6. Devices
A device driver hides the hardware device’s communication
protocols from the operating system and allows the system to interact with the
device through a standardized interface.
Processes can communicate with a device driver via
file-like objects.
6.1 Device Types
A character device represents a hardware device that reads
or writes a serial stream of data bytes.
A block device represents a hardware device that reads or
writes data in fixed-size blocks.
6.2 Device Numbers
Linux identifies devices using two numbers: the major
device number and the minor device number.
The major device number specifies which driver the device
corresponds to.
Minor device numbers distinguish individual devices or
components controlled by a single driver.
The special entry /proc/devices lists major device numbers
corresponding to active device drivers currently loaded into the kernel.
[liuchao@localhost ~]$ cat /proc/devices
Character devices:
1
mem
&n ......
apache的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/apache" \ #--------------------安装路径为“/usr/local/apache”
"--with-included-apr" \
"--enable-so" \ #--------------------开启相应的扩展模块支持
"--enable-deflate=shared" \
"--enable-expires=shared" \
"--enable-rewrite=shared" \
"--enable-static-support" \
"--disable-userdir"
make #--------------------编译
make install #--------------------编译安装
php的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/php" \ #--------------------安装路径为“/usr/local/apache”
"--with-apxs2=/usr/local/apache/bin/apxs" \
"--with-config-file-path=/usr/local/php/etc" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir=/usr/local/libxml2" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-icon ......
apache的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/apache" \ #--------------------安装路径为“/usr/local/apache”
"--with-included-apr" \
"--enable-so" \ #--------------------开启相应的扩展模块支持
"--enable-deflate=shared" \
"--enable-expires=shared" \
"--enable-rewrite=shared" \
"--enable-static-support" \
"--disable-userdir"
make #--------------------编译
make install #--------------------编译安装
php的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/php" \ #--------------------安装路径为“/usr/local/apache”
"--with-apxs2=/usr/local/apache/bin/apxs" \
"--with-config-file-path=/usr/local/php/etc" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir=/usr/local/libxml2" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-icon ......
apache的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/apache" \ #--------------------安装路径为“/usr/local/apache”
"--with-included-apr" \
"--enable-so" \ #--------------------开启相应的扩展模块支持
"--enable-deflate=shared" \
"--enable-expires=shared" \
"--enable-rewrite=shared" \
"--enable-static-support" \
"--disable-userdir"
make #--------------------编译
make install #--------------------编译安装
php的源码安装
将压缩包解压之后进入相应的目录
./configure \ #--------------------预编译命令
"--prefix=/usr/local/php" \ #--------------------安装路径为“/usr/local/apache”
"--with-apxs2=/usr/local/apache/bin/apxs" \
"--with-config-file-path=/usr/local/php/etc" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir=/usr/local/libxml2" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-icon ......
2008-07-07 22:04状 态检测(stateful inspection)是由CheckPoint公司最先提出的,可算是防火墙技术的一项突破性变革,把包过滤的快速性和代理的安全性很好地结合在一起, 目前已经是防火墙最流行的检测方式。状态检测的根本思想是对所有网络数据建立“连接”的概念,此“连接”是面向“连接”的协议之“连接”的扩展,对非连接 协议数据也可以建立虚拟连接。既然是连接,必然是有一定的顺序的,通信两边的连接状态也是有一定顺序进行变化的。防火墙的状态检测就是事先确定好连接的合 法过程模式,如果数据过程符合这个模式,则说明数据是合法正确的,否则就是非法数据,应该被丢弃。
2.6内核的Linux中的防火墙代码netfilter中实现了状态检测 (stateful inspection)检测技术:Linux为每一个经过网络堆栈的数据包,生成一个新的连接记录项(Connection entry)。此后,所有属于此连接的数据包都被唯一地分配给这个连接,并标识连接的状态。linux在netfilter的hook点上为 contrack定义了如下几个挂接点,用来处理流经的ip包:
NF_IP_PRE_ROUTING : ip_conntrack_defrag -> ip_conntr ......
2008-07-07 22:05
初始化
1,ip_conntrack_standalone_init是contrack模块的初始化函数。它主要完成以下内容:
/*1, 初始化conntrack相关的数据结构,如hash表,ip_conntrack_protocol以及内存管理等*/
ret = ip_conntrack_init();
if (ret < 0)
return ret;
#ifdef CONFIG_PROC_FS
/* 在/proc目录下创建"ip_conntrack","ip_conntrack_expect"记录连接跟踪信息*/
……
#endif
/*2,为conntrack注册hook点*/
ret = nf_register_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
if (ret < 0) {
printk("ip_conntrack: can't register hooks.\n");
goto cleanup_proc_stat;
}
#ifdef CONFIG_SYSCTL
/*3,注册sysctrl的操作函数集*/
ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
if (ip_ct_sysctl_header == NULL) {
printk("ip_conntrack: can't register to sysctl.\n");
ret = -ENOMEM;
goto cleanup_hooks;
}
#endif
......
2008-07-07 22:06
PREROUTING:ip_conntrack_defrag à ip_conntrack_in
1,ip_conntrack_defrag:
通常当IP报文被送至L4层处理时,如果该报文是分片报文,那么报文就会先被保存起来,直到所有分片到达后重组成一个完整报文后,再被分发到L4层。当没有启动conntrack时,netfilter各HOOK点对报文操作时,并不检查该报文是否分片;但是如果启动conntrack功能,则必须保证进入netfilter HOOK点的报文是一个完整的报文,因此ip_conntrack_defrag一般处于最前端的HOOK,负责将分片报文重组。
/* 若报文分片,则 调用ip_ct_gather_frags 组装报文,如果所有分片均已到达,pskb指向新生成的报文,继续沿着HOOK链进行下一步处理;否则为空,报文被缓存等待下一分片到来*/
if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
*pskb = ip_ct_gather_frags(*pskb,
hooknum == NF_IP_PRE_ROUTING ?
......
2008-07-07 22:09
3,init_conntrack:
init_conntrack用于创建一个新的ip_conntrack,并对其进行初始化。
/*1,每一个连接包含两个tuple,original和reply,ip_ct_invert_tuple 根据传入的original tuple获取其reply tuple,其最终将调用所属协议的invert_tuple 完成处理*/
if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
DEBUGP("Can't invert tuple.\n");
return NULL;
}
/*2,从cache中为conntrack分配内存,并进行通用的初始化,如初始化tuplehash、timeout和ct_general;如果当前连接数已达上限,则调用early_drop释放tuple所在hash链上的未应答项*/
conntrack = ip_conntrack_alloc(tuple, &repl_tuple);
/*3,调用所属协议的new函数,根据报文数据,初始化conntrack,和协议相关的私有处理,将放到对具体协议tcp分析时讨论*/
if (!protocol->new(conntrack, skb)) {
ip_conntrack_free(conntrack);
return NULL;
}
/*4,expect和helper均和动态协议相关,将在分析ftp协议时做重点介 ......