DNP3 Firewall

Following on from my previous post regarding the implementation of a Linux kernel module for application level Modbus protocol filtering, I have scratched a further itch and implemented a similar Linux kernel module for DNP3. This new filter kernel module – and corresponding patch for iptables 1.6, required in order to allow the specification and manipulation of firewall rules using DNP3 protocol nomenclature – can be found at

The implementation of this filter for DNP3 proved to be a more complex (and in turn, interesting) affair due to the complex, multi-layer structure of the DNP3 packet format and ability for DNP3 fragments to be transmitted across multiple TCP/IP packets.  At this point in time, this filter permits the filtering of DNP3 messages based on station addresses (source and destination) and function codes (such as read, write, cold restart, etc) – This is intended to allow for the implementation of an application firewall rule-set, likely to meet the basic requirements of the majority of intended use-cases.

Continue reading


Modbus Firewall

While my employment has drawn me away from development work and work in the industrial automation space, I have continued to work on a number of smaller projects related to the open source IEC 61131-3 Virtual Machine.  One such project has been the development of a Modbus application protocol network filter for the Linux kernel.

While a Modbus filter for Linux has made available by Venkat Pothamsetty and Matthew Franz previously and provided for download from Sourceforge. The most recent version of this code dated from 2004 however was written for Linux kernel 2.6.16 and no longer compiles against recent Linux kernel versions. To this end, this new filter match module for Modbus has been written and includes Modbus frame matching features beyond that available in the previous work by Pothamsetty and Franz.

This new Modbus filter kernel module – and corresponding patch for iptables 1.6, required in order to allow the specification and manipulation of firewall rules using Modbus protocol nomenclature – can be found at

Continue reading

HOWTO Guides

After having received some correspondence with questions about how elements of the IEC 61131-3 virtual machine operations, I have had the idea that there would be value in my spending some time to write some “how to” documents on the development and usage of the IEC 61131-3 virtual machine.  I would envisage that such documents would aid other developers looking in their employ of the IEC 61131-3 virtual machine, providing a clear road-map for such development.

The question remains however, what topics to cover?  At the outset I would envisage the following topics as having merit:

  • Writing IEC 61131-3 virtual machine drivers;
  • Interfacing I/O with IEC 61131-3 virtual machine drivers;
  • Implementing communication protocols;

I wonder though what topics others would like to see me document in this manner?

Function Blocks

I have just pushed a commit through to Bitbucket for this project which implements function block operations for the IEC 61131-3 virtual machine. While still undergoing testing and further development, the implementation of this functionality addresses a major omission of functionality within the IEC 61131-3 virtual machine to date.

Surprisingly, the major effort associated with this functionality was associated with the implementation of the C library interface, allowing for function blocks to be written in both IEC 61131-3 languages and C, rather than the implementation of function block operations per se.  To date, only the edge detection function blocks (F_TRIG and R_TRIG) have been implemented in the external C library for execution by the IEC 61131-3 virtual machine run-time, but next immediate task will be to extend this implementation to cover all standard function blocks defined within the IEC 61131-3 standard such that these are all immediately available, in the most optimised manner, from within the run-time environment.

Nevertheless, the rudiments of this functionality is now in place and available to be pulled from the git repository on Bitbucket.

Continuing Development

After a short diversion to work on the Modbus protocol interface, work has resumed on the IEC 61131-3 compiler and virtual machine.  This development effort is primarily focused on the implementation of support for function blocks, the primary omission in the scope of IEC 61131-3 support within the project at this point.

Embedded Modbus Library

Building upon the efforts undertaken to implement a primitive Modbus protocol interface for the IEC 61131-3 virtual machine environment, I have spent some time consolidating this development and have released an embedded Modbus slave protocol library.  This protocol library implements support for the most common Modbus operations including:

  • Read coils (function code 1);
  • Read discrete inputs (function code 2);
  • Read holding registers (function code 3);
  • Read input registers (function code 4);
  • Write single coil (function code 5);
  • Write single register (function code 6);
  • Write multiple coils (function code 15);
  • Write multiple registers (function code 16);
  • Write mask register (function code 22); and
  • Read write multiple holding registers (function code 23).

In this initial implementation, this library primary supports Modbus TCP operations – aligned with the initial implementation of Modbus operations on the IEC 61131-3 virtual machine – but there is scope for both Modbus RTU and Modbus ASCII implementations within the code base.  Additionally, this library has been implemented with a keen awareness of portability for different platforms and as such includes distinct APIs for database and target platform integration.

This embedded Modbus slave C library can be obtained from GIT at  Similar to the IEC 61131-3 virtual machine project, this library is licensed under CC BY-NC 4.0.

Modbus Interface

In order to improve accessibility of the IEC 61131-3 virtual machine for external developers, I have committed code which provides a basic Modbus TCP protocol interface for the IEC 61131-3 virtual machine. The protocol was originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Since this time, this protocol has become the de facto standard for communication with a range of industrial devices including programmable logic controllers, data loggers and smart instrumentation.  See and

Medford Modbus Viewer

While this interface is still under development, the basic interface that is in place now allows for 16-bit integer values to be read from the virtual machine environment by external data visualisation packages – The package that I have used for evaluation purposes above is from This interface in turn provides a greater level flexibility for the monitoring of byte code under evaluation within the IEC 61131-3 virtual machine environment.