This chapter describes PacketScript, the main contribution of this thesis. PacketScript is a scripting framework that changes the way packet matching and processing logic is programmed for Linux Netfilter. It enables the development of Netfilter extensions entirely in Lua.
In Section 3.1 we provide the specification of PacketScript. Based on this specification we built the architecture described in Section 3.2. In Section 3.3 we explain our concept of object oriented packet scripting and how it is applied within PacketScript. Sections 3.4 and 3.5 bridge the gap between the concepts and their application by providing some showcase examples. Sections 3.6 and 3.7 introduce two Lua libraries for dealing with bits and bytes, deferring work using the Linux work queue interface, and sending network packets from Lua.
This section specifies PacketScript in terms of functionality, interfaces, and performance.
Moreover, it describes its nonfunctional requirements and the design constraints. The development of such a specification is typically an iterative process, as software development itself is. Therefore, the specification may change in a future version of PacketScript. The keywords must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this specification are to be interpreted as described in RFC 2119.
The system shall intercept network packets within the Linux kernel. A Lua script (script) must be loaded and interpreted by the system. Such a script is then called to analyze and modify the intercepted packet. Typically, packet interception is done inside an interrupt handler. Spending too much time handling interrupts is not recommended; therefore the system should allow work to be deferred to a context that is better suited for processing parts of the script. The system must provide a convenient way of analyzing and modifying network packets for binary as well as for plain-text protocols. In order to use the system for prototyping network-centric applications in Lua, the system shall provide the functionality to send new network packets, obtain accurate time stamps, and obtain random values.
The system must be configured by a userspace application controlled by a privileged user (configuration interface). System configuration includes loading and unloading scripts, which may perform additional configuration. The configuration interface must be simple; therefore the file system path to the script should be the only parameter that is required. Besides the configuration interface, the script provides a more sophisticated interface to the user (script interface). It is used to control how a packet is analyzed and modified, as well as how work is deferred. Therefore, such a script needs to be validated. The script interface is constrained by the syntax and semantics of the Lua scripting language. Additionally, the system must interface with the operating system using the Linux kernel API (operating system interface), for example for sending packets, deferring work, or obtaining accurate time stamps. On one hand, the system itself employs some functionality provided by the operating system interface. On the other hand, the script may call functions that wrap some of the operating system functionality. While function calls invoked by the system are hidden from the user, the functions called from the script are not. Since incorrect use of such functions can negatively affect the operating system behavior, they must be especially protected.