kk Blog —— 通用基础

squid 代理转发

2020-05-18 14:55:00

https://www.cmdschool.org/archives/4673

Squid的层次结构

图中绿色线代表父子关系的层次结构（上游下游关系）

图中蓝色代表兄弟关系的层次结构（平等关系）

代理转发

Squid使用“cache_peer”指令提供父节点的缓存

cache_peer指令的模式

never direct模式，父节点失败不能直接连接源服务器，如果父节点失败或无法访问，则每个请求都导致错误消息

prefer direct模式，父节点失败允许直接连接源服务器，如果父节点失败或无法访问，则连接到源服务器而不是父节点

注：失败是指没有ICP或HTCP回复

never direct模式

cache_peer parentcache.foo.com parent 3128 0 no-query default
never_direct allow all

以上使用never_direct指令宣告父节点失败不能直接连接源服务器

prefer direct模式

cache_peer parentcache.foo.com parent 3128 0 no-query
prefer_direct off
nonhierarchical_direct off

以上使用prefer_direct指令宣告首选从DNS中列出源服务器尝试

以上使用nonhierarchical_direct指令宣告往父节点的请求继续发送

hierarchy_stoplist指令是prefer direct模式的另外一种实现（适用于Squid-3.2之前的版本）

cache_peer指令的使用

cache_peer hostname type http-port icp-port [options]

hostname参数，指定转发的代理服务器主机名称（IP地址亦可）

type参数，可选值有“parent”（父母）、“sibling”（兄弟）和“multicast”（多播）

http-port参数，指定转发的代理服务器通讯端口，默认值3128

icp-port参数，查询对象的邻居缓存，如果不支持ICP或HTCP，设置为0

options参数，可选的其他选项（不一一列举）

http://www.squid-cache.org/Doc/config/cache_peer/

KASLR 内核动态地址

2020-01-07 11:23:00

/proc/kallsyms 和 /boot/System.map-xxx 一致需要修改 .config

< # CONFIG_RANDOMIZE_BASE is not set
---
> CONFIG_RANDOMIZE_BASE=y
> CONFIG_X86_NEED_RELOCS=y
> CONFIG_RANDOMIZE_MEMORY=y
> CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa

http://www.wowotech.net/memory_management/441.html

引言

什么是KASLR？KASLR是kernel address space layout randomization的缩写，直译过来就是内核地址空间布局随机化。KASLR技术允许kernel image加载到VMALLOC区域的任何位置。当KASLR关闭的时候，kernel image都会映射到一个固定的链接地址。对于黑客来说是透明的，因此安全性得不到保证。KASLR技术可以让kernel image映射的地址相对于链接地址有个偏移。偏移地址可以通过dts设置。如果bootloader支持每次开机随机生成偏移数值，那么可以做到每次开机kernel image映射的虚拟地址都不一样。因此，对于开启KASLR的kernel来说，不同的产品的kernel image映射的地址几乎都不一样。因此在安全性上有一定的提升。

注：文章代码分析基于linux-4.15，架构基于aarch64（ARM64）。

如何使用

打开KASLR功能非常简单，在支持KASLR的内核配置选项添加选项CONFIG_RANDOMIZE_BASE=y。同时还需要告知kernel映射的偏移地址，通过dts传递。在chosen节点下添加kaslr-seed属性。属性值就是偏移地址。另外command line不要带nokaslr，否则KASLR还是关闭。dts信息举例如下。顺便说一下，在dts中<>符号中是一个32 bit的值。但是在ARM64平台，这里的kaslr-seed属性是一个特例，他就是一个64 bit的值。

/ {
	chosen {
		kaslr-seed = <0x10000000>;
	};
}; 

如何获取偏移

kaslr-seed属性的解析在kaslr_early_init函数完成。该函数根据输入参数dtb首地址（物理地址）解析dtb，找到偏移地址，最后返回。kaslr_early_init实现如下。

u64 __init kaslr_early_init(u64 dt_phys)
{
	void *fdt;
	u64 seed, offset, mask, module_range;
	const u8 *cmdline, *str;
	int size;
 
	early_fixmap_init();                                         /* 1 */
	fdt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);       /* 1 */
 
	seed = get_kaslr_seed(fdt);                                  /* 2 */
	if (!seed)
		return 0;
 
	cmdline = get_cmdline(fdt);
	str = strstr(cmdline, "nokaslr");                            /* 3 */
	if (str == cmdline || (str > cmdline && *(str - 1) == ' '))
		return 0;
 
	mask = ((1UL << (VA_BITS - 2)) - 1) & ~(SZ_2M - 1);          /* 4 */
	offset = seed & mask;
 
	/* use the top 16 bits to randomize the linear region */
	memstart_offset_seed = seed >> 48;                           /* 5 */
 
	if ((((u64)_text + offset) >> SWAPPER_TABLE_SHIFT) !=
		(((u64)_end + offset) >> SWAPPER_TABLE_SHIFT))
		offset = round_down(offset, 1 << SWAPPER_TABLE_SHIFT);   /* 6 */
 
	return offset;
} 

由于dtb的地址是物理地址，因此第一步先为dtb区域建立映射。
从dtb文件获取kaslr-seed属性的值。
确保command line没有传递nokaslr参数，如果传递nokaslr则关闭KASLR。
保证传递的偏移地址2M地址对齐，并且保证kernel位于VMALLOC区域大小的一半地址空间以下 (VA_BITS - 2)。当VA_BITS=48时，mask=0x0000_3fff_ffe0_0000。
线性映射区地址也会随机化。
kernel启动初期只有一个PUD页表，因此希望kernel映射在1G（1 << SWAPPER_TABLE_SHIFT）大小范围内，这样就不用两个PUD页表。如果kernel加上偏移offset后不满足这点，自然要重新对齐。

如何创建映射

kernel启动初期在汇编阶段创建映射关系。代码位于head.S文件。在__primary_switched函数中会调用kaslr_early_init得到偏移地址。保存在x23寄存器中。然后重新创建kernel image的映射。

__primary_switched:
	tst   x23, ~(MIN_KIMG_ALIGN - 1)  // already running randomized?
	b.ne  0f
	mov   x0, x21                     // pass FDT address in x0
	bl    kaslr_early_init            // parse FDT for KASLR options
	cbz   x0, 0f                      // KASLR disabled? just proceed
	orr   x23, x23, x0                // record KASLR offset
	ldp   x29, x30, [sp], #16         // we must enable KASLR, return
	ret                               // to __primary_switch() 

创建映射的函数是__create_page_tables。

__create_page_tables:
	/*
	 * Map the kernel image.
	 */
	adrp  x0, swapper_pg_dir
	mov_q x5, KIMAGE_VADDR + TEXT_OFFSET  // compile time __va(_text)
	add   x5, x5, x23                         // add KASLR displacement
	create_pgd_entry x0, x5, x3, x6
	adrp  x6, _end                        // runtime __pa(_end)
	adrp  x3, _text                       // runtime __pa(_text)
	sub   x6, x6, x3                          // _end - _text
	add   x6, x6, x5                          // runtime __va(_end)
	create_block_map x0, x7, x3, x5, x6

这段代码在我的另一篇文章《ARM64 Kernel Image Mapping的变化》已经有分析过，这里就略过了。注意第7行，kernel image映射的虚拟地址加上了一个偏移地址x23。还有一点需要说明，就是对重定位段进行重定位。这部分代码在arch/arm64/kernel/head.S文件__relocate_kernel函数实现。大概说下__relocate_kernel有什么用呢！例如链接脚本中常见的几个变量text、etext、end。这几个你应该很熟悉，他们是一个地址并且他们的值是链接的时候确定下来，那么现在使能kaslr的情况下，代码中再访问text的值就很明显不是运行时的虚拟地址，而是链接时候的值。因此，__relocate_kernel函数可以负责重定位这些变量。保证访问这些变量的值依然是正确的值。这部分涉及编译和链接，有兴趣的可以研究一下《程序员的自我修养》这本书（我不太熟悉）。

addr2line怎么办

KASLR在技术上增加了OS安全性，但是对于调试或许增加了些难度。何以见得呢？首先，我们知道编译kernel的时候链接地址和最终运行地址是不一样的，因此如果发生oops，栈的回溯信息中的函数地址其实都是运行地址。如果你使用过addr2line工具的话，应该不会陌生addr2line -e vmlinux 0xffffff8000080000这条命令获取某个地址在代码中的哪一行。那么现在问题是oops中的地址和链接地址有一个偏差，并且这个偏差随着bootloader传递的值而变化。现在摆在我们眼前的是addr2line工具还怎么用？下面就为你答疑解惑。kernel开机log中会打印Virtual kernel memory layout。举例如下。

    Virtual kernel memory layout:
      modules : 0xffffff8000000000 - 0xffffff8008000000   (   128 MB)
      vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000   (   250 GB)
        .text : 0xffffff80ae280000 - 0xffffff80af2e0000   ( 16768 KB)
      .rodata : 0xffffff80af300000 - 0xffffff80afb60000   (  8576 KB)
        .init : 0xffffff80afb60000 - 0xffffff80b01e0000   (  6656 KB)
        .data : 0xffffff80b01e0000 - 0xffffff80b044f200   (  2493 KB)
         .bss : 0xffffff80b044f200 - 0xffffff80b0e18538   ( 10021 KB)
      fixed   : 0xffffffbefe7fb000 - 0xffffffbefec00000   (  4116 KB)
      PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000   (    16 MB)
      vmemmap : 0xffffffbf00000000 - 0xffffffc000000000   (     4 GB maximum)
            0xffffffbf00000000 - 0xffffffbf03000000   (    48 MB actual)
      memory  : 0xffffffc000000000 - 0xffffffc0c0000000   (  3072 MB)

注意看以上.text区域（kernel代码段）起始地址和结束地址是不是位于VMALLOC区域。如果发生oops，log中函数的地址必然是一个位于.text段的地址，假设是addr_run，但是链接地址应该是KIMAGE_VADDR + TEXT_OFFSET，这两个宏定义参考这篇文章《ARM64 Kernel Image Mapping的变化》。在这个例子中，KIMAGE_VADDR = 0xffffff8008000000，TEXT_OFFSET = 0x80000。addr2line工具使用的必须是链接地址，因此需要将addr_run转换成链接地址。公式很容易推导出来，addr_link = addr_run - .text_start + vmalloc_start + TEXT_OFFSET。在这个例子中就是addr_link = addr_run - 0xffffff80ae280000 + 0xffffff8008000000 + 0x80000。计算的addr_link就可以使用addr2line工具解析了。Have fun！

DNS示例

2019-12-21 17:05:00

https://gist.github.com/fffaraz/9d9170b57791c28ccda9255b48315168

DNS 示例

// gcc dns.c -lpthread

#include <stdio.h>  //printf
#include <string.h> //strlen
#include <stdlib.h> //malloc
#include <sys/socket.h> //you know what this is for
#include <arpa/inet.h>  //inet_addr, inet_ntoa, ntohs etc
#include <netinet/in.h>
#include <unistd.h> //getpid
#include <pthread.h>
#include <time.h>

#define T_A   1   //IPv4 address
#define T_NS  2   //Nameserver
#define T_CNAME   5   // canonical name
#define T_SOA 6   /* start of authority zone */
#define T_PTR 12  /* domain name pointer */
#define T_MX  15  //Mail server
#define T_AAAA    28  // IPv6

#define NIPQUAD(addr) ((unsigned char *)addr)[0], ((unsigned char *)addr)[1], ((unsigned char *)addr)[2], ((unsigned char *)addr)[3]

//DNS header structure
struct DNS_HEADER
{
	unsigned short id;    // identification number

	unsigned char rd :1;  // recursion desired
	unsigned char tc :1;  // truncated message
	unsigned char aa :1;  // authoritive answer
	unsigned char opcode :4;  // purpose of message
	unsigned char qr :1;  // query/response flag

	unsigned char rcode :4;   // response code
	unsigned char cd :1;  // checking disabled
	unsigned char ad :1;  // authenticated data
	unsigned char z :1;   // its z! reserved
	unsigned char ra :1;  // recursion available

	unsigned short q_count;   // number of question entries
	unsigned short ans_count; // number of answer entries
	unsigned short auth_count;    // number of authority entries
	unsigned short add_count; // number of resource entries
};

//Constant sized fields of query structure
struct QUESTION
{
	unsigned short qtype;
	unsigned short qclass;
};

//Constant sized fields of the resource record structure
#pragma pack(push, 1)
struct R_DATA
{
	unsigned short type;
	unsigned short _class;
	unsigned int ttl;
	unsigned short data_len;
};
#pragma pack(pop)

//Pointers to resource record contents
struct RES_RECORD
{
	unsigned char *name;
	struct R_DATA *resource;
	unsigned char *rdata;
};

//Structure of a Query
typedef struct
{
	unsigned char *name;
	struct QUESTION *ques;
} QUERY;

// convert www.google.com to 3www6google3com
void ChangetoDnsNameFormat(unsigned char* dns, unsigned char* host)
{
	int lock = 0, i;
	for (i = 0; i <= strlen(host); i ++) {
		if (host[i] == '.' || host[i] == '\0') {
			*dns++ = i - lock;
			for( ; lock < i; lock ++)
				*dns++ = host[lock];
			lock ++;
		}
	}
	*dns++ = '\0';
}

// convert 3www6google3com0 to www.google.com
void changeToHost(unsigned char *dns)
{
	int i = 0, j = 0, p;

	while (i < 90 && dns[i] && i + dns[i] + 1 < 90) {
		p = dns[i];
		i = i + p + 1;
		while (p -- && j < 90) {
			dns[j] = dns[j+1];
			j ++;
		}
		dns[j++] = '.';
	}
	if (j == 0)
		j = 1;
	dns[j-1] = '\0'; //remove the last dot
}

int readName(unsigned char *reader, unsigned char *buffer, unsigned char *to, unsigned char *end)
{
	unsigned char *start = reader;
	unsigned int p = 0, step = 1, offset, count = 0;
	int i, j;

	//read the names in 3www6google3com format

	while (reader < end && *reader != 0) {
		if (*reader >= 0xc0) {
			offset = (*reader)*256 + *(reader+1) - 0xc000; //49152 = 11000000 00000000
			reader = buffer + offset;
			step = 0;
		} else {
			to[p++] = *reader ++;
			count += step;
		}
		if (reader > end)
			goto err;
	}
	to[p] = '\0';
	count += (step == 0) ? 2 : 1;

	if (start + count > end)
		goto err;

	changeToHost(to);

	return count;
err:
	return 1000000;
}

/*
 * sending a packet
 */
void sendPacket(int fd, struct sockaddr_in *dest, unsigned char *host, int query_type)
{
	unsigned char buf[65536], *qname, *reader;
	int i, j;

	struct DNS_HEADER *dns = NULL;
	struct QUESTION *qinfo = NULL;

	//Set the DNS structure to standard queries
	dns = (struct DNS_HEADER *)&buf;

	dns->id = htons(getpid());
	dns->qr = 0; //This is a query
	dns->opcode = 0; //This is a standard query
	dns->aa = 0; //Not Authoritative
	dns->tc = 0; //This message is not truncated
	dns->rd = 1; //Recursion Desired
	dns->ra = 0; //Recursion not available! hey we dont have it (lol)
	dns->z = 0;
	dns->ad = 0;
	dns->cd = 0;
	dns->rcode = 0;
	dns->q_count = htons(1); //we have only 1 question
	dns->ans_count = 0;
	dns->auth_count = 0;
	dns->add_count = 0;

	//point to the query portion
	qname = &buf[sizeof(struct DNS_HEADER)];

	ChangetoDnsNameFormat(qname, host);
	qinfo = (struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen(qname) + 1)]; //fill it

	qinfo->qtype = htons(query_type); //type of the query, A, MX, CNAME, NS etc
	qinfo->qclass = htons(1); //its internet (lol)

	if (sendto(fd, buf, sizeof(struct DNS_HEADER) + (strlen(qname) + 1) + sizeof(struct QUESTION), 0, (struct sockaddr*)dest, sizeof(*dest)) < 0) {
		perror("sendto failed");
	}
	printf("send Done\n");
	return;
}

int expBuf(char buf[], int len)
{
	unsigned char *end = buf + len;

	struct DNS_HEADER *dns = NULL;
	struct QUESTION *qinfo = NULL;
	struct R_DATA *resource;

	unsigned char *qname, *reader;

	char name[256];
	char rdata[256];
	int i, j;

	if (len < sizeof(struct DNS_HEADER))
		goto err;

	dns = (struct DNS_HEADER*) buf;

	printf("The response contains:\n");
	printf("%d Questions.\n", ntohs(dns->q_count));
	printf("%d Answers.\n", ntohs(dns->ans_count));
	printf("%d Authoritative Servers.\n", ntohs(dns->auth_count));
	printf("%d Additional records.\n\n", ntohs(dns->add_count));
	
	//move ahead of the dns header and the query field
	//reader = &buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1) + sizeof(struct QUESTION)];
	reader = &buf[sizeof(struct DNS_HEADER)];

	//Start reading answers
	printf("Questions Records: %d\n", ntohs(dns->q_count));
	for (i = 0; i < ntohs(dns->q_count); i ++) {
		reader += readName(reader, buf, name, end);
		qinfo = (struct QUESTION *)reader;
		reader = reader + sizeof(struct QUESTION);
		if (reader > end)
			goto err;

		printf("Name: %s Type: %d\n", name, ntohs(qinfo->qtype));
	}
	printf("\n");

	printf("Answer Records: %d\n", ntohs(dns->ans_count));
	for (i = 0; i < ntohs(dns->ans_count); i++) {
		reader += readName(reader, buf, name, end);
		resource = (struct R_DATA*)(reader);
		reader = reader + sizeof(struct R_DATA);
		if (reader > end)
			goto err;

		printf("Name: %s Type: %d ", name, ntohs(resource->type));

		if (ntohs(resource->type) == T_A || ntohs(resource->type) == T_AAAA) { //if its an ipv4 address
			if (reader + ntohs(resource->data_len) > end)
				goto err;
			printf("IPv4: %d.%d.%d.%d", NIPQUAD(reader));
			reader = reader + ntohs(resource->data_len);
		} else {
			reader += readName(reader, buf, rdata, end);
			if (reader > end)
				goto err;
			if (ntohs(resource->type) == T_CNAME)
				printf("CNAME: %s", rdata);
		}
		printf("\n");
	}
	printf("\n");

	//read authorities
	printf("Authoritive Records: %d\n", ntohs(dns->auth_count));
	for(i = 0; i < ntohs(dns->auth_count); i++) {
		reader += readName(reader, buf, name, end);
		resource = (struct R_DATA*)(reader);
		reader += sizeof(struct R_DATA);
		if (reader > end)
			goto err;

		reader += readName(reader, buf, rdata, end);
		if (reader > end)
			goto err;

		printf("Name: %s Type: %d ", name, ntohs(resource->type));

		if (ntohs(resource->type) == T_NS) {
			printf("nameserver: %s", rdata);
		}
		printf("\n");
	}
	printf("\n");

	//read additional
	printf("Additional Records: %d\n", ntohs(dns->add_count));
	for(i = 0; i < ntohs(dns->add_count); i++) {
		reader += readName(reader, buf, name, end);
		resource = (struct R_DATA*)(reader);
		reader += sizeof(struct R_DATA);
		if (reader > end)
			goto err;

		printf("Name: %s Type: %d ", name, ntohs(resource->type));

		if (ntohs(resource->type) == T_A || ntohs(resource->type) == T_AAAA) {
			if (reader + ntohs(resource->data_len) > end)
				goto err;
			printf("IPv4: %d.%d.%d.%d", NIPQUAD(reader));
			reader = reader + ntohs(resource->data_len);
		} else {
			reader += readName(reader, buf, rdata, end);
			if (reader > end)
				goto err;
		}
		printf("\n");
	}
	printf("\n\n");
	return 0;
err:
	printf("\n\n");
	return -1;
}

void *recvPacket(void *arg)
{
	int fd = *((int *)arg);
	struct sockaddr_in dest;
	unsigned char buf[65536];
	int s, len;

	while (1) {
		//Receive the answer
		s = sizeof(dest);
		if ((len = recvfrom(fd, buf, 65536, 0, (struct sockaddr*)&dest, (socklen_t*)&s)) < 0) {
			perror("recvfrom failed");
		}
		printf("recv Done. len=%d\n", len);
		if (expBuf(buf, len)) {
			printf("exp err\n");
		}
	}
}

/*
 * Get the DNS servers from /etc/resolv.conf file on Linux
 */
void get_dns_servers(char dns_servers[])
{
	FILE *fp;
	char line[200], *p;
	if ((fp = fopen("/etc/resolv.conf", "r")) == NULL) {
		printf("Failed opening /etc/resolv.conf file \n");
	}

	while (fgets(line, 200, fp)) {
		if (line[0] == '#') {
			continue;
		}
		if (strncmp(line, "nameserver", 10) == 0) {
			p = strtok(line, " ");
			p = strtok(NULL, " ");

			//p now is the dns ip :)
			//????
		}
	}

	strcpy(dns_servers, "127.0.1.1");
}

int main(int argc, char *argv[])
{
	int fd;
	struct sockaddr_in dest;
	unsigned char hostname[100];
	pthread_t tid;

	char dns_servers[100];

	//Get the DNS servers from the resolv.conf file
	get_dns_servers(dns_servers);

	dest.sin_family = AF_INET;
	dest.sin_port = htons(53);
	dest.sin_addr.s_addr = inet_addr(dns_servers);

	fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

	if (pthread_create(&tid, NULL, recvPacket, (void *)&fd)) {
		printf("pthread err\n");
		exit(-1);
	}

	while (1) {
		printf("Enter Hostname to Lookup: ");
		scanf("%s", hostname);
		sendPacket(fd, &dest, hostname, T_A);
		usleep(500000);
	}

	pthread_join(tid, NULL);
	return 0;
}

← Older Blog Archives Newer →