论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2015-05-05 23:32 |只看该作者 |倒序浏览

HOOK函数的调用过程应该是：
#define NF_HOOK--->#define NF_HOOK_THRESH--->nf_hook_thresh--->nf_hook_slow--->nf_iterate--->elem->hook ---->ipt_hook---->ipt_do_table

我一直没搞清楚的是：nf_iterate中的elem->hook怎么跳转到函数ipt_hook ? 求大神！谢谢！

下附nf_iterate()代码：

unsigned int nf_iterate(struct list_head *head,
struct sk_buff **skb,
int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct list_head **i,
int (*okfn)(struct sk_buff *),
int hook_thresh)
{
unsigned int verdict;

/*
   * The caller must not block between calls to this
   * function because of risk of continuing from deleted element.
   */
list_for_each_continue_rcu(*i, head) {
struct nf_hook_ops *elem = (struct nf_hook_ops *)*i;

if (hook_thresh > elem->priority)
continue;

/* Optimization: we don't need to hold module
               reference here, since function can't sleep. --RR */
verdict = elem->hook(hook, skb, indev, outdev, okfn);
if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
if (unlikely((verdict & NF_VERDICT_MASK)
> NF_MAX_VERDICT)) {
NFDEBUG("Evil return from %p(%u).\n",
         elem->hook, hook);
continue;
}
#endif
if (verdict != NF_REPEAT)
return verdict;
*i = (*i)->prev;
}
}
return NF_ACCEPT;
}

文库|博客

philarlala

稍有积蓄

论坛徽章:: 1

2楼 [报告]

发表于 2015-05-06 22:15 |只看该作者

可以看一下net/ipv4/netfilter/iptable_filter.c中的init函数

static int __init iptable_filter_init(void)
{
      int ret;

      ret = register_pernet_subsys(&iptable_filter_net_ops);
      if (ret < 0)
            return ret;

      /* Register hooks */
      filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook);
/*filter_ops应该就是elem，iptables_filter_hook就是你上面说ipt_hook，elem的hook就是iptables_filter_hook,在iptables_filter_hook中会返回ipt_do_table*/

      if (IS_ERR(filter_ops)) {
            ret = PTR_ERR(filter_ops);
            unregister_pernet_subsys(&iptable_filter_net_ops);
      }

      return ret;
}

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cvgcv

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2015-05-06 23:29 |只看该作者

多谢！我学习下看！回复 2# philarlala

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cvgcv

白手起家

论坛徽章:: 0

4楼 [报告]

发表于 2015-05-07 00:19 |只看该作者

请问下，我的iptable_filter的init函数怎么和你的不一样？我用的内核是2.6.20的！

static int __init iptable_filter_init(void)
{
int ret;

if (forward < 0 || forward > NF_MAX_VERDICT) {
printk("iptables forward must be 0 or 1\n");
return -EINVAL;
}

/* Entry 1 is the FORWARD hook */
initial_table.entries[1].target.verdict = -forward - 1;

/* Register table */
ret = ipt_register_table(&packet_filter, &initial_table.repl);
if (ret < 0)
return ret;

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
goto cleanup_table;

return ret;

cleanup_table:
ipt_unregister_table(&packet_filter);
return ret;
}
回复 2# philarlala