modbusinfo = matchinfo;

        iph = ip_hdr(skb);
        tcph = (void *)iph + iph->ihl * 4;
        /* TCP header length calculation (doff is in 32-bit words) */
        tcplen = tcph->doff * 4;
        /* Map our structure onto the data part (the TCP payload) */
        modbus = hdr + tcplen;

        /* If the total length is just the IP and TCP headers, this
           should be part of the three-way handshake .. allow it if asked to */
        if (ntohs(iph->tot_len) == iph->ihl * 4 + tcplen) {
            if (modbusinfo->allow_tcp == 1)
                return 1;
            else
                return 0;
        } else {
            /* Return the "OR" of all the parameters given. If any
               of the given parameters is true, the whole thing is true */
            return (func_code_check(modbusinfo->funccode_flags,
                                    (modbus->modbus_d).func_code,
                                    modbusinfo->func_code[0], modbusinfo->func_code[1],
                                    modbusinfo->invflags_funccode) ||
                    unitid_check(modbusinfo->unitid_flags,
                                 (modbus->modbus_d).unit_id,
                                 modbusinfo->unit_id, modbusinfo->invflags_unitid) ||
                    refnum_check(modbusinfo->refnum_flags,
                                 (modbus->modbus_d).ref_num,
                                 modbusinfo->ref_num, modbusinfo->invflags_refnum) ||
                    length_check(modbusinfo->length_flags,
                                 (modbus->modbus_h).length,
                                 modbusinfo->length[0], modbusinfo->length[1],
                                 modbusinfo->invflags_length));
        }
    }
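As an added user-space model (not the poster's module code) of the header-offset logic in match() above: it reads the IPv4 and TCP header lengths, applies the same handshake test, and extracts the MBAP header from constructed packets; struct mbap, locate_modbus() and the two sample packets are assumptions. The "invalid size 0 != 40" check in dmesg is raised when the rule is loaded, before match() is ever called, so this only exercises the packet-offset logic.

```c
/* Added example (not from the original post): a user-space model of the
 * offset logic in match() so it can be tested without loading the module.
 * MBAP layout per Modbus/TCP: trans id, proto id, length (16-bit BE), unit id. */
#include <stddef.h>
#include <stdint.h>

struct mbap { uint16_t trans_id, proto_id, length; uint8_t unit_id, func_code; };
enum locate_result { LOC_BAD = -1, LOC_HANDSHAKE = 0, LOC_MODBUS = 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt points at the IPv4 header, len is the bytes available. Mirrors the
 * kernel match(): tcplen = doff*4 and the MBAP header sits right after the
 * TCP header. The IP header length comes from ihl rather than a fixed 20. */
enum locate_result locate_modbus(const uint8_t *pkt, size_t len, struct mbap *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return LOC_BAD;
    size_t iphl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot_len = be16(pkt + 2);
    if (iphl < 20 || tot_len > len || tot_len < iphl + 20) return LOC_BAD;
    size_t tcplen = (size_t)(pkt[iphl + 12] >> 4) * 4;
    if (tcplen < 20 || iphl + tcplen > tot_len) return LOC_BAD;
    if (tot_len == iphl + tcplen) return LOC_HANDSHAKE; /* no payload: SYN, ACK, ... */
    if (tot_len - iphl - tcplen < 8) return LOC_BAD;    /* need MBAP + function code */
    const uint8_t *m = pkt + iphl + tcplen;
    out->trans_id = be16(m); out->proto_id = be16(m + 2); out->length = be16(m + 4);
    out->unit_id = m[6]; out->func_code = m[7];
    return LOC_MODBUS;
}

/* Convenience for checks: unit id of a packet, or -1 when it carries no MBAP. */
int unit_id_of(const uint8_t *pkt, size_t len)
{
    struct mbap m;
    return locate_modbus(pkt, len, &m) == LOC_MODBUS ? m.unit_id : -1;
}

/* Constructed sample: IPv4 (20 B) + TCP with options (doff=8, 32 B)
 * + MBAP (7 B) + Read Holding Registers PDU (5 B); unit id 11, tot_len 64. */
const uint8_t MODBUS_PKT[64] = {
    0x45,0x00,0x00,0x40, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0xc0,0x00,0x01,0xf6, 0,0,0,0, 0,0,0,0, 0x80,0x18,0xff,0xff, 0,0,0,0,
    1,1,1,1,1,1,1,1,1,1,1,1,                   /* 12 bytes of TCP NOP options */
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x0b, 0x03, 0x00,0x00,0x00,0x0a };
/* Constructed sample: bare SYN, IPv4 (20 B) + TCP (20 B), no payload. */
const uint8_t SYN_PKT[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0xc0,0x00,0x01,0xf6, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };
```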