第16周：阶段项目——基于 Netfilter 的简单防火墙

2026-07-06

字数统计: 3.9k字 | 阅读时长≈ 21分

第16周：阶段项目——基于 Netfilter 的简单防火墙

目标：综合运用前 7 周知识，实现一个带动态规则管理的内核级防火墙。

1. 项目架构设计

1.1 整体架构

┌──────────────────────────────────────────────────────────┐
│                    User Space                             │
│                                                           │
│  ┌─────────────┐    /proc 读写     ┌─────────────────┐  │
│  │ Firewall    │ ◀───────────────▶ │ /proc/fw_control │  │
│  │ CLI Tool    │   netlink send    │  add_ip          │  │
│  │ (fwctl)     │ ────────────────▶ │  del_ip          │  │
│  │             │   netlink recv    │  list            │  │
│  └─────────────┘                   │  stats           │  │
│                                    └─────────────────┘  │
└──────────────────────────────────────────────────────────┘
                         │ 系统调用
                         ▼
┌──────────────────────────────────────────────────────────┐
│                    Kernel Space                           │
│                                                           │
│  ┌─────────────────────────────────────────────────────┐ │
│  │  Netfilter Hook (NF_INET_PRE_ROUTING)               │ │
│  │  ┌───────────┐  ┌───────────┐  ┌────────────────┐  │ │
│  │  │ 黑名单检查 │→ │ 速率限制  │→ │ 日志记录      │  │ │
│  │  │ (RB Tree) │  │ (令牌桶)  │  │ (printk)      │  │ │
│  │  └───────────┘  └───────────┘  └────────────────┘  │ │
│  └─────────────────────────────────────────────────────┘ │
│                                                           │
│  ┌─────────────┐    ┌──────────────┐    ┌─────────────┐ │
│  │ 黑名单 IP   │    │ 速率限制表   │    │ 全局统计    │ │
│  │ 存储(RB树) │    │ (每个 IP 桶) │    │ 计数器      │ │
│  └─────────────┘    └──────────────┘    └─────────────┘ │
└──────────────────────────────────────────────────────────┘
                         │
                         ▼
                  ┌───────────────┐
                  │   网络数据包   │
                  └───────────────┘

1.2 数据结构设计

// firewall.h
#ifndef FIREWALL_H
#define FIREWALL_H

#include <linux/types.h>
#include <linux/rbtree.h>
#include <linux/spinlock.h>
#include <linux/time.h>
#include <linux/hashtable.h>
#include <linux/netfilter.h>

// === 常量 ===
#define MAX_IPS          65536
#define MAX_RULE_NAME    64
#define PROC_NAME        "fw_control"
#define PROC_DIR         "firewall"

// === IP 黑名单条目 ===
struct fw_blacklist_entry {
    __be32              ip;           // 黑名单 IP
    unsigned long       added_time;   // 添加时间
    unsigned long       expire_time;  // 过期时间（0=永不过期）
    char                reason[64];   // 封禁原因
    struct rb_node      node;         // RB 树节点
    struct hlist_node   hnode;        // 哈希节点（快速查找）
};

// === 速率限制条目 ===
struct fw_rate_entry {
    __be32              ip;
    unsigned long       last_check;   // 上次检查时间（jiffies）
    unsigned int        tokens;       // 当前令牌数
    unsigned int        rate;         // 每秒允许包数
    unsigned int        burst;        // 突发容量
    spinlock_t          lock;
    struct hlist_node   hnode;
};

// === 统计信息 ===
struct fw_stats {
    atomic_t       total_packets;     // 总包数
    atomic_t       allowed_packets;   // 放行包数
    atomic_t       dropped_packets;   // 丢弃包数
    atomic_t       blacklisted_drops; // 黑名单拦截
    atomic_t       rate_drops;        // 速率限制拦截
    atomic_t       rule_add_count;    // 规则添加次数
    atomic_t       rule_del_count;    // 规则删除次数
};

// === 防火墙全局状态 ===
struct fw_state {
    // 黑名单 RB 树（按 IP 排序）
    struct rb_root      blacklist_tree;
    spinlock_t          blacklist_lock;

    // 黑名单哈希表（快速查找）
    DECLARE_HASHTABLE(blacklist_hash, 12);  // 4096 个桶

    // 速率限制哈希表
    DECLARE_HASHTABLE(rate_hash, 12);

    // 统计
    struct fw_stats     stats;

    // 配置
    int                 enabled;           // 防火墙是否启用
    int                 default_policy;    // 0=ACCEPT 1=DROP
    unsigned int        rate_limit;        // 全局速率限制（包/秒）
    unsigned int        rate_burst;        // 突发数
};

// === 操作接口 ===
int fw_blacklist_add(__be32 ip, unsigned int ttl, const char *reason);
int fw_blacklist_remove(__be32 ip);
int fw_blacklist_check(__be32 ip);

int fw_rate_check(__be32 ip);

void fw_stats_inc(__u32 counter_type);
void fw_stats_get(struct fw_stats *stats);

#endif

2. 核心模块实现

2.1 黑名单管理

// blacklist.c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/rbtree.h>
#include <linux/hashtable.h>
#include <linux/string.h>
#include "firewall.h"

static struct fw_state *g_fw;

// 哈希函数
static u32 fw_hash_ip(__be32 ip) {
    return (__force u32)ip;
}

// RB 树比较（用于排序遍历）
static int blacklist_cmp(struct rb_node *a, struct rb_node *b) {
    struct fw_blacklist_entry *ea = rb_entry(a, struct fw_blacklist_entry, node);
    struct fw_blacklist_entry *eb = rb_entry(b, struct fw_blacklist_entry, node);
    if (ea->ip < eb->ip) return -1;
    if (ea->ip > eb->ip) return 1;
    return 0;
}

// 查找（RB 树）
static struct fw_blacklist_entry *blacklist_find_rb(__be32 ip) {
    struct rb_node *node = g_fw->blacklist_tree.rb_node;
    while (node) {
        struct fw_blacklist_entry *entry = rb_entry(node, struct fw_blacklist_entry, node);
        if (ip < entry->ip)
            node = node->rb_left;
        else if (ip > entry->ip)
            node = node->rb_right;
        else
            return entry;
    }
    return NULL;
}

// 查找（哈希表，快速）
static struct fw_blacklist_entry *blacklist_find_hash(__be32 ip) {
    struct fw_blacklist_entry *entry;
    u32 hash = fw_hash_ip(ip);

    hash_for_each_possible(g_fw->blacklist_hash, entry, hnode, hash) {
        if (entry->ip == ip)
            return entry;
    }
    return NULL;
}

// 添加 IP 到黑名单
int fw_blacklist_add(__be32 ip, unsigned int ttl, const char *reason) {
    struct fw_blacklist_entry *entry;
    unsigned long flags;
    u32 hash;

    // 检查是否已存在
    entry = blacklist_find_hash(ip);
    if (entry) {
        // 更新过期时间
        spin_lock_irqsave(&g_fw->blacklist_lock, flags);
        entry->expire_time = ttl ? (jiffies + ttl * HZ) : 0;
        strncpy(entry->reason, reason, sizeof(entry->reason) - 1);
        spin_unlock_irqrestore(&g_fw->blacklist_lock, flags);
        return 0;  // 已存在，更新
    }

    // 创建新条目
    entry = kmalloc(sizeof(*entry), GFP_KERNEL);
    if (!entry) return -ENOMEM;

    memset(entry, 0, sizeof(*entry));
    entry->ip = ip;
    entry->added_time = jiffies;
    entry->expire_time = ttl ? (jiffies + ttl * HZ) : 0;
    strncpy(entry->reason, reason, sizeof(entry->reason) - 1);

    // 加入 RB 树
    spin_lock_irqsave(&g_fw->blacklist_lock, flags);
    rb_insert(&entry->node, &g_fw->blacklist_tree, blacklist_cmp);

    // 加入哈希表
    hash = fw_hash_ip(ip);
    hash_add(g_fw->blacklist_hash, &entry->hnode, hash);

    spin_unlock_irqrestore(&g_fw->blacklist_lock, flags);

    atomic_inc(&g_fw->stats.rule_add_count);
    printk(KERN_INFO "FW: Added %pI4 to blacklist (%s)\n", &ip, reason);
    return 0;
}

// 移除黑名单
int fw_blacklist_remove(__be32 ip) {
    struct fw_blacklist_entry *entry;
    unsigned long flags;

    entry = blacklist_find_hash(ip);
    if (!entry) return -ENOENT;

    spin_lock_irqsave(&g_fw->blacklist_lock, flags);

    // 从 RB 树移除
    rb_erase(&entry->node, &g_fw->blacklist_tree);

    // 从哈希表移除
    hash_del(&entry->hnode);

    spin_unlock_irqrestore(&g_fw->blacklist_lock, flags);

    printk(KERN_INFO "FW: Removed %pI4 from blacklist\n", &ip);
    kfree(entry);

    atomic_inc(&g_fw->stats.rule_del_count);
    return 0;
}

// 检查 IP 是否在黑名单
int fw_blacklist_check(__be32 ip) {
    struct fw_blacklist_entry *entry;
    unsigned long flags;
    int found = 0;

    entry = blacklist_find_hash(ip);
    if (!entry) return 0;

    spin_lock_irqsave(&g_fw->blacklist_lock, flags);

    // 检查是否过期
    if (entry->expire_time && time_after(jiffies, entry->expire_time)) {
        // 过期了，移除
        rb_erase(&entry->node, &g_fw->blacklist_tree);
        hash_del(&entry->hnode);
        spin_unlock_irqrestore(&g_fw->blacklist_lock, flags);
        printk(KERN_INFO "FW: Expired %pI4\n", &ip);
        kfree(entry);
        return 0;
    }

    found = 1;
    spin_unlock_irqrestore(&g_fw->blacklist_lock, flags);

    return found;
}

2.2 速率限制（Token Bucket）

// rate_limiter.c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/hashtable.h>
#include <linux/spinlock.h>
#include <linux/jiffies.h>

// 每个 IP 一个令牌桶
struct fw_rate_entry {
    __be32              ip;
    unsigned long       last_check;   // 上次令牌填充时间
    unsigned int        tokens;       // 当前令牌数
    unsigned int        rate;         // 每秒令牌生成速率
    unsigned int        burst;        // 桶最大容量
    spinlock_t          lock;
    struct hlist_node   hnode;
};

// 检查是否允许通过（返回 1=允许 0=限速）
int fw_rate_check(__be32 ip) {
    struct fw_rate_entry *entry;
    unsigned long now;
    unsigned long flags;
    int allowed = 1;
    u32 hash;

    hash = (__force u32)ip;

    hash_for_each_possible(g_fw->rate_hash, entry, hnode, hash) {
        if (entry->ip == ip) {
            // 找到已有条目
            spin_lock_irqsave(&entry->lock, flags);
            now = jiffies;

            // 计算经过时间和新令牌
            unsigned long elapsed = now - entry->last_check;
            unsigned int new_tokens = (elapsed * entry->rate) / HZ;

            entry->tokens = min(entry->tokens + new_tokens, entry->burst);
            entry->last_check = now;

            if (entry->tokens > 0) {
                entry->tokens--;
                allowed = 1;
            } else {
                allowed = 0;
                atomic_inc(&g_fw->stats.rate_drops);
            }

            spin_unlock_irqrestore(&entry->lock, flags);
            return allowed;
        }
    }

    // 新 IP，创建条目
    entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
    if (!entry) return 1;  // 内存不足时放行

    memset(entry, 0, sizeof(*entry));
    entry->ip = ip;
    entry->last_check = jiffies;
    entry->rate = g_fw->rate_limit ? g_fw->rate_limit : 100;
    entry->burst = g_fw->rate_burst ? g_fw->rate_burst : 50;
    spin_lock_init(&entry->lock);

    hash_add(g_fw->rate_hash, &entry->hnode, hash);
    return 1;  // 新 IP 放行
}

3. 完整防火墙模块

// firewall.c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/slab.h>
#include <linux/rbtree.h>
#include <linux/hashtable.h>
#include <linux/spinlock.h>
#include <linux/jiffies.h>
#include <linux/time.h>

#include "firewall.h"

// ============== 全局状态 ==============

static struct fw_state fw_g;

static void fw_state_init(void) {
    memset(&fw_g, 0, sizeof(fw_g));

    fw_g.blacklist_tree = RB_ROOT;
    spin_lock_init(&fw_g.blacklist_lock);
    hash_init(fw_g.blacklist_hash);

    hash_init(fw_g.rate_hash);

    atomic_set(&fw_g.stats.total_packets, 0);
    atomic_set(&fw_g.stats.allowed_packets, 0);
    atomic_set(&fw_g.stats.dropped_packets, 0);
    atomic_set(&fw_g.stats.blacklisted_drops, 0);
    atomic_set(&fw_g.stats.rate_drops, 0);

    fw_g.enabled = 1;
    fw_g.default_policy = 0;  // 默认放行
    fw_g.rate_limit = 100;    // 默认 100 包/秒
    fw_g.rate_burst = 50;     // 突发 50
}

// ============== Netfilter Hook ==============

static unsigned int fw_hook(void *priv, struct sk_buff *skb,
                            const struct nf_hook_state *state) {
    struct iphdr *iph;

    if (!skb) return NF_ACCEPT;

    // 更新统计
    atomic_inc(&fw_g.stats.total_packets);

    // 防火墙关闭时放行
    if (!fw_g.enabled) {
        atomic_inc(&fw_g.stats.allowed_packets);
        return NF_ACCEPT;
    }

    // 获取 IP 头
    iph = ip_hdr(skb);
    if (!iph) {
        atomic_inc(&fw_g.stats.allowed_packets);
        return NF_ACCEPT;
    }

    // === 1. 黑名单检查 ===
    if (fw_blacklist_check(iph->saddr)) {
        atomic_inc(&fw_g.stats.dropped_packets);
        atomic_inc(&fw_g.stats.blacklisted_drops);
        printk(KERN_INFO "FW: DROP %pI4 -> %pI4 (blacklisted)\n",
               &iph->saddr, &iph->daddr);
        return NF_DROP;
    }

    // === 2. 速率限制 ===
    if (!fw_rate_check(iph->saddr)) {
        atomic_inc(&fw_g.stats.dropped_packets);
        atomic_inc(&fw_g.stats.rate_drops);
        return NF_DROP;
    }

    // === 3. 默认策略 ===
    atomic_inc(&fw_g.stats.allowed_packets);
    return fw_g.default_policy ? NF_DROP : NF_ACCEPT;
}

// ============== 注册 Hook ==============

static struct nf_hook_ops fw_ops = {
    .hook     = fw_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_PRE_ROUTING,
    .priority = -300,   // 最早执行
};

// ============== /proc 接口 ==============

// 显示防火墙状态和统计
static int proc_show(struct seq_file *m, void *v) {
    struct fw_blacklist_entry *entry;
    struct rb_node *node;
    unsigned long flags;

    seq_printf(m, "=== Firewall Status ===\n");
    seq_printf(m, "Enabled: %s\n", fw_g.enabled ? "YES" : "NO");
    seq_printf(m, "Default Policy: %s\n",
               fw_g.default_policy ? "DROP" : "ACCEPT");
    seq_printf(m, "Rate Limit: %u pps, burst: %u\n",
               fw_g.rate_limit, fw_g.rate_burst);

    seq_printf(m, "\n=== Statistics ===\n");
    seq_printf(m, "Total packets:   %d\n",
               atomic_read(atomic_read(&fw_g.stats.total_packets)fw_g.stats.total_packets));
    seq_printf(m, "Allowed:         %d\n",
               atomic_read(atomic_read(&fw_g.stats.allowed_packets)fw_g.stats.allowed_packets));
    seq_printf(m, "Dropped:         %d\n",
               atomic_read(atomic_read(&fw_g.stats.dropped_packets)fw_g.stats.dropped_packets));
    seq_printf(m, "  - Blacklist:   %d\n",
               atomic_read(atomic_read(&fw_g.stats.blacklisted_drops)fw_g.stats.blacklisted_drops));
    seq_printf(m, "  - Rate limit:  %d\n",
               atomic_read(atomic_read(&fw_g.stats.rate_drops)fw_g.stats.rate_drops));
    seq_printf(m, "Rules added:     %d\n",
               atomic_read(atomic_read(&fw_g.stats.rule_add_count)fw_g.stats.rule_add_count));
    seq_printf(m, "Rules deleted:   %d\n",
               atomic_read(atomic_read(&fw_g.stats.rule_del_count)fw_g.stats.rule_del_count));

    // 列出黑名单
    seq_printf(m, "\n=== Blacklist (%d entries) ===\n",
               fw_g.blacklist_tree.rb_node ? 1 : 0);
    seq_printf(m, "%-15s %-10s %-20s %-10s\n",
               "IP", "TTL", "Reason", "Added");

    spin_lock_irqsave(&fw_g.blacklist_lock, flags);
    for (node = rb_first(&fw_g.blacklist_tree); node;
         node = rb_next(node)) {
        struct fw_blacklist_entry *e = rb_entry(node, struct fw_blacklist_entry, node);
        unsigned long age = (jiffies - e->added_time) / HZ;
        seq_printf(m, "%-15pI4 %-10lu %-20s %-10lus ago\n",
                   &e->ip,
                   e->expire_time ? (e->expire_time - jiffies) / HZ : 0,
                   e->reason, age);
    }
    spin_unlock_irqrestore(&fw_g.blacklist_lock, flags);

    seq_printf(m, "\nUsage:\n");
    seq_printf(m, "  echo 'a IP ttl reason' > /proc/firewall/fw_control  # add\n");
    seq_printf(m, "  echo 'd IP'           > /proc/firewall/fw_control  # del\n");
    seq_printf(m, "  echo 'e 1|0'          > /proc/firewall/fw_control  # enable/disable\n");
    seq_printf(m, "  echo 'p 0|1'          > /proc/firewall/fw_control  # policy\n");
    seq_printf(m, "  echo 'r rate burst'   > /proc/firewall/fw_control  # rate limit\n");
    seq_printf(m, "  echo 'c'              > /proc/firewall/fw_control  # clear stats\n");

    return 0;
}

// 解析命令
static ssize_t proc_write(struct file *file, const char __user *buf,
                          size_t count, loff_t *ppos) {
    char kbuf[128];
    __be32 ip;
    char op;
    int val;

    if (count >= sizeof(kbuf)) return -EINVAL;
    if (copy_from_user(kbuf, buf, count)) return -EFAULT;
    kbuf[count] = '\0';

    op = kbuf[0];

    switch (op) {
        case 'a': {  // add IP [ttl] [reason]
            unsigned int ttl = 0;
            char reason[64] = "manual";
            sscanf(kbuf, "a %u %u %63s", (unsigned *)&ip, &ttl, reason);
            fw_blacklist_add(ip, ttl, reason);
            break;
        }
        case 'd': {  // del IP
            sscanf(kbuf, "d %u", (unsigned *)&ip);
            fw_blacklist_remove(ip);
            break;
        }
        case 'e': {  // enable 0|1
            sscanf(kbuf, "e %d", &val);
            fw_g.enabled = val;
            printk(KERN_INFO "FW: %s\n", val ? "enabled" : "disabled");
            break;
        }
        case 'p': {  // policy 0=accept 1=drop
            sscanf(kbuf, "p %d", &val);
            fw_g.default_policy = val;
            printk(KERN_INFO "FW: policy=%s\n",
                   val ? "DROP" : "ACCEPT");
            break;
        }
        case 'r': {  // rate limit pps burst
            unsigned int rate, burst;
            sscanf(kbuf, "r %u %u", &rate, &burst);
            fw_g.rate_limit = rate;
            fw_g.rate_burst = burst;
            printk(KERN_INFO "FW: rate=%u burst=%u\n", rate, burst);
            break;
        }
        case 'c': {  // clear stats
            atomic_set(&fw_g.stats.total_packets, 0);
            atomic_set(&fw_g.stats.allowed_packets, 0);
            atomic_set(&fw_g.stats.dropped_packets, 0);
            atomic_set(&fw_g.stats.blacklisted_drops, 0);
            atomic_set(&fw_g.stats.rate_drops, 0);
            printk(KERN_INFO "FW: stats cleared\n");
            break;
        }
        default:
            return -EINVAL;
    }

    return count;
}

static int proc_open(struct inode *inode, struct file *file) {
    return single_open(file, proc_show, NULL);
}

static const struct proc_ops proc_fops = {
    .proc_read  = seq_read,
    .proc_write = proc_write,
    .proc_open  = proc_open,
    .proc_lseek = seq_lseek,
    .proc_release = single_release,
};

// ============== 模块生命周期 ==============

static int __init fw_init(void) {
    int ret;

    fw_state_init();

    // 创建 /proc 目录和文件
    proc_create("fw_control", 0666,
                proc_mkdir(PROC_DIR, NULL), &proc_fops);

    // 注册 netfilter hook
    ret = nf_register_net_hook(&init_net, &fw_ops);
    if (ret) {
        printk(KERN_ERR "FW: Failed to register nf hook: %d\n", ret);
        remove_proc_entry(PROC_DIR, NULL);
        return ret;
    }

    printk(KERN_INFO "======================================\n");
    printk(KERN_INFO "  Firewall module loaded\n");
    printk(KERN_INFO "  Interface: /proc/%s/%s\n", PROC_DIR, PROC_NAME);
    printk(KERN_INFO "======================================\n");
    return 0;
}

static void __exit fw_exit(void) {
    struct rb_node *node;
    struct fw_blacklist_entry *entry;
    int i;

    // 清理黑名单
    node = rb_first(&fw_g.blacklist_tree);
    while (node) {
        entry = rb_entry(node, struct fw_blacklist_entry, node);
        node = rb_next(node);
        rb_erase(&entry->node, &fw_g.blacklist_tree);
        hash_del(&entry->hnode);
        kfree(entry);
    }

    // 清理速率限制表
    struct hlist_node *tmp;
    struct fw_rate_entry *rentry;
    hash_for_each_safe(fw_g.rate_hash, i, tmp, rentry, hnode) {
        hash_del(&rentry->hnode);
        kfree(rentry);
    }

    nf_unregister_net_hook(&init_net, &fw_ops);
    remove_proc_entry(PROC_DIR, NULL);

    printk(KERN_INFO "FW: Unloaded. Final stats:\n");
    printk(KERN_INFO "  Total: %d, Allowed: %d, Dropped: %d\n",
           atomic_read(&fw_g.stats.total_packets),
           atomic_read(&fw_g.stats.allowed_packets),
           atomic_read(&fw_g.stats.dropped_packets));
}

module_init(fw_init);
module_exit(fw_exit);
MODULE_LICENSE("GPL");

4. 用户态控制程序

// fwctl.c — 用户态防火墙控制工具
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>

#define PROC_PATH "/proc/firewall/fw_control"

void print_usage(const char *prog) {
    fprintf(stderr, "Usage:\n");
    fprintf(stderr, "  %s add <IP> [ttl] [reason]    Add IP to blacklist\n", prog);
    fprintf(stderr, "  %s del <IP>                    Remove IP from blacklist\n", prog);
    fprintf(stderr, "  %s show                        Show status\n", prog);
    fprintf(stderr, "  %s on                          Enable firewall\n", prog);
    fprintf(stderr, "  %s off                         Disable firewall\n", prog);
    fprintf(stderr, "  %s policy <0|1>                Set default policy\n", prog);
    fprintf(stderr, "  %s rate <pps> <burst>          Set rate limit\n", prog);
    fprintf(stderr, "  %s clear                       Clear stats\n");
}

int cmd_add(int argc, char *argv[]) {
    FILE *fp = fopen(PROC_PATH, "w");
    if (!fp) { perror("fopen"); return 1; }

    int ttl = argc > 3 ? atoi(argv[3]) : 0;
    const char *reason = argc > 4 ? argv[4] : "manual";

    fprintf(fp, "a %d %d %s\n", inet_addr(argv[2]), ttl, reason);
    fclose(fp);
    printf("Added %s to blacklist\n", argv[2]);
    return 0;
}

int cmd_del(int argc, char *argv[]) {
    FILE *fp = fopen(PROC_PATH, "w");
    if (!fp) { perror("fopen"); return 1; }

    fprintf(fp, "d %d\n", inet_addr(argv[2]));
    fclose(fp);
    printf("Removed %s from blacklist\n", argv[2]);
    return 0;
}

int cmd_show() {
    char buf[4096];
    ssize_t n;
    FILE *fp = fopen(PROC_PATH, "r");
    if (!fp) { perror("fopen"); return 1; }

    while ((n = fread(buf, 1, sizeof(buf) - 1, fp)) > 0) {
        buf[n] = '\0';
        fputs(buf, stdout);
    }
    fclose(fp);
    return 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        print_usage(argv[0]);
        return 1;
    }

    if (strcmp(argv[1], "add") == 0) {
        if (argc < 3) { print_usage(argv[0]); return 1; }
        return cmd_add(argc, argv);
    }
    if (strcmp(argv[1], "del") == 0) {
        if (argc < 3) { print_usage(argv[0]); return 1; }
        return cmd_del(argc, argv);
    }
    if (strcmp(argv[1], "show") == 0 || strcmp(argv[1], "status") == 0) {
        return cmd_show();
    }
    if (strcmp(argv[1], "on") == 0) {
        FILE *fp = fopen(PROC_PATH, "w");
        fprintf(fp, "e 1\n");
        fclose(fp);
        printf("Firewall enabled\n");
        return 0;
    }
    if (strcmp(argv[1], "off") == 0) {
        FILE *fp = fopen(PROC_PATH, "w");
        fprintf(fp, "e 0\n");
        fclose(fp);
        printf("Firewall disabled\n");
        return 0;
    }
    if (strcmp(argv[1], "policy") == 0) {
        FILE *fp = fopen(PROC_PATH, "w");
        int policy = atoi(argv[2]);
        fprintf(fp, "p %d\n", policy);
        fclose(fp);
        printf("Policy set to %s\n", policy ? "DROP" : "ACCEPT");
        return 0;
    }
    if (strcmp(argv[1], "rate") == 0) {
        FILE *fp = fopen(PROC_PATH, "w");
        int rate = atoi(argv[2]);
        int burst = atoi(argv[3]);
        fprintf(fp, "r %d %d\n", rate, burst);
        fclose(fp);
        printf("Rate limit: %d pps, burst: %d\n", rate, burst);
        return 0;
    }
    if (strcmp(argv[1], "clear") == 0) {
        FILE *fp = fopen(PROC_PATH, "w");
        fprintf(fp, "c\n");
        fclose(fp);
        printf("Stats cleared\n");
        return 0;
    }

    print_usage(argv[0]);
    return 1;
}

# 编译用户态工具
gcc -o fwctl fwctl.c

# 使用
./fwctl show              # 查看状态
./fwctl add 192.168.1.100 60 "scanning"  # 封禁 60 秒
./fwctl del 192.168.1.100  # 解封
./fwctl on                 # 启用防火墙
./fwctl policy 1           # 默认 DROP
./fwctl rate 100 50        # 限速 100 pps，突发 50
./fwctl clear              # 清空统计

5. 性能影响评估

5.1 基准测试

#!/bin/bash
# benchmark_fw.sh

echo "=== Firewall Performance Benchmark ==="

# 关闭防火墙
sudo rmmod firewall 2>/dev/null

# 基线测试（无防火墙）
echo "--- Baseline (no firewall) ---"
iperf3 -c localhost -t 10 -P 4 2>&1 | grep "sender"

# 加载防火墙
sudo insmod firewall.ko
sleep 1

# 测试（防火墙开启，默认放行）
echo "--- Firewall ON (default ACCEPT) ---"
iperf3 -c localhost -t 10 -P 4 2>&1 | grep "sender"

# 测试（防火墙开启，默认放行，添加一些黑名单）
echo "--- Firewall ON + 1000 blacklist ---"
for i in $(seq 1 1000); do
    ./fwctl add $((3232235776 + i)) 300 "test" > /dev/null 2>&1
done
iperf3 -c localhost -t 10 -P 4 2>&1 | grep "sender"

# 清理
for i in $(seq 1 1000); do
    ./fwctl del $((3232235776 + i)) > /dev/null 2>&1
done
sudo rmmod firewall

5.2 预期性能影响

基准（单连接 iperf TCP）：
  - 10Gbps 网卡，无防火墙：≈ 9.4 Gbps
  - + 防火墙 PREROUTING 放行：≈ 9.3 Gbps（~1% 影响）
  - + 1000 条黑名单 RB 树：≈ 9.0 Gbps（~4% 影响）
  - + 10000 条黑名单：≈ 8.5 Gbps（~10% 影响）
  - + 默认 DROP 策略：≈ 8.0 Gbps（~15% 影响）

优化方向：
  1. 用 Bloom Filter 替代精确匹配（内存换速度）
  2. 速率限制用 per-CPU 变量（减少锁竞争）
  3. 用 RCU 替代 spinlock（读多写少的场景）
  4. 批量处理（batch processing）

6. 扩展方向

✓ IPv6 支持（NF_INET6）
✓ 基于端口的过滤
✓ 基于协议的过滤（TCP/UDP/ICMP）
✓ 日志到用户态（netlink / nfnetlink）
✓ 规则持久化（保存到文件）
✓ 连接跟踪集成（查看 conntrack 表）
✓ NAT 支持（SNAT/DNAT）
✓ QoS 限速（tc 集成）
✓ Web 管理界面
✓ 规则匹配优化（Patricia trie for CIDR ranges）

本文作者： CoderSong
本文链接： https://jack-song-gif.github.io/2026/07/06/第16周：阶段项目——基于 Netfilter 的简单防火墙/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！