Assignment 10: Programming: Programmable Network Filter

This assignment is to be completed by your group.


The Linux kernel features the netfilter/iptables subsystem, which allows to filter incoming and outgoing network packets. This can be used for building firewalls, network address translators (NATs), and quality-of-service features in Linux-based end systems and routers.

Netfilter, through its iptables command, can be instructed to accept, reject, log or queue packets.

As part of this assignment, you will enhance the netfilter package with deep packet inspection functionality. Deep packet inspection looks "inside" the payload of the packet, and filters based on content. Real systems parse HTTP elements or even XML, but this assignment simply adds a string-based filter. In other words, the filter scans each incoming or outgoing packet for a particular string, using the strstr() function. If the string is found in the packet, the filter matches, and netfilter will then take appropriate action, such as logging or discarding the packet.


You should start by familiarizing yourself with netfilter, using the documentation provided online. As an exercise, create an ipfilter entry that logs UDP packets sent to port 4567, using your UDP test tools (see "Deliverables" below).

Then, develop your extension. Your ipfilter extension should take the --string argument to accept a string of any length. Matching is exact, i.e., case-sensitive.


Below is a summary of the deliverables:


The netfilter web site contains information on how to extend the netfilter source. You can find examples of netfilter extensions in the section on the netfilter/iptables patch-o-matic system, as well as the Netfilter Extensions HOWTO. If you run into difficulties, you might first want to install one of the simpler extensions, such as U32, and see how they work.

What to Submit

You must submit a single file named .tar.gz or .tgz. Any other filename and we will dock points! The tar file should contain the the kernel patch, the README file, sample output and testing programs.

Your README file should describe what changes you made to the kernel, how to run your test programs and what the expected output should be.

For each programming part, if your program(s) do not work, you must submit file named nonworking.txt. Inside this file, you need to describe what problems you ran into, where your program fails and what you think are the reasons.

Last updated by Henning Schulzrinne