GitHub - zdianjiang/netfilter_url_l7_filtering: Netfilter userland plugin for L7 URL filtering (school project, not for real-life use!)

zdianjiang / netfilter_url_l7_filtering Public

Notifications You must be signed in to change notification settings
Fork 2
Star 0

Netfilter userland plugin for L7 URL filtering (school project, not for real-life use!)

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 72 Commits
base		base
presentation		presentation
report		report
COPYING		COPYING
Makefile		Makefile
README		README
classifier.cc		classifier.cc
classifier.h		classifier.h
conntrack.cc		conntrack.cc
conntrack.h		conntrack.h
packet.cc		packet.cc
packet.h		packet.h
queue.cc		queue.cc
queue.h		queue.h
rules.example		rules.example
urlfilter.cc		urlfilter.cc

Repository files navigation

An url-based http/ftp filtering extension for NetFilter.

Licensing:
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 2 of the License, or
  (at your option) any later version.

  It is based on code from the following projects:
    libnetfilter-queue (svn-r7519), released under GPLv2 license
    libnetfilter-conntrack (svn-r7519), released under GPLv2 license
    l7-filter (userspace-0.4), released under GPLv2 license
    google-perftools (0.79), released under modified BSD license
    google-psvm (1.0), released under Apache License 2.0
    boost library, released under Boost Software License

  All third-party code used in this program is either licensed in GPLv2 by the
  author, or released with a GPLv2-compatible license.

Authors:
  This program was written by S. Jacob, J. Whitbeck and V. Zanotti as part of
  an university project at TELECOM ParisTech (http://www.enst.fr/).

Purpose:
  This program offers url filtering capabilities for http and ftp connections.
  Based on the NFQUEUE netfilter mechanism, it can intercept, parse, and
  classify http and ftp connections using user-defined rules.

  Although the classifier will resist to many bypass tricks (such as packet
  fragmentation), it was not designed to handle tcp packet re-ordering, and
  bypass by using HTTP's KeepAlive connections.

Dependencies:
  libnetfilter-queue (http://www.netfilter.org/projects/libnetfilter_queue/)
  libnetfilter-conntrack (http://www.netfilter.org/projects/libnetfilter_conntrack/)
  in-kernel support for nf_conntrack, nfnetlink, nfnetlink_queue, and nf_conntrack_netlink
  kernel >= 2.6.18
  google-gflags (http://code.google.com/p/google-gflags/)
  Boost regex library

  How to install dependencies on Debian:
    apt-get libnetfilter-conntrack-dev libnetfilter-queue-dev libboost-regex-dev
    wget http://google-gflags.googlecode.com/files/libgoogle-gflags-dev_0.8-1_i386.deb
    wget http://google-gflags.googlecode.com/files/libgoogle-gflags0_0.8-1_i386.deb
    dpkg -i libgoogle-gflags-dev_0.8-1_i386.deb libgoogle-gflags0_0.8-1_i386.deb

  How to install dependencies on Fedora Core:
    yum install libnetfilter_conntrack-devel libnetfilter_queue-devel boost-devel
    wget http://google-gflags.googlecode.com/files/gflags-devel-0.8-1.i386.rpm
    wget http://google-gflags.googlecode.com/files/gflags-0.8-1.i386.rpm
    yum --nogpgcheck localinstall gflags-devel-0.8-1.i386.rpm gflags-0.8-1.i386.rpm

  How to install dependencies on Gentoo:
    echo "dev-cpp/gflags ~amd64" >> /etc/portage/package.keywords
    emerge -va net-libs/libnetfilter_queue net-libs/libnetfilter_conntrack dev-cpp/gflags dev-libs/boost

Urlfilter configuration / usage:
  Basically, it should be used as "urlfilter --rules <path/to/the/rules>".
  Rules are each written on their own line; lines starting with "#" are comments.
  The basic rule format is:
    mark=<mark> proto=<ftp|http> [method=<method> | method_re=<method regex>] [url=<url regex> | url_maxsize=<size>]

  Where:
    - regex are standard unix regex (ex: ^.*\.pdf^ to match pdf urls);
    - method is the method used in the protocol (GET/POST/PUT/...);
    - when url_maxsize is used, urls whose size is above this size will be marked;
    - mark is the NFQUEUE mark that will be put on packets, for later use by iptables (cf. infra).

  See rules.example for examples of rules.

Netfilter/iptable configuration example:
  A basic iptables configuration could be:
    # Redirects all packets to and from port 80 to the urlfilter.
    iptables -A FORWARD -m tcp -p tcp --dport 80 -j NFQUEUE --queue-num 0
    iptables -A FORWARD -m tcp -p tcp --sport 80 -j NFQUEUE --queue-num 0

    # Matches mark on post-filter (let us suppose that 0-2 is no match,
    # 3 is url above 255 chars, and 4 is url ending with .pdf).
    # We have to use a chain downstream to the initial matching rule
    # (mangle/POSTROUTING is after filter/FORWARD).
    iptables -t mangle -A POSTROUTING -m mark --mark 3 -j LOG --log-prefix "Url too long "
    iptables -t mangle -A POSTROUTING -m mark --mark 4 -j REJECT