>>1. 在netfilter中有很多地方是返回负的值比如return -NF_ACCEPT,这是什么意思? 为什么要这样做?
这样做是为了在 ipt_do_table 中区分 standard target 的两种情况:verdict 为负值时表示判决(drop/accept 等,通过 -v-1 还原成正数的 NF_* 值),为正值时表示跳转到自定义链的偏移量。
if (!t->u.kernel.target->target) {
int v;
v = ((struct ipt_standard_target *)t)->verdict;
if (v < 0) {//drop(-1),accept(-2),stolen(-3),queue(-4),repeat(-5)
/* Pop from stack? */
if (v != IPT_RETURN) {
verdict = (unsigned)(-v) - 1;//转换成正数
break;
}
//return,返回
e = back;
back = get_entry(table_base,
back->comefrom);
continue;
}
//jump到自定义链或fallthrough
if (table_base + v
!= (void *)e + e->next_offset) {
//到自定义链
/* Save old back ptr in next entry */
struct ipt_entry *next
= (void *)e + e->next_offset;
next->comefrom
= (void *)back - table_base;
/* set back pointer to next entry */
back = next;
}
e = get_entry(table_base, v);
} else {//target
>>2. netfilter删除一个连接跟踪表项除了death_by_timeout外是否还有其他的删除方法?
有。在 ip_conntrack_proto_*.c 中,协议模块自己检测到连接无效时也可以删除该表项,例如 TCP 在还没收到回复就收到 RST 时:只有 del_timer 成功取消定时器才直接调用 timeout 函数(即 death_by_timeout)。
if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
//reset
if (del_timer(&conntrack->timeout))
//删除,death_by_timeout
conntrack->timeout.function((unsigned long)conntrack); |