A Software Implementation for a Hybrid Firewall Using Linux Netfilter

摘要

We are developing an embedded hybrid firewall prototype which combines an embedded CPU (MPC8260) with a specifically designed FPGA-based packet classification coprocessor. The packet header matching between the input packets and a pre-defined rule set is fully achieved by the hardware coprocessor on-line. The embedded CPU under Linux operation system takes charge of the remaining data-path processing and the management of the firewall, including receiving input packets, sending them to the coprocessor, forwarding the packet according to the classifying results from the coprocessor, and the rule set updating and management. After a brief introduction to our hybrid firewall, we will focus on the software implementation of the firewall. The Linux-2.4.4 has been ported into out system. By modifying the Linux kernel to utilize the hook functions of Linux net filter, input packets are intercepted and their headers are sent to the coprocessor meanwhile the packets are queued in a buffer until the classifying results come out from the coprocessor. A daemon process running at the embedded CPU was designed for updating the filter rule sets so that a remote computer as a client can visit the firewall and manipulate the running of the firewall. A simple demo program running on a PC (under windows OS) was also designed to demonstrate the proper operations of the firewall.