Reproduced Content: Understanding Web Article Sourcing and Its Implications

In order to better manage network traffic in the Linux system, kernel marks are used to identify network traffic. This results in user-level marks being used for multi-line load balancing, where the two types of marks overwrite each other and do not achieve the desired result. In this situation, research has found that the mark module can be extended to resolve this conflict.
  1 Analysis of Iptables Structure and Command Format
  1.1 Analysis of Iptables Structure
  Iptables is a tool provided by the Linux system for configuring firewalls. It offers a named rule set. In Linux, the core module of the iptables firewall is netfilter, which is responsible for maintaining the firewall’s rule chain and implementing the firewall’s security defense capabilities. Netfilter has three main functions: packet filtering, network address translation (NAT), and packet mangling (mangle). The function of the packet filtering module is to filter messages without modification, or to accept or reject them. NAT is network address translation, which is based on the connection tracking module, only matching and processing the first packet of each connection, and then handing it over to the connection tracking module to apply the processing result to all subsequent packets of the connection. Mangle is an iptable that belongs to packet content modification; modifiable packet contents include mark, TOS, TTL, etc. This module also has an interface for user space and kernel communication.
  1.2 Analysis of Iptables Command Format
  A simple rule can be described as denying all forwarded packets, which can be represented by the iptables command as: iptables -A FORWARD -j DROP. The iptables application converts command-line input into a format readable by the program, and then calls the iptc_commit() function provided by the libiptc library to submit the operation request to the kernel. It sets a struct ipt_replace structure to describe the information about the tables and HOOK points involved in the rule and then appends the current rule, a struct ipt_entry structure. After organizing this data, iptc_commit() calls the setsockopt() system call to initiate core processing of the request.
  2 Analysis of Netfilter Structure
  Netfilter is the kernel firewall framework in the Linux system, primarily performing packet filtering, connection tracking, and address translation functions, serving as the foundation of the firewall. It mainly works through tables and chains. In netfilter, each network protocol has its own set of hook functions. When the datagram passes through several critical points in the protocol stack, hook functions are called, passing hook function identifiers and protocol stack datagrams as parameters to the netfilter framework. Its main framework is shown in Figure 1:
  3 Analysis of Related Modules and Attributes for Netfilter and Iptables
  3.1 Structures Related to Netfilter
  A major conceptual revision of Netfilter is designing it as a protocol-independent framework, reflected in the establishment of a separate net/netfilter directory in the kernel structure tree, where matching and target module file names begin with “xt_”.
  To be compatible with iptables, these files have been given a new macro definition: module_alias, to represent module aliases. All extension programs’ names also begin with xt.
  Netfilter extension program framework:
  Xt_kzmark.c:
  Static unsigned int kzmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
  Static int kzmark_tg_check(const struct xt_tgchk_param *par)
  Static void kzmark_tg_destroy(const struct xt_tgdtor_param *par)
  Static bool kzmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
  Static int kzmark_mt_check(const struct xt_mtchk_param *par)
  Static void kzmark_mt_destroy(const struct xt_mtdtor_param *par)
  Static struct xt_target kzmark_tg_reg __read_mostly = {}
  Static struct xt_match kzmark_mt_reg __read_mostly = {}
  Static int __init kzmark_mt_init(void)
  {int ret;
  Need_ipv4_conntrack();
  ret = xt_register_target(&kzmark_tg_reg);
  ret = xt_register_match(&kzmark_mt_reg);}
  Static void __exit kzmark_mt_exit(void)
  {xt_unregister_match(&kzmark_mt_reg);
  xt_unregister_target(&kzmark_tg_reg);}   Module_init(kzmark_mt_init);
  Module_exit(kzmark_mt_exit);
  3.2 Extensions Related to Iptables
  Iptables is an application that allows users to configure stateful firewalls. Its implementation is done by extensions, similar to plugins, which can effectively extend the functionality of iptables. Iptables are integrated modularly, with all functionalities implemented in modules. For example, a simple configuration item is: -m state, where -m is a match, and state is a module of the match. For the -m match, there are many other optional modules. In the iptables structure, modules and module names are related. The iptables code for this extension, libxt_kzmark.c, libxt_KZMARK.c, must be placed in the extension folder.
  Program framework of the match module:
  Libxt_kzmark.c:
  Static const struct option kzmark_opts[] = {};
  Static void parse_range(const char *arg, struct xt_kzmark_mtinfo *si)
  Static int kzmark_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match)
  Static void kzmark_print(const void *ip, const struct xt_entry_match *match, int numeric)
  Static void kzmark_save(const void *ip, const struct xt_entry_match *match)
  Static struct xtables_match kzmark_match = {// Todo something};
  Void _init(void)
  {Xtables_register_match(&kzmark_match);}
  4 Program Usage and Effects
  Use of kzmark:
  Iptables -A INPUT -d 192.168.1.11/32 -m kzmark -j DROP
  Use of KZMARK:
  Iptables -A INPUT -d 192.168.1.11/32 -j KZMARK –set-mark 3000
  Testing on the above modules showed favorable results. Netfilter/iptables can extend new match modules well, but require users to write programs in a certain way, focusing attention on the specific implementation of functionality without considering other factors. In the actual implementation, modification is based on ready-made match modules, allowing completion of coding without understanding the internal structure definitions, making netfilter/iptables a good example of modular program implementation worth promoting.