netfilter filter表(三)

多多是小坏熊

于 2023-04-27 21:34:17 发布

阅读量399

点赞数

文章标签：内核 linux netfilter 网络

本文链接：https://blog.csdn.net/weixin_46381158/article/details/130394935

版权

文章详细介绍了如何修改Linux内核中的netfilter表，特别是ipt_entry结构体中的信息打印和处理。通过示例代码展示了如何访问ipt_entry的目标偏移量、协议、源/目的IP等信息，并解释了ipt_standard_target的verdict字段。此外，还演示了一个实验，动态改变ipt_entry的处理方法，从NF_DROP更改为NF_ACCEPT，并验证了改动生效。

摘要由CSDN通过智能技术生成

修改《netfilter filter表(二)》的hello_open函数，将ipt_entry的信息打印处理，代码如下：

char* get_verdict(int verdict)
{
	verdict = -(verdict + 1);

	char* p = "";
	switch (verdict)
	{
		case NF_DROP:
			p = "NF_DROP";
			break;
		case NF_ACCEPT:
			p = "NF_ACCEPT";
			break;
		case NF_STOLEN:
			p = "NF_STOLEN";
			break;
		case NF_QUEUE:
			p = "NF_QUEUE";
			break;
		case NF_REPEAT:
			p = "NF_REPEAT";
			break;
		case NF_STOP:
			p = "NF_STOP";
			break;
		default:
		break;

	}

	return p;
}

void print_entry_info(struct ipt_entry* ipt_entry)
{
	printk("  ipt_entry.target_offset = %d\n", ipt_entry->target_offset);
	printk("  ipt_entry.next_offset = %d\n", ipt_entry->next_offset);
	printk("  ipt_entry.comefrom = %d\n", ipt_entry->comefrom);
	printk("  ipt_entry.ip.src = %X\n", ipt_entry->ip.src);
	printk("  ipt_entry.ip.smsk = %X\n", ipt_entry->ip.smsk);
	printk("  ipt_entry.ip.dst = %X\n", ipt_entry->ip.dst);
	printk("  ipt_entry.ip.dmsk = %X\n", ipt_entry->ip.dmsk);
	printk("  ipt_entry.ip.iniface = %s\n", ipt_entry->ip.iniface);
	printk("  ipt_entry.ip.outiface = %s\n", ipt_entry->ip.outiface);
	printk("  ipt_entry.ip.proto = %d\n", ipt_entry->ip.proto);
	printk("  ipt_entry.ip.flags = %d\n", ipt_entry->ip.flags);
	printk("  ipt_entry.ip.invflags = %d\n", ipt_entry->ip.invflags);

	struct xt_standard_target *t = (void*)ipt_entry +  ipt_entry->target_offset;
	printk("    xt_standard_target.verdict = %s\n", get_verdict(t->verdict));

	struct xt_target *target = t->target.u.kernel.target;
	if (NULL != target)
	{
		printk("      xt_target.name = %s\n", target->name);
		printk("      xt_target.revision = %d\n", target->revision);
		printk("      xt_target.table = %s\n", target->table);
		printk("      xt_target.targetsize = %d\n", target->targetsize);
		printk("      xt_target.usersize = %d\n", target->usersize);
		printk("      xt_target.hooks = %d\n", target->hooks);
		printk("      xt_target.proto = %d\n", target->proto);
		printk("      xt_target.family = %d\n", target->family);
	}
	else
	{
		printk("no target\n");
	}

	// 有match
	if (offsetof(struct ipt_entry, elems) != ipt_entry->target_offset)
	{
		printk("have match\n");
	}
	else
	{
		printk("no match\n");
	}
}

static int hello_open(struct inode* inode, struct file*filep)
{
	... ...

	ipt_entry = table_base + filter_info->hook_entry[NF_INET_LOCAL_IN];
	ipt_entry_end = table_base + filter_info->underflow[NF_INET_LOCAL_IN];

	while (1)
	{
		if (ipt_entry >= ipt_entry_end)
		{
			
			break;
		}

		print_entry_info(ipt_entry);

		ipt_entry = (void *)ipt_entry + ipt_entry->next_offset;
	}
	

	return 0;
}

其中iptable配置如下：

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 1.2.3.5 0.0.0.0/0
ACCEPT all -- !1.2.3.4 0.0.0.0/0

ipt_entry部分日志如下：

[ 538.451864] ipt_entry.target_offset = 112

[ 538.451865] ipt_entry.next_offset = 152

[ 538.451866] ipt_entry.comefrom = 2

[ 538.451866] ipt_entry.ip.src = 5030201

[ 538.451867] ipt_entry.ip.smsk = FFFFFFFF

[ 538.451868] ipt_entry.ip.dst = 0

[ 538.451868] ipt_entry.ip.dmsk = 0

[ 538.451869] ipt_entry.ip.iniface =

[ 538.451869] ipt_entry.ip.outiface =

[ 538.451870] ipt_entry.ip.proto = 6

[ 538.451871] ipt_entry.ip.flags = 0

[ 538.451871] ipt_entry.ip.invflags = 0

[ 538.451872] xt_standard_target.verdict = NF_DROP

[ 538.451873] xt_target.name =

[ 538.451873] xt_target.revision = 0

[ 538.451874] xt_target.table = (null)

[ 538.451874] xt_target.targetsize = 4

[ 538.451875] xt_target.usersize = 0

[ 538.451875] xt_target.hooks = 0

[ 538.451876] xt_target.proto = 0

[ 538.451877] xt_target.family = 2

[ 538.451877] no match

[ 538.451878] ipt_entry.target_offset = 112

[ 538.451878] ipt_entry.next_offset = 152

[ 538.451879] ipt_entry.comefrom = 2

[ 538.451879] ipt_entry.ip.src = 4030201

[ 538.451880] ipt_entry.ip.smsk = FFFFFFFF

[ 538.451880] ipt_entry.ip.dst = 0

[ 538.451881] ipt_entry.ip.dmsk = 0

[ 538.451882] ipt_entry.ip.iniface =

[ 538.451882] ipt_entry.ip.outiface =

[ 538.451883] ipt_entry.ip.proto = 0

[ 538.451883] ipt_entry.ip.flags = 0

[ 538.451884] ipt_entry.ip.invflags = 8

[ 538.451884] xt_standard_target.verdict = NF_ACCEPT

[ 538.451885] xt_target.name =

[ 538.451886] xt_target.revision = 0

[ 538.451886] xt_target.table = (null)

[ 538.451887] xt_target.targetsize = 4

[ 538.451887] xt_target.usersize = 0

[ 538.451888] xt_target.hooks = 0

[ 538.451888] xt_target.proto = 0

[ 538.451889] xt_target.family = 2

[ 538.451889] no match

根据上面信息，整理的关系图如下：

一个ipt_standard代表iptable表INPUT链中的一条配置,ipt_ip配置了源地址，目的地址等信息，其定义如下：

struct ipt_ip {

源地址与目的地址

struct in_addr src, dst;

源地址与目的地址的掩码

struct in_addr smsk, dmsk;

char iniface[IFNAMSIZ], outiface[IFNAMSIZ];

unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

协议 0 = ANY

IPPROTO_TCP 6

__u16 proto;

/* Flags word */

__u8 flags;

取反标记

#define IPT_INV_SRCIP 0x08 对源IP区反，对于第二条配置，就是源地址不是1.2.3.4的包

__u8 invflags;

};

ipt_ip表示的是标准匹配，如果有扩展匹配信息(结构体是：xt_match) ，保存在ipt_entry和xt_standard_target之间。本例中的两条配置，都不带扩展匹配，所以ipt_entry后面紧挨着xt_standard_target。是否包含扩展匹配信息，都可以通过ipt_entry的地址+target_offset，获取到xt_standard_target。

ipt_entry的地址+next_offset可以获取到下一个ipt_entry的地址。

ipt_standaard_target的verdict表示处理方法。对于标准的处理方法(如：DROP，ACCEPT)，将其取反后再减1(即：-(__verdict) - 1),赋给ipt_standaard_target的verdict。给verdict赋值，可以参考下面的宏。

#define IPT_STANDARD_INIT(__verdict) \

{ \

.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \

.target = XT_TARGET_INIT(XT_STANDARD_TARGET, \

sizeof(struct xt_standard_target)), \

.target.verdict = -(__verdict) - 1, \

}

最后做一个有趣的实验，将源地址为1.2.3.5的处理方法改成 NF_ACCEPT，代码如下：

void print_entry_info(struct ipt_entry* ipt_entry)
{
	... ...

	struct xt_standard_target *t = (void*)ipt_entry +  ipt_entry->target_offset;
	printk("    xt_standard_target.verdict = %s\n", get_verdict(t->verdict));

    // 新加的代码
	if (0x5030201 == ipt_entry->ip.src.s_addr)
	{
		t->verdict = -(NF_ACCEPT) - 1;
	}

	struct xt_target *target = t->target.u.kernel.target;
	if (NULL != target)
	{
		printk("      xt_target.name = %s\n", target->name);
		printk("      xt_target.revision = %d\n", target->revision);
		printk("      xt_target.table = %s\n", target->table);
		printk("      xt_target.targetsize = %d\n", target->targetsize);
		printk("      xt_target.usersize = %d\n", target->usersize);
		printk("      xt_target.hooks = %d\n", target->hooks);
		printk("      xt_target.proto = %d\n", target->proto);
		printk("      xt_target.family = %d\n", target->family);
	}
	... ...
}

更新驱动，调用用户空间测试程序，最后用iptables查下INPUT链的配置，查询结果如下：