LUA background, packetScript and experiments


This chapter describes PacketScript, the main contribution of this thesis. PacketScript is a scripting framework that changes the way packet matching and processing logic is programmed for Linux Netfilter: it enables the development of Netfilter extensions entirely in Lua.
In Section 3.1 we provide the specification of PacketScript. Based on this specification we built the architecture described in Section 3.2. In Section 3.3 we explain our concept of object-oriented packet scripting and how it is applied within PacketScript. Sections 3.4 and 3.5 bridge the gap between the concepts and their application by providing some showcase examples. Sections 3.6 and 3.7 introduce two Lua libraries for dealing with bits and bytes, deferring work using the Linux work queue interface, and sending network packets from Lua.


This section specifies PacketScript in terms of functionality, interfaces, and performance.
Moreover, it describes its non-functional requirements and the design constraints. Developing such a specification is typically an iterative process, as software development itself is. Therefore, the specification may change with a next version of PacketScript. The keywords must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this specification are to be interpreted as described in RFC 2119.


The system shall intercept network packets within the Linux kernel. A Lua script (script) must be loaded and interpreted by the system. Such a script is then called to analyze and modify the intercepted packet. Typically, packet interception is done inside an interrupt handler. Spending too much time handling interrupts is not recommended; therefore the system should allow deferring work to a context that is better suited for processing parts of the script. The system must provide a convenient way of analyzing and modifying network packets for binary as well as for plain-text protocols. In order to use the system for prototyping network-centric applications in Lua, the system shall provide functionality for sending new network packets, obtaining accurate time stamps, and obtaining random values.

External Interfaces

The system must be configured by a userspace application controlled by a privileged user (configuration interface). System configuration includes loading and unloading scripts, which may perform additional configuration. The configuration interface must be simple; therefore the file system path to the script should be the only parameter that is required. Besides the configuration interface, the script provides a more sophisticated interface to the user (script interface). It is used to control how a packet is analyzed and modified, as well as how work is deferred. Therefore, such a script needs to be validated. The script interface is constrained by the syntax and semantics of the Lua scripting language. Additionally, the system must interface with the operating system using the Linux kernel API (operating system interface), for example for sending packets, deferring work, or obtaining accurate time stamps. On one hand, the system itself employs some functionality provided by the operating system interface. On the other hand, the script may call functions that wrap some of the operating system functionality. While function calls invoked by the system are hidden from the user, the functions called from the script are not. Since misuse of such functions can negatively affect the operating system's behavior, they must be specially protected.
