netfilter to drop icmp message from firewall - Ubuntu 16.4
Hello when I tried to compiled the code in below by typing commmand make , I got the error message in below , can you assist me to figure out the issue and run the code , because I modified the code to drop icmp message from firewall
home/seed/Desktop/filter/task2.c: In function ‘init_module’: /home/seed/Desktop/filter/task2.c:101:19: error: ‘hook_func_in’ undeclared (first use in this function) nfho_in.hook = hook_func_in; ^ /home/seed/Desktop/filter/task2.c:101:19: note: each undeclared identifier is reported only once for each function it appears in scripts/Makefile.build:295: recipe for target '/home/seed/Desktop/filter/task2.o' failed
Makefile:
obj-m += task2.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Task code :
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/icmp.h>
#include <linux/ip.h>
static struct nf_hook_ops nfho_out; //net filter for outgoing packets
static struct nf_hook_ops nfho_in; //net filter for incoming packets
struct sk_buff *sock_buff;
struct iphdr *ip_header; //ip header struct
struct tcphdr *tcp_header; //tcp header struct
struct icmphdr *icmp_header; //icmp header struct
unsigned int src_port, dst_port;
void print_address(struct iphdr *ip_header)
{
printk(KERN_INFO "filter SRC: %d.%d.%d.%d \n",
ip_header->saddr & 0x000000ff,
(ip_header->saddr & 0x0000ff00) >> 8,
(ip_header->saddr & 0x00ff0000) >> 16,
(ip_header->saddr & 0xff000000) >> 24);
printk(KERN_INFO "filter DST: %d.%d.%d.%d \n",
ip_header->daddr & 0x000000ff,
(ip_header->daddr & 0x0000ff00) >> 8,
(ip_header->daddr & 0x00ff0000) >> 16,
(ip_header->daddr & 0xff000000) >> 24);
}
bool check_address_src(struct iphdr *ip_header, int a, int b, int c, int d)
{
if (((ip_header->saddr & 0xff000000) >> 24) != d)
return false;
if (((ip_header->saddr & 0x00ff0000) >> 16) != c)
return false;
if (((ip_header->saddr & 0x0000ff00) >> 8) != b)
return false;
if ((ip_header->saddr & 0x000000ff) != a)
return false;
return true;
}
bool check_address_dst(struct iphdr *ip_header, int a, int b, int c, int d)
{
if (((ip_header->daddr & 0xff000000) >> 24) != d)
return false;
if (((ip_header->daddr & 0x00ff0000) >> 16) != c)
return false;
if (((ip_header->daddr & 0x0000ff00) >> 8) != b)
return false;
if ((ip_header->daddr & 0x000000ff) != a)
return false;
return true;
}
unsigned int hook_func_out(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
sock_buff = skb;
ip_header = (struct iphdr *)skb_network_header(sock_buff); //grab network header using accessor
if (!sock_buff)
{
return NF_ACCEPT;
}
//icmp
if (ip_header->protocol == 1)
{
icmp_header = (struct icmphdr *)((__u32 *)ip_header + ip_header->ihl);
// filter 4: Prevent Machine A ping Machine B
if (icmp_header->type == 8)
{
print_address(ip_header);
if (!check_address_src(ip_header, 10, 0, 2, 4))
{
printk(KERN_INFO "filter 4: src not match\n");
return NF_ACCEPT;
}
if (!check_address_dst(ip_header, 10, 0, 2, 5))
{
printk(KERN_INFO "filter 4: dst not match\n");
return NF_ACCEPT;
}
printk(KERN_INFO "filter 4: Prevent Machine A ping Machine B\n");
printk(KERN_INFO "filter 4: SRC_PORT: %d DST_PORT: %d\n", src_port, dst_port);
return NF_DROP;
}
}
return NF_ACCEPT;
}
int init_module(void)
{
nfho_in.hook = hook_func_in;
nfho_in.hooknum = NF_INET_PRE_ROUTING;
nfho_in.pf = PF_INET;
nfho_in.priority = NF_IP_PRI_FIRST;
nf_register_hook(&nfho_in);
nfho_out.hook = hook_func_out;
nfho_out.hooknum = NF_INET_POST_ROUTING;
nfho_out.pf = PF_INET;
nfho_out.priority = NF_IP_PRI_FIRST;
nf_register_hook(&nfho_out);
return 0;
}
void cleanup_module(void)
{
printk(KERN_INFO "\nbye");
nf_unregister_hook(&nfho_in);
nf_unregister_hook(&nfho_out);
}
asked on Stack Overflow Apr 20, 2020 by 
KHAWLA MOUSA ABUALASIH
KHAWLA MOUSA ABUALASIH0 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0