基于Netfilter框架和IP Queue机制的轻量级网络防火墙实现

一般而言,要在Linux下开发防火墙的程序,需要对内核协议栈有深入的理解,并掌握内核协议栈代码的细节。这对普通开发者是非常有难度的。Netfilter是一个支持数据报过滤、数据报处理、NAT等功能的内核子系统框架。以Linux 2.6内核为基础。IP Queue机制是Linux内核在Netfilter框架的基础上提供的,是应用层上的机制,通过NetLink和内核进行交互,这使得开发一些用户态的防火墙应用成为可能。在此基础上,同时实现了一种基于Netfilter框架和IP Queue机制的轻量级防火墙。通过对比测试表明,由于设计清晰的模块架构、较强的可扩展性,本文实现的轻量级防火墙能够很好地达到实际要求,容易开发出更专业防火墙程序。

A Lightweight Network Firewall based on the Netfilter Framework and IP Queue Mechanism

In general,to develop a firewall program in Linux,it is required to have an in-depth understanding of the kernel protocol stack,and know the kernel protocol stack code’s details,which is very difficult to a general programmer.Netfilter framework is a sub system of the Linux kernel 2.4.it can be used to complete functions like data packets filtering,packets processing,NAT etc.Linux kernel 2.6 inherits this framework and improved it.This paper is based on the Linux kernel 2.6.IP Queue is based on Netfilter framework in Linux.It works on the application layer and communicates with kernel through NetLink,which could develop some firewall in the user space.On this basis,the paper designs a lightweight network firewall based on the Netfilter framework and IP Queue mechanism.By comparison test,it is indicated that due to clear module structure and strong scalability,the designed firewall could well reach the actual requirement and is easy to develop a more professional firewall program.