An Embedded Network Traffic Control System Based on the Linux Firewall
Abstract
With the emergence and rapid development of Internet technology, humanity is experiencing an unprecedented technological revolution: the information revolution. The Internet is no longer confined to research and educational institutions; it has permeated every aspect of daily life. More and more people want high-speed network service, and broadband technology has made that wish attainable for the general public. Although China's network infrastructure is changing day by day, a gap remains compared with developed countries, and network bandwidth still falls short of what people need. To use the limited network resources fairly and efficiently, controlling network traffic becomes a necessary choice. The rlimit system was proposed to meet this need.
    rlimit is a traffic control system based on the Netfilter framework of the Linux kernel. By embedding the entire traffic control system in an embedded hardware platform, it forms an efficient and compact system. The system has a hardware part and a software part. The hardware is an embedded system built around a Motorola ColdFire 5272 processor. The embedded operating system on the software side is μClinux, an embedded operating system without an MMU (memory management unit) intended for the microcontroller domain. rlimit consists of three main parts: a kernel module, a virtual device and a user configuration tool. The kernel module is the core: by registering handler functions at the hook points of the Netfilter framework it gains control over network packets and thereby controls traffic. The virtual device is a network device that sends no actual packets; its function is to pass configuration data between kernel space and user space, so that the user can control rlimit's behaviour through the configuration tool. It is the communication bridge between the kernel module and the user configuration tool. The user configuration tool is a user-space program and the only means by which the system and the user interact. It is a command-line tool through which the user passes the host/subnet information to be controlled into the rlimit system.
    Chapter 1 of the thesis briefly introduces the research background, the necessity of the work and an overview of the rlimit system; Chapters 2 and 3 review embedded systems and firewall technology respectively, with Chapter 2 also introducing μClinux; Chapter 4 analyses the Linux kernel firewall framework Netfilter in detail; Chapter 5 discusses the design and implementation of the rlimit system; Chapter 6 summarises the advantages of the rlimit system and the aspects that remain to be improved.
With the development of network technology, people are experiencing an unprecedented technological revolution: the information revolution. The Internet is no longer used only by research organizations and educational institutions; it has become part of people's everyday life. Although China's network infrastructure is changing rapidly, it still has a long way to go to catch up with developed countries. While network capacity falls far short of people's demands, ensuring that the limited network resources are used fairly and efficiently makes network traffic control the necessary choice. The rlimit system was developed for this purpose.
    The rlimit system, a network traffic control system based on the Linux kernel Netfilter framework, is an efficient and compact system that embeds the whole traffic control system in an embedded hardware platform. The system consists of two parts, hardware and software. The hardware board is built upon the Motorola ColdFire processor MCF5272 and uses μClinux as the embedded operating system. The implementation of the rlimit system is composed of a kernel module, a virtual device and a user configuration tool. The rlimit kernel module observes packets by registering Netfilter hook functions at specified hook points. The rlimit virtual device is a virtual network device used to transfer configuration data between kernel space and user space, enabling the user to control the behaviour of the rlimit system; it is the bridge between the rlimit kernel module and the user configuration tool. The user configuration tool is a Linux user-space command-line program, and it is the only way a user can send host/subnet information into the rlimit system.
    This dissertation is organized as follows. Section one presents the research background and the necessity of the rlimit system. Sections two and three discuss embedded systems and firewall technology respectively, and section two also reviews μClinux. Section four outlines the Linux Netfilter framework. The design and implementation of the rlimit system are presented in section five. Section six concludes the dissertation and gives the advantages and disadvantages of the rlimit system.
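The abstract describes the architecture only at the level of components. As an added illustration (not code from the rlimit thesis), the following user-space C program shows the kind of per-packet decision the kernel module's hook function would make once the configuration tool has handed it host/subnet rules: a rule line is parsed, the packet's source address is matched against the configured subnet, and a verdict is returned using the Netfilter NF_DROP/NF_ACCEPT value convention. The Netfilter registration itself is left out because it only runs inside the kernel; the rule format, the token-bucket algorithm and every name (rlimit_rule, parse_rule, rlimit_hook) are assumptions of this example, not the thesis's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict values follow the Netfilter convention (NF_DROP == 0, NF_ACCEPT == 1)
 * so the decision function reads like a hook, but this is a user-space
 * simulation: nothing here registers with the kernel. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* One configured host/subnet rule. The token-bucket fields are an assumption
 * of this example; the page does not say which algorithm rlimit applies. */
struct rlimit_rule {
    uint32_t addr;       /* IPv4 address, host byte order */
    uint8_t  prefix;     /* prefix length; 32 selects a single host */
    uint64_t rate_bps;   /* bytes per second this host/subnet may send */
    uint64_t burst;      /* bucket capacity in bytes */
    uint64_t tokens;     /* bytes currently available */
    uint64_t last_ms;    /* time of the last refill, in milliseconds */
};

static uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t prefix_mask(uint8_t prefix)
{
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Parse one configuration line of the constructed form
 * "A.B.C.D/P RATE_BYTES_PER_SEC BURST_BYTES", as a user-space tool might
 * hand to the kernel side. Malformed octets or prefixes are rejected. */
static bool parse_rule(const char *line, struct rlimit_rule *r)
{
    unsigned a, b, c, d, p;
    unsigned long long rate, burst;

    if (sscanf(line, "%u.%u.%u.%u/%u %llu %llu", &a, &b, &c, &d, &p, &rate, &burst) != 7)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255 || p > 32)
        return false;

    r->addr = ipv4(a, b, c, d);
    r->prefix = (uint8_t)p;
    r->rate_bps = rate;
    r->burst = burst;
    r->tokens = burst;       /* start with a full bucket */
    r->last_ms = 0;
    return true;
}

static bool rule_matches(const struct rlimit_rule *r, uint32_t ip)
{
    uint32_t m = prefix_mask(r->prefix);
    return (ip & m) == (r->addr & m);
}

/* The per-packet decision a hook would make: find the first rule covering the
 * source address, refill its bucket for the elapsed time, and accept the
 * packet only if enough bytes remain. Addresses with no rule are not limited. */
static enum verdict rlimit_hook(struct rlimit_rule *rules, size_t n,
                                uint32_t src_ip, uint32_t pkt_len, uint64_t now_ms)
{
    for (size_t i = 0; i < n; i++) {
        struct rlimit_rule *r = &rules[i];
        if (!rule_matches(r, src_ip))
            continue;

        /* clamp so a clock that steps backwards cannot underflow the refill */
        uint64_t elapsed = now_ms > r->last_ms ? now_ms - r->last_ms : 0;
        r->tokens += r->rate_bps * elapsed / 1000;
        if (r->tokens > r->burst)
            r->tokens = r->burst;
        r->last_ms = now_ms;

        if (r->tokens >= pkt_len) {
            r->tokens -= pkt_len;
            return VERDICT_ACCEPT;
        }
        return VERDICT_DROP;
    }
    return VERDICT_ACCEPT;
}

int main(void)
{
    struct rlimit_rule rules[1];
    /* constructed sample rule: 192.168.1.0/24 limited to 1000 B/s with a 1500 B burst */
    if (!parse_rule("192.168.1.0/24 1000 1500", &rules[0]))
        return 1;

    uint32_t host = ipv4(192, 168, 1, 77);
    printf("t=0ms   1000 B -> %s\n", rlimit_hook(rules, 1, host, 1000, 0) ? "ACCEPT" : "DROP");
    printf("t=0ms   1000 B -> %s\n", rlimit_hook(rules, 1, host, 1000, 0) ? "ACCEPT" : "DROP");
    printf("t=500ms 1000 B -> %s\n", rlimit_hook(rules, 1, host, 1000, 500) ? "ACCEPT" : "DROP");
    return 0;
}
```

Build with any C99 compiler (e.g. `cc -std=c99 -Wall rlimit_sim.c`). With the sample rule, the first 1000-byte packet is accepted, the second at the same instant is dropped because only 500 bytes remain in the bucket, and a third one 500 ms later is accepted after the refill; a source outside the configured subnet is never limited. In a real Netfilter hook the same logic would run with the packet's length and source address taken from the sk_buff, and the rule table would be filled by whatever channel carries configuration from user space, which in rlimit is the virtual network device.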

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号