CN108200026A - The method that rst blocking packets are sent based on ipv6 - Google Patents


Info

Publication number: CN108200026A
Authority: CN (China)
Prior art keywords: ipv6, packets, buff, packet, new
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201711438899.5A
Other languages: Chinese (zh)
Inventor: 杨庆新
Current assignee: Shandong Huaruan Goldencis Software Co Ltd
Original assignee: Shandong Huaruan Goldencis Software Co Ltd
Priority date: 2017-12-27
Filing date: 2017-12-27
Publication date: 2018-06-22

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L49/00 Packet switching elements
    • H04L49/20 Support for services
    • H04L49/208 Port mirroring

Abstract

A method of sending RST blocking packets based on IPv6, including the following steps: a) register a packet capture function; b) the system determines whether the packet is a forwarded packet; c) obtain the IPv6 fixed header structure; d) locate the position of the TCP header in the obtained IPv6 packet; e) in the captured sk_buff structure, obtain the addresses of its eth, ipv6 and tcp headers, duplicate a new sk_buff with the skb_copy_expand function, obtain the addresses of the eth, ipv6 and tcp headers of the new sk_buff, and assemble the new sk_buff. Sending RST packets based on IPv6 makes blocking of IPv6 data flows simpler and more effective: in an IPv6 data communication, sending a single RST packet is enough to interrupt the entire communication. The customer's network environment is not affected; the switch only needs a simple port mirroring configuration, and no other switch configuration needs to be modified. When blocking of a target machine is no longer desired, it is enough to stop sending blocking packets for that IP; the target machine does not need to be restarted.

Description

The method that rst blocking packets are sent based on ipv6
Technical field
The present invention relates to the field of network data transmission, and in particular to a method of sending RST blocking packets based on IPv6.
Background technology
IPv4 addresses are increasingly scarce and have reached the stage of exhaustion, so the spread of IPv6 is an inevitable trend, and network security based on IPv6 is increasingly worth researching and controlling. In an IPv6 network environment, practical applications often need to control the traffic of certain IPv6 addresses or ports: legitimate traffic is allowed through and illegitimate traffic is blocked, and the blocked traffic can be handled with the technique of sending blocking packets based on IPv6. Sending RST packets to block data is a fairly simple, brute-force approach. When we open a website, multiple network data transfers and interactions usually take place, and a complete website is displayed only once all of these data have been transferred; therefore blocking efficiency is low.
Invention content
To overcome the above deficiency, the invention provides a method of sending RST blocking packets based on IPv6 that blocks IPv6 data flows simply and effectively.
The technical solution adopted by the invention to overcome its technical problem is:
A method of sending RST blocking packets based on IPv6, including the following steps:
A) register a packet capture function and obtain IPv6 packets;
B) the system checks whether the pkt_type field of the sk_buff structure of the intercepted IPv6 packet indicates a forwarded packet; if so, it is a traffic packet obtained through switch port mirroring; if not, the packet is discarded;
C) obtain the IPv6 fixed header structure of the captured IPv6 packet with the ipv6_hdr function;
D) locate the position of the TCP header in the captured IPv6 packet with the ipv6_hdr and ipv6_skip_exthdr functions of the Linux system;
E) in the captured sk_buff structure, obtain the addresses of its eth, ipv6 and tcp headers; duplicate a new sk_buff with the skb_copy_expand function, obtain the addresses of the eth, ipv6 and tcp headers of the new sk_buff, and assemble the new sk_buff according to steps f) to i);
F) set the saddr and daddr fields of the IPv6 header of the new sk_buff to the values of the daddr and saddr fields of the IPv6 header of the original sk_buff; set the payload_len field of the IPv6 header of the new sk_buff to the sum of the IPv6 extension headers and the application data;
G) set the source and dest fields of the TCP header of the new sk_buff to the values of the dest and source fields of the TCP header of the original sk_buff; set the 32-bit acknowledgement number of the TCP header of the new sk_buff to the sum of the 32-bit sequence number of the TCP header of the original sk_buff and the application-layer data; set the rst and ack flag bits of the TCP header of the new sk_buff to 1 and all other flag bits to 0; recalculate the TCP checksum with the csum_ipv6_magic function;
H) set the Ethernet header of the new sk_buff: the h_source field of the new eth header is set to the MAC address of the network card device, and the h_dest field of the new eth header is set to the MAC address of the switch;
I) set the pkt_type field of the new sk_buff to PACKET_OUTGOING and call the dev_queue_xmit function to send the newly built sk_buff.
Further, in step a) above an nf_hook_ops structure is registered with the nf_register_hook function of the netfilter framework; the pf field of the nf_hook_ops structure is set to PF_INET6, meaning that only IPv6 packets are captured (to capture IPv4 packets, PF_INET would be set); the hook field is set to the address of the packet capture callback function; hooknum is set to NF_INET_PRE_ROUTING.
Further, in step a) above a packet_type structure is registered on the network protocol stack with the dev_add_pack function provided by the Linux kernel to capture IPv6 packets; the type field of the packet_type structure is set to ETH_P_IPV6, meaning that only IPv6 packets are captured; the dev field is set to NULL; func is set to the address of the callback function.
The beneficial effects of the invention are as follows: sending RST packets based on IPv6 makes blocking of IPv6 data flows simpler and more effective, and in an IPv6 data communication sending a single RST packet is enough to interrupt the entire communication. The customer's network environment is not affected; the switch only needs a simple port mirroring configuration, and no other switch configuration needs to be modified. When blocking of a target machine is no longer desired, it is enough to stop sending blocking packets for that IP; the target machine does not need to be restarted.
Specific embodiment
The present invention is further described below.
A method of sending RST blocking packets based on IPv6, including the following steps:
A) Register a packet capture function and obtain IPv6 packets.
B) The system checks whether the pkt_type field of the sk_buff structure of the intercepted IPv6 packet indicates a forwarded packet; if so, it is a traffic packet obtained through switch port mirroring; if not, the packet is discarded.
C) Obtain the IPv6 fixed header structure of the captured IPv6 packet with the ipv6_hdr function.
D) Locate the position of the TCP header in the captured IPv6 packet with the ipv6_hdr and ipv6_skip_exthdr functions of the Linux system. The nexthdr field of the IPv6 fixed header indicates the type of the header that immediately follows the fixed header, either an extension header (if any) or an upper-layer protocol header (such as TCP or UDP). This is one way in which building an RST message differs from IPv4: in a message of the IPv4 protocol the total length of the IP layer is recorded in the tot_len field of the IP header, whereas in a message of the IPv6 protocol the length of the IP layer is variable and no field of the IPv6 fixed header records the total length of the IP layer, so the ipv6_skip_exthdr function provided by Linux is needed to locate the TCP header.
E) In the captured sk_buff structure, obtain the addresses of its eth, ipv6 and tcp headers; duplicate a new sk_buff with the skb_copy_expand function, obtain the addresses of the eth, ipv6 and tcp headers of the new sk_buff, and assemble the new sk_buff according to steps f) to i).
F) Set the saddr and daddr fields of the IPv6 header of the new sk_buff to the values of the daddr and saddr fields of the IPv6 header of the original sk_buff, that is, the source and destination IP addresses of the original IPv6 packet are swapped. Set the payload_len field of the IPv6 header of the new sk_buff to the sum of the IPv6 extension headers and the application data, which does not include the fixed-length IPv6 header.
G) Set the source and dest fields of the TCP header of the new sk_buff to the values of the dest and source fields of the TCP header of the original sk_buff, that is, the source and destination ports of the original TCP header are swapped. Set the 32-bit acknowledgement number of the TCP header of the new sk_buff to the sum of the 32-bit sequence number of the TCP header of the original sk_buff and the application-layer data; the acknowledgement number here is in network byte order, and if the byte order is wrong the packet will be discarded by the destination machine. Set the rst and ack flag bits of the TCP header of the new sk_buff to 1 and all other flag bits to 0, and recalculate the TCP checksum with the csum_ipv6_magic function.
H) Set the Ethernet header of the new sk_buff: the h_source field of the new eth header is set to the MAC address of the network card device, and the h_dest field of the new eth header is set to the MAC address of the switch. The source MAC of the original eth header is not used here, which means the packet is sent to the switch, and the switch performs the next forwarding step.
I) Set the pkt_type field of the new sk_buff to PACKET_OUTGOING. At this point the new sk_buff is fully assembled, and the dev_queue_xmit function is then called to send the newly built sk_buff.
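As an added example (not the patent's or the inventor's code), the user-space equivalent of steps c) to g): it walks the IPv6 extension-header chain to find the TCP header, since the fixed header has no total-length field, then builds the RST with swapped addresses and ports, an acknowledgement number equal to the captured sequence number plus the application-data length, only the RST and ACK flags set, and a checksum recomputed over the IPv6 pseudo-header. It assumes the outgoing RST carries no extension headers (so payload_len is just the TCP header) and sets the RST's own sequence number to the captured acknowledgement number, which the text does not specify; the kernel-side sk_buff handling, Ethernet header and dev_queue_xmit of steps e), h) and i) are left out, the sample packet is constructed, and all names (ipv6_tcp_offset, tcp6_checksum, build_rst6, sample_packet) are the example's own.

```c
/* Added example, not the patent's code: user-space twin of steps c) to g). */
#include <stdint.h>
#include <string.h>
#define IP6_HLEN 40
#define TCP_HLEN 20
/* Follow the nexthdr chain past extension headers (hop-by-hop 0, routing 43,
 * fragment 44, AH 51, destination options 60) as ipv6_skip_exthdr does; return
 * the TCP header offset, or -1 if not TCP, a later fragment, or truncated.
 * IPv6 has no IPv4-style tot_len, so only this walk fixes where TCP starts. */
static int ipv6_tcp_offset(const uint8_t *p, size_t len) {
    if (len < IP6_HLEN) return -1;
    uint8_t nh = p[6]; size_t off = IP6_HLEN, hlen;
    while (nh == 0 || nh == 43 || nh == 44 || nh == 51 || nh == 60) {
        if (off + 8 > len) return -1;
        if (nh == 44) { if (((p[off + 2] << 8) | p[off + 3]) & 0xfff8) return -1; hlen = 8; }
        else if (nh == 51) hlen = ((size_t)p[off + 1] + 2) * 4;   /* AH: 32-bit units */
        else hlen = ((size_t)p[off + 1] + 1) * 8;                 /* others: 8-byte units */
        nh = p[off]; off += hlen;
    }
    return (nh == 6 && off + TCP_HLEN <= len) ? (int)off : -1;
}
/* One's-complement sum over the IPv6 pseudo-header + TCP segment (csum_ipv6_magic twin). */
static uint16_t tcp6_checksum(const uint8_t *ip6, const uint8_t *tcp, size_t n) {
    uint32_t sum = (uint32_t)n + 6;                          /* length, next header = TCP */
    for (size_t i = 8; i < IP6_HLEN; i += 2) sum += (ip6[i] << 8) | ip6[i + 1]; /* src, dst */
    for (size_t i = 0; i + 1 < n; i += 2) sum += (tcp[i] << 8) | tcp[i + 1];
    if (n & 1) sum += tcp[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Steps f) and g): addresses and ports swapped, ack = captured seq + data length,
 * only RST|ACK set, checksum recomputed. The RST carries no extension headers, so
 * its payload_len is just the TCP header. Returns bytes written, or -1. */
static int build_rst6(const uint8_t *p, size_t len, uint8_t *out, size_t cap) {
    int toff = ipv6_tcp_offset(p, len);
    if (toff < 0 || cap < IP6_HLEN + TCP_HLEN) return -1;
    const uint8_t *tcp = p + toff;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                /* captured TCP header length */
    if (doff < TCP_HLEN || (size_t)toff + doff > len) return -1;
    uint32_t seq = ((uint32_t)tcp[4] << 24) | (tcp[5] << 16) | (tcp[6] << 8) | tcp[7];
    uint32_t ack = seq + (uint32_t)(len - toff - doff);      /* seq + application data */
    uint8_t *ip6 = out, *r = out + IP6_HLEN;
    memset(out, 0, IP6_HLEN + TCP_HLEN);
    ip6[0] = 0x60; ip6[5] = TCP_HLEN; ip6[6] = 6; ip6[7] = 64;  /* v6, payload_len, TCP, hops */
    memcpy(ip6 + 8, p + 24, 16); memcpy(ip6 + 24, p + 8, 16);   /* saddr <-> daddr */
    memcpy(r, tcp + 2, 2); memcpy(r + 2, tcp, 2);               /* source <-> dest */
    memcpy(r + 4, tcp + 8, 4);         /* RST seq = captured ack (RFC 793; assumption) */
    r[8] = ack >> 24; r[9] = ack >> 16; r[10] = ack >> 8; r[11] = ack;
    r[12] = (TCP_HLEN / 4) << 4; r[13] = 0x14;      /* data offset 5; RST 0x04 | ACK 0x10 */
    uint16_t c = tcp6_checksum(ip6, r, TCP_HLEN); r[16] = c >> 8; r[17] = c & 0xff;
    return IP6_HLEN + TCP_HLEN;
}
/* Constructed sample: [2001:db8::1]:50000 -> [2001:db8::2]:80, one dst-options ext header, PSH|ACK, 5 data bytes. */
static size_t sample_packet(uint8_t *buf) {
    static const uint8_t pkt[] = {
        0x60, 0, 0, 0, 0x00, 0x21, 60, 64,        /* payload_len 33, nexthdr dstopts, hop 64 */
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,
        6, 0, 1, 4, 0, 0, 0, 0,                   /* dstopts: next TCP, hdrlen 0, PadN(4) */
        0xc3, 0x50, 0x00, 0x50, 0, 0, 0x10, 0, 0, 0, 0x20, 0,   /* ports, seq, ack */
        0x50, 0x18, 0x10, 0, 0, 0, 0, 0,          /* doff 5, PSH|ACK, window, csum 0, urgent */
        'h', 'e', 'l', 'l', 'o' };
    memcpy(buf, pkt, sizeof pkt); return sizeof pkt;
}
```

Feeding the sample through build_rst6 yields a 60-byte packet whose TCP checksum verifies to zero and whose acknowledgement number is 0x1005 (captured seq 0x1000 plus 5 data bytes); a packet whose nexthdr is not TCP is rejected with -1.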
Sending RST packets based on IPv6 makes blocking of IPv6 data flows simpler and more effective: in an IPv6 data communication, sending a single RST packet is enough to interrupt the entire communication. The customer's network environment is not affected; the switch only needs a simple port mirroring configuration, and no other switch configuration needs to be modified. When blocking of a target machine is no longer desired, it is enough to stop sending blocking packets for that IP; the target machine does not need to be restarted.
Embodiment 1:
In step a), an nf_hook_ops structure is registered with the nf_register_hook function of the netfilter framework. The pf field of the nf_hook_ops structure is set to PF_INET6, meaning that only IPv6 packets are captured (to capture IPv4 packets, PF_INET is set instead); the hook field is set to the address of the packet capture callback function; hooknum is set to NF_INET_PRE_ROUTING, meaning that a packet passes through our packet capture callback before it enters the routing decision.
Embodiment 2:
In step a), a packet_type structure is registered on the network protocol stack with the dev_add_pack function provided by the Linux kernel to capture IPv6 packets. The type field of the packet_type structure is set to ETH_P_IPV6, which has a meaning similar to the pf field of nf_hook_ops: only IPv6 packets are captured. The dev field is set to NULL, where NULL acts as a wildcard so that packets from all network interfaces are captured; func is set to the address of the callback function.

Claims (3)

  1. A method of sending RST blocking packets based on IPv6, characterized in that it includes the following steps:
    A) register a packet capture function and obtain IPv6 packets;
    B) the system checks whether the pkt_type field of the sk_buff structure of the intercepted IPv6 packet indicates a forwarded packet; if so, it is a traffic packet obtained through switch port mirroring; if not, the packet is discarded;
    C) obtain the IPv6 fixed header structure of the captured IPv6 packet with the ipv6_hdr function;
    D) locate the position of the TCP header in the captured IPv6 packet with the ipv6_hdr and ipv6_skip_exthdr functions of the Linux system;
    E) in the captured sk_buff structure, obtain the addresses of its eth, ipv6 and tcp headers; duplicate a new sk_buff with the skb_copy_expand function, obtain the addresses of the eth, ipv6 and tcp headers of the new sk_buff, and assemble the new sk_buff according to steps f) to i);
    F) set the saddr and daddr fields of the IPv6 header of the new sk_buff to the values of the daddr and saddr fields of the IPv6 header of the original sk_buff; set the payload_len field of the IPv6 header of the new sk_buff to the sum of the IPv6 extension headers and the application data;
    G) set the source and dest fields of the TCP header of the new sk_buff to the values of the dest and source fields of the TCP header of the original sk_buff; set the 32-bit acknowledgement number of the TCP header of the new sk_buff to the sum of the 32-bit sequence number of the TCP header of the original sk_buff and the application-layer data; set the rst and ack flag bits of the TCP header of the new sk_buff to 1 and all other flag bits to 0; recalculate the TCP checksum with the csum_ipv6_magic function;
    H) set the Ethernet header of the new sk_buff: the h_source field of the new eth header is set to the MAC address of the network card device, and the h_dest field of the new eth header is set to the MAC address of the switch;
    I) set the pkt_type field of the new sk_buff to PACKET_OUTGOING and call the dev_queue_xmit function to send the newly built sk_buff.
  2. The method of sending RST blocking packets based on IPv6 according to claim 1, characterized in that: in step a) an nf_hook_ops structure is registered with the nf_register_hook function of the netfilter framework; the pf field of the nf_hook_ops structure is set to PF_INET6, meaning that only IPv6 packets are captured (to capture IPv4 packets, PF_INET is set); the hook field is set to the address of the packet capture callback function; hooknum is set to NF_INET_PRE_ROUTING.
  3. The method of sending RST blocking packets based on IPv6 according to claim 1, characterized in that: in step a) a packet_type structure is registered on the network protocol stack with the dev_add_pack function provided by the Linux kernel to capture IPv6 packets; the type field of the packet_type structure is set to ETH_P_IPV6, meaning that only IPv6 packets are captured; the dev field is set to NULL; func is set to the address of the callback function.

Priority Applications (1)

CN201711438899.5A (CN108200026A), priority date 2017-12-27, filing date 2017-12-27: The method that rst blocking packets are sent based on ipv6


Publications (1)

CN108200026A, publication date 2018-06-22

Family

ID=62584265


Country Status (1)

CN: CN108200026A

Cited By (1)

* Cited by examiner, † Cited by third party
CN109446086A * (priority date 2018-10-29, publication date 2019-03-08, 北京酷我科技有限公司): A kind of method of App inside packet capturing

Citations (4)

* Cited by examiner, † Cited by third party
CN101068229A * (priority date 2007-06-08, publication date 2007-11-07, 北京工业大学): Content filtering gateway realizing method based on network filter
CN101902440A * (priority date 2009-05-27, publication date 2010-12-01, 北京启明星辰信息技术股份有限公司): Method and device for blocking TCP connection
CN103166855A * (priority date 2011-12-12, publication date 2013-06-19, 深圳市共进电子股份有限公司): Method and system for recognizing and transforming address information in network message
CN103560995A * (priority date 2013-09-25, publication date 2014-02-05, 深圳市共进电子股份有限公司): URL filtering method for realizing IPv4 and IPv6 at the same time

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
YANGQINGXIN1993: "基于ipv6构造TCP RST阻断包" (Constructing TCP RST blocking packets based on IPv6), GitHub *


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
WD01: Invention patent application deemed withdrawn after publication

Application publication date: 20180622