資源描述:
《netfilter 架構(gòu)分析》由會(huì)員上傳分享�,免費(fèi)在線閱讀,更多相關(guān)內(nèi)容在行業(yè)資料-天天文庫����。
1、Netfilter架構(gòu)分析--基于Linux3.2.0一��、全局圖在文件net/netfilter/core.c中定義了一全局變量nf_hooks��,用于記錄鉤子點(diǎn)����。nf_hooks第一維代表協(xié)議數(shù),第二維代表鉤子數(shù)�����。structlist_headnf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]__read_mostly;net/netfilter/core.cnf_hooks中每個(gè)元素都是一個(gè)鏈表list_headEXPORT_SYMBOL(nf_hooks);nf_hookslistlistlistlistlistl
2��、istlistlistlistinclude/linux/netfilter.h鉤子點(diǎn)結(jié)構(gòu)體����,其中的hook是鉤子函數(shù)nf_register_hook()nf_hook_opsinclude/linux/netfilter.hxt_table結(jié)構(gòu)體,用于管理過濾規(guī)則listnet/netfilter/core.c調(diào)用nf_register_hook()將鉤子點(diǎn)掛載到全局變量nf_hooks的某個(gè)list上hookownerpfhooknumprioritylistvalid_hooksinclude/linux/netfilter.hxt_tabl
3、e_info結(jié)構(gòu)體�,記錄規(guī)則入口等信息privatemenet/netfilter/x_tables.c調(diào)用xt_hook_link(table,fn)將xt_table與nf_hook_ops關(guān)聯(lián)起來,并掛載鉤子點(diǎn)(xt_hook_link()內(nèi)部調(diào)用了nf_register_hooks())����。afprioritynamesizenumberinitial_entrieshook_entryunderflownet/ipv4/netfilter/ip_tables.c在ipt_do_table()中,通過hook_entry與entries獲得i
4���、pt_entry:get_entry(entries,hook_entry);stacksizestackptrjumpstackentriesipt_entryinclude/linux/netfilter_ipv4/ip_tables.hinclude/linux/netfilter/x_tables.h調(diào)用ipt_get_target(ipt_entry)獲得xt_entry_target調(diào)用xt_ematch_foreach()查找匹配信息ipnfcachetarget_offsetnext_offsetcomefromcountersel
5�����、ems[0]xt_entry_matchxt_entry_targetunionuunionusermatch_sizenamerevision;unionkernelmatch_sizematchmatch_sizeunionuunionusertarget_sizenamerevision;unionkerneltarget_sizetargettarget_sizeunsignedchardata[0]unsignedchardata[0]xt_matchxt_targetlistlistnamenamerevisionrevisioninc
6�����、lude/linux/netfilter/x_tables.hbool(*match)()uint(*target)()int(*checkentry)()int(*checkentry)()void(*destroy)()void(*destroy)()memetabletablematchsizetargetsizehookshooksprotoprotofamilyfamily一、鉤子函數(shù)(hook)與過濾規(guī)則表(xt_table)前面已經(jīng)提到���,鉤子函數(shù)與過濾規(guī)則的管理是通過全局變量nf_hooks來實(shí)現(xiàn)的�����,那么�����,什么時(shí)候會(huì)調(diào)用鉤子函數(shù)呢�?鉤
7、子函數(shù)又是如何利用已經(jīng)注冊(cè)好的過濾規(guī)則的呢����?在Linux內(nèi)核中定義了網(wǎng)絡(luò)數(shù)據(jù)包的流動(dòng)方向,數(shù)據(jù)包被網(wǎng)卡捕獲后�����,它在內(nèi)核網(wǎng)絡(luò)子系統(tǒng)里的傳輸路徑是:pre-routingàroute(inorforward)à(out)àpost-routing�����。在netfilter上注冊(cè)的鉤子函數(shù)如下所示(這些鉤子函數(shù)按它們被調(diào)用的順序排列):--->PRE------>[ROUTE]--->FWD---------->POST------>Conntrack
8�、Mangle^MangleMangle
9、Filter
10����、NAT(Src)NAT(Dst)
11、
12���、Conntrac
13���、k(QDisc)
14�、[ROUTE]v
15����、INFilterOUTConntrack
16、Conntrack^Mangle
17��、Mangl
