Shulou(Shulou.com)06/03 Report--

This article introduces the relevant knowledge of "how to achieve Netfilter". In the operation of actual cases, many people will encounter such a dilemma. Next, let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

1. Netfilter mount point

Let's first review the principle of Netfilter. Netfilter processes and filters data packets by registering hook functions at different stages of the network protocol stack, as shown in figure 1:

(figure 1 Netfilter mount point)

In figure 1, the blue part is where the Netfilter mounts the hook function, so Netfilter defines five constants to represent these five locations, as shown in the following code:

/ / File: include/linux/netfilter_ipv4.h # define NF_IP_PRE_ROUTING 0 # define NF_IP_LOCAL_IN 1 # define NF_IP_FORWARD 2 # define NF_IP_LOCAL_OUT 3 # define NF_IP_POST_ROUTING 4

The constant in the above code corresponds to the position where the hook function is mounted in figure 1, such as the constant NF_IP_PRE_ROUTING corresponds to the PRE_ROUTING in figure 1.

2. Netfilter hook function chain

As mentioned earlier, Netfilter filters and processes packets by mounting hook functions at different locations in the network protocol, and multiple hook functions can be mounted at each mount point, so Netfilter uses a linked list structure to store these hook functions, as shown in figure 2:

(figure 2 Netfilter hook function chain)

As shown in figure 2, each mount point of Netfilter uses a linked list to store a list of hook functions. In the kernel, an array called nf_hooks is defined to store these linked lists, as shown in the following code:

/ / File: net/core/netfilter.c struct list_head nf_hooks [32] [5]

The struct list_head structure is the general linked list structure of the kernel.

The nf_hooks variable is defined as a two-dimensional array, the first dimension is used to represent different protocols (such as IPv4 or IPv6, this article only discusses IPv4, so we can think of nf_hooks as an one-dimensional array), while the second dimension is used to represent different mount points, such as the five mount points in figure 2.

Third, hook function

Let's take a look at how hook functions are stored in Netfilter.

As we mentioned earlier, Netfilter stores hook functions through linked lists, while hook functions are described by the structure nf_hook_ops, which is defined as follows:

/ / File: include/linux/netfilter.h struct nf_hook_ops {struct list_head list; / / connect the hook function nf_hookfn * hook; / / hook function pointer int pf; / / protocol type int hooknum; / / chain where the hook function belongs to int priority; / / priority}

Let's explain the fields of the nf_hook_ops structure:

List: used to link hook functions at the same mount point.

Hook: hook function pointer, which is the function used to process or filter packets.

Pf: protocol type, used to specify where the hook function is mounted in the first dimension of the nf_hooks array, for example, the IPv4 protocol is set to PF_INET.

Hooknum: the chain (mount point) of the hook function, such as NF_IP_PRE_ROUTING.

Priority: the priority of the hook function, which is used to manage the order in which hook functions are called.

The hook field whose type is nf_hookfn,nf_hookfn is defined as follows:

/ / File: include/linux/netfilter.h typedef unsigned int nf_hookfn (unsigned int hooknum, struct sk_buff * * skb, const struct net_device * in, const struct net_device * out, int (* okfn) (struct sk_buff *))

Let's also introduce the role of each parameter of the nf_hookfn function:

Hooknum: the chain (mount point) of the hook function, such as NF_IP_PRE_ROUTING.

Skb: the packet object is the packet to be processed or filtered.

In: the device object that receives the packet.

Out: the device object that sends the packet.

Okfn: when all the hook functions at the mount point have processed the packet, this function will be called to proceed to the next step of processing the packet.

Register the hook function

After defining a hook function structure, you need to call the nf_register_hook function to register it in the nf_hooks array. The nf_register_hook function is implemented as follows:

/ / File: net/core/netfilter.c int nf_register_hook (struct nf_hook_ops * reg) {struct list_head * I; br_write_lock_bh (BR_NETPROTO_LOCK) / / A pair of nf_hooks is locked / / the priority field indicates the priority of the hook function / / so use the priority field to find the appropriate location of the hook function for (I = nf_ hooks [reg-> pf] [reg- > hooknum] .next; I! = & nf_ hooks [reg-> pf] [reg- > hooknum]; I = I-> next) {if (reg- > priority)

Priority) break;} list_add (& reg- > list, I-> prev); / / add hook functions to the linked list br_write_unlock_bh (BR_NETPROTO_LOCK); / / unlock return 0;} by a pair of nf_hooks

The implementation of the nf_register_hook function is relatively simple. The steps are as follows:

Lock nf_hooks to protect nf_hooks variables from concurrency competition.

The correct position in the linked list of hook functions is found by the priority of the hook function.

Insert the hook function into the linked list.

Unlock the nf_hooks.

The insertion process is shown in figure 3:

(figure 3 hook function insertion process)

As shown in figure 3, we want to insert the hook function with priority 20 into the PRE_ROUTING chain, while there are already two hook functions in the PRE_ROUTING chain, one with priority 10 and the other with priority 30.

By comparing with the priority of the hook function in the linked list, it is found that the new hook function should be inserted after the hook function with priority 10, so as shown in figure 3, the new hook function is inserted after the hook function with priority 10.

Trigger the call to the hook function

Hook functions have been saved on different chains, so when will these hook functions be triggered to process the packet?

To trigger a call to all hook functions at a mount point (chain), you need to use the NF_HOOK macro, which is defined as follows:

/ / File: include/linux/netfilter.h # define NF_HOOK (pf, hook, skb, indev, outdev, okfn)\ (list_empty (& nf_hooks [(pf)] [(hook)])\? (okfn) (skb)\: nf_hook_slow ((pf), (hook), (skb), (indev), (outdev), (okfn)

First, let's introduce the role of each parameter of the NF_HOOK macro:

Pf: protocol type, which is the first dimension of the nf_hooks array. For example, the IPv4 protocol is PF_INET.

Hook: the hook function on which chain (mount point) to call, such as NF_IP_PRE_ROUTING.

Indev: the device object that receives the packet.

Outdev: the device object that sends the packet.

Okfn: when all hook functions on the chain are processed, this function will be called to continue processing the packet.

The implementation of the NF_HOOK macro is also relatively simple, first determine whether the hook function linked list is empty, if it is empty, directly call the okfn function to deal with the data packet, otherwise call the nf_hook_slow function to deal with the data packet. Let's look at the implementation of the nf_hook_slow function:

/ File: net/core/netfilter.c int nf_hook_slow (int pf, unsigned int hook, struct sk_buff * skb, struct net_device * indev, struct net_device * outdev, int (* okfn) (struct sk_buff *)) {struct list_head * elem; unsigned int verdict; int ret = 0; elem = & nf_ hooks [PF] [hook] / / get the hook function linked list to be called / / traverse the hook function linked list, and call the hook function to process the data packet verdict = nf_iterate (& nf_ hooks [PF] [hook], & skb, hook, indev, outdev, & elem, okfn) / / if the processing result is NF_ACCEPT, indicating that the packet has been processed by all hook functions, then the okfn function is called to continue processing the packet / / if the result is NF_DROP, indicating that the packet is rejected, the packet switch (verdict) {case NF_ACCEPT: ret = okfn (skb); break should be discarded. Case NF_DROP: kfree_skb (skb); ret =-EPERM; break;} return ret;}

The implementation of the nf_hook_slow function is relatively simple, and the process is as follows:

First, call the nf_iterate function to traverse the linked list of hook functions, and call the hook function on the linked list to process the data packet.

If the result is NF_ACCEPT, which means that the packet is processed by all hook functions, then the okfn function is called to continue processing the packet.

If the processing result is NF_DROP, the packet is not processed by the hook function and should be discarded.

Since Netfilter calls the hook function on the hook function list by calling the NF_HOOK macro, where does the kernel call the macro?

For example, when a packet enters the ip_rcv function of the IPv4 protocol layer, the NF_HOOK macro is called to process the packet. The code is as follows:

/ / File: net/ipv4/ip_input.c int ip_rcv (struct sk_buff * skb, struct net_device * dev, struct packet_type * pt) {. Return NF_HOOK (PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, ip_rcv_finish);}

As shown in the code above, the NF_HOOK macro is called in the ip_rcv function to process the input packet, and the hook function chain (mount point) it calls is NF_IP_PRE_ROUTING. Okfn is set to ip_rcv_finish, that is, when all hook functions on the NF_IP_PRE_ROUTING chain successfully process the packet, the ip_rcv_finish function will be called to continue processing the packet.

"how to achieve Netfilter" content is introduced here, thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.