首页    技术博客    PHP教程    数据库技术    前端开发   HTML5    Nginx    php论坛
新用户注册 | 会员登录
加入会员,解锁专属内容
取消
热门标签 | HotTags
当前位置:  开发笔记 > 编程语言 > 正文

网络过滤器钩子注册与网络子系统-Netfilterhookregistrationwithnetworkingsubsystem

作者:做条温顺的鱼_169 | 来源:互联网 | 2023-10-10 19:19
WhileexploringnetfilterfunctionalityItriedtowriteasimplenetfiltermoduleandregistereda

While exploring netfilter functionality I tried to write a simple netfilter module and registered a hook as follows:

在探索netfilter功能的同时,我尝试编写一个简单的netfilter模块,并注册了一个钩子如下:

    dhcp_nfho.owner             = THIS_MODULE;
    dhcp_nfho.hook              = dhcp_hook_function;
    dhcp_nfho.hooknum           = NF_INET_POST_ROUTING;
    dhcp_nfho.priority          = NF_IP_PRI_FIRST;
    dhcp_nfho.pf            = PF_INET; // not on bridge interface
    nf_register_hook(&dhcp_nfho);

I looked into the code of nf_register_hook in the LXR page: (3.13 version)

我在LXR页面中查看了nf_register_hook的代码:(3.13版本)

int nf_register_hook(struct nf_hook_ops *reg)
 69 {
 70         struct nf_hook_ops *elem;
 71         int err;
 72 
 73         err = mutex_lock_interruptible(&nf_hook_mutex);
 74         if (err <0)
 75                 return err;
 76         list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
 77                 if (reg->priority priority)
 78                         break;
 79         }
 80         list_add_rcu(®->list, elem->list.prev);
 81         mutex_unlock(&nf_hook_mutex);
 82 #if defined(CONFIG_JUMP_LABEL)
 83         static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
 84 #endif
 85         return 0;
 86 }

What is this 2D linked list nf_hooks[PF][hooknum]. It looks like for each protocol family there is a list of PRE/INPUT/FORWARD/OUTPUT/POST hooks?

这个二维链表nf_hooks[PF][hooknum]是什么?似乎每个协议族都有一个预/输入/前向/输出/后向钩子的列表?

How is this 2D array used by the netfilter sub system ?

netfilter子系统如何使用这个2D数组?

And is the netfilter subsystem code interacting with the network driver code? (since the hooks are processed in Soft-irq and the network driver also uses soft-irq's to process the packets)?

netfilter子系统代码与网络驱动程序代码交互吗?(因为钩子是在软irq中处理的,网络驱动也使用软irq来处理数据包)?

Where can I find the code that invokes the Netfilter Hooks once a packet is recvd by the driver?

一旦数据包被驱动程序接收,我在哪里可以找到调用Netfilter钩子的代码?

1 个解决方案

#1

2  

You are correct. For each protocol family, there is indeed a list of hooks, which are actually set by the PF itself (eg. NFPROTO_BRIDGE has a BROUTE hooklist, but neither IPv4 or IPv6 does).

你是正确的。对于每个协议族,确实有一个钩子列表,这些钩子实际上是由PF本身设置的(例如)。NFPROTO_BRIDGE有BROUTE hooklist,但IPv4和IPv6都没有)。

When a packet comes in to a logical network interface (ethernet bridge, ethernet interface, etc), it will get passed around the stack. If it is an IPv4 packet, it eventually ip_rcv() will get called. This will call the NF_INET_PRE_ROUTING hooks before continuing on to the packet routing proper. Similarly, ip_output calls the NF_INET_POST_ROUTING hooks before actually sending the packet on its way.

当数据包到达逻辑网络接口(以太网网桥、以太网接口等)时,它将在堆栈中传递。如果它是一个IPv4包,那么最终会调用ip_rcv()。这将调用NF_INET_PRE_ROUTING钩子,然后继续执行包路由。类似地,ip_output在实际发送数据包之前调用NF_INET_POST_ROUTING钩子。

Putting the Netfilter hooks into the main networking code allows the network interface drivers themselves to be blissfully ignorant of the whole process.

将Netfilter钩子放入主网络代码中,可以使网络接口驱动程序本身对整个过程一无所知。

To get a better idea of how this all flows, check out http://lxr.free-electrons.com/source/net/ipv4/ip_input.c and http://lxr.free-electrons.com/source/net/ipv4/ip_output.c. You'll see the NF_HOOK and NF_HOOK_COND macros being called when packets transition to different layers, etc.

要更好地了解这一切是如何流动的,请查看http://lxr.free-electrons.com/source/net/ipv4/ip_input.c和http://lxr.free- electrons.com/source/ipv4/ip_output.c。当包转换到不同层时,您将看到调用NF_HOOK和NF_HOOK_COND宏,等等。


推荐阅读
author-avatar
做条温顺的鱼_169
这个家伙很懒,什么也没留下!
Tags | 热门标签
RankList | 热门文章
PHP1.CN | 中国最专业的PHP中文社区 | DevBox开发工具箱 | json解析格式化 |PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | 在线工具
Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved | 京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有