Linux netfilter源码分析(1)

Linux netfilterÔ´Âë·ÖÎö(1)http://staff.ustc.edu.cn/~james/linux/netfilter-1.html

Linux netfilter源码分析(1)

内容基本上来自两篇文章:

《Netfilter源码分析》—（独孤九贱http://www.skynet.org.cn/index.php）

《Linux Netfilter实现机制和扩展技术》——（杨沙洲 国防科技大学计算机学院）

一、   IP报文的接收到hook函数的调用

1.1  ip_input.c    ip_rcv()函数

以接收到的报文为例，类似的还有ip_forward(ip_forward.c)和ip_output(ip_output.c)

int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
{

    struct iphdr *iph;   //定义一个ip报文的数据报头

    u32 len;

    if (skb->pkt_type == PACKET_OTHERHOST)
       goto drop;  //数据包不是发给我们的

    IP_INC_STATS_BH(IPSTATS_MIB_INRECEIVES); //收到数据包统计量加1

    if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)

   {

/* 如果数据报是共享的，则复制一个出来，此时复制而出的已经和socket脱离了关系 */
      IP_INC_STATS_BH(IPSTATS_MIB_INDISCARDS);
      goto out;
   }

   if (!pskb_may_pull(skb, sizeof(struct iphdr)))
     goto inhdr_error;  //对数据报的头长度进行检查，

 

   iph = skb->nh.iph;  //取得数据报的头部位置

  if (iph->ihl < 5 || iph->version != 4)  //版本号或者头长度不对，
    goto inhdr_error; //头长度是以4字节为单位的，所以5表示的是20字节

  if (!pskb_may_pull(skb, iph->ihl*4))
    goto inhdr_error;

 

  if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
     goto inhdr_error; //检查报文的检验和字段

  len = ntohs(iph->tot_len);
 if (skb->len < len || len < (iph->ihl*4))
    goto inhdr_error; //整个报文长度不可能比报头长度小

 if (pskb_trim_rcsum(skb, len))

 { //对数据报进行裁减，这样可以分片发送过来的数据报不会有重复数据
  IP_INC_STATS_BH(IPSTATS_MIB_INDISCARDS);
  goto drop;
 }

   return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
         ip_rcv_finish); //通过回调函数调用ip_rcv_finish

inhdr_error:
 IP_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
drop:
        kfree_skb(skb); //丢掉数据报
out:
        return NET_RX_DROP;
}

1.2  include/linux/netfilter.h  NF_HOOK宏

#ifdef CONFIG_NETFILTER_DEBUG

#define NF_HOOK(pf, hook, skb, indev, outdev, okfn)                     \

 nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN)

#define NF_HOOK_THRESH nf_hook_slow

#else

#define NF_HOOK(pf, hook, skb, indev, outdev, okfn)                     \

(list_empty(&nf_hooks[(pf)][(hook)])                                  \

 ? (okfn)(skb)                                                       \

 : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))

#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)       \

(list_empty(&nf_hooks[(pf)][(hook)])                                  \

 ? (okfn)(skb)                                                       \

 : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), (thresh)))

#endif

/*    如果nf_hooks[PF_INET][NF_IP_FORWARD]所指向的链表为空（即该钩子上没有挂处理函数），则直接调用okfn；否则，则调用net/core/netfilter.c::nf_hook_slow()转入Netfilter的处理。  */

1.3  net/core/netfilter.c  nf_hook_slow()函数

int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
                 struct net_device *indev,
                 struct net_device *outdev,
                 int (*okfn)(struct sk_buff *),
                 int hook_thresh)
{
        struct list_head *elem;
        unsigned int verdict;
        int ret = 0;

        rcu_read_lock();

        /*取得对应的链表首部*/
        elem = &nf_hooks[pf][hook];
next_hook:
        /*调用对应的钩子函数*/
        verdict = nf_iterate(&nf_hooks[pf][hook], pskb, hook, indev,
                             outdev, &elem, okfn, hook_thresh);

        /*判断返回值，做相应的处理*/
if (verdict == NF_ACCEPT || verdict == NF_STOP) {
         ret = 1;    /*前面提到过，返回1，则表示装继续调用okfn函数指针*/
         goto unlock;
    } else if (verdict == NF_DROP) {
         kfree_skb(*pskb);                /*删除数据包，需要释放skb*/
          ret = -EPERM;
    } else if (verdict == NF_QUEUE) {
          NFDEBUG("nf_hook: Verdict = QUEUE.\n");
              if (!nf_queue(*pskb, elem, pf, hook, indev, outdev, okfn))
               goto next_hook;
     }
unlock:
        rcu_read_unlock();
        return ret;
}

1.4   net/core/netfilter.c   nf_iterate()函数

static unsigned int nf_iterate(struct list_head *head,

                            struct sk_buff **skb,

                            int hook,

                            const struct net_device *indev,

                            const struct net_device *outdev,

                            struct list_head **i,

                            int (*okfn)(struct sk_buff *),

                            int hook_thresh)

{

       /*

        * The caller must not block between calls to this

        * function because of risk of continuing from deleted element.

        */

/* 依次调用指定hook点下的所有nf_hook_ops->(*hook)函数，这些nf_hook_ops里有filter表注册的，有mangle表注册的，等等。

list_for_each_continue_rcu函数是一个for循环的宏，当调用结点中的hook函数后，根据返回值进行相应处理。如果hook函数的返回值是NF_QUEUE,NF_STOLEN,NF_DROP时，函数返回该值；如果返回值是NF_REPEAT时，则跳到前一个结点继续处理；如果是其他值，由下一个结点继续处理。如果整条链表处理完毕，返回值不是上面四个值，则返回NF_ACCEPT。*/

       list_for_each_continue_rcu(*i, head) {

              struct nf_hook_ops *elem = (struct nf_hook_ops *)*i;

              if (hook_thresh > elem->priority)

                     continue;

              switch (elem->hook(hook, skb, indev, outdev, okfn)) {

              case NF_QUEUE:

                     return NF_QUEUE;

              case NF_STOLEN:

                     return NF_STOLEN;

              case NF_DROP:

                     return NF_DROP;

              case NF_REPEAT:

                     *i = (*i)->prev;

                     break;

              }

       }

       return NF_ACCEPT;

}