netfilter框架分析.zip_netfilter_linux netfilter_网络

<html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta charset="utf-8"> <meta name="generator" content="pdf2htmlEX"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <link rel="stylesheet" href="https://static.pudn.com/base/css/base.min.css"> <link rel="stylesheet" href="https://static.pudn.com/base/css/fancy.min.css"> <link rel="stylesheet" href="https://static.pudn.com/prod/directory_preview_static/6268174f4c65f4125977f863/raw.css"> <script src="https://static.pudn.com/base/js/compatibility.min.js"></script> <script src="https://static.pudn.com/base/js/pdf2htmlEX.min.js"></script> <script> try{ pdf2htmlEX.defaultViewer = new pdf2htmlEX.Viewer({}); }catch(e){} </script> <title></title> </head> <body> <div id="sidebar" style="display: none"> <div id="outline"> </div> </div> <div id="pf1" class="pf w0 h0" data-page-no="1"><div class="pc pc1 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/6268174f4c65f4125977f863/bg1.jpg"><div class="c x0 y1 w2 h2"><div class="t m0 x1 h3 y2 ff1 fs0 fc0 sc0 ls0 ws0">1. netlter<span class="_ _0"> </span><span class="ff2 sc1">框架</span></div><div class="t m0 x1 h4 y3 ff3 fs1 fc1 sc0 ls0 ws0"><span class="ff2">是<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">内核中进行数据包过滤、连接跟踪、地址转换等的主要实现</span></div><div class="t m0 x1 h4 y4 ff2 fs1 fc1 sc0 ls0 ws0">框架。当我们希望过滤特定的数据包或者需要修改数据包的内容再发送出去，</div><div class="t m0 x1 h4 y5 ff2 fs1 fc1 sc0 ls0 ws0">这些动作主要都在<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>中完成。</div><div class="t m0 x1 h4 y6 ff3 fs1 fc1 sc0 ls0 ws0"><span class="_ _1"> </span><span class="ff2">工具就是用户空间和内核的<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">模块通信的手段，</span><span class="_ _1"> </span><span class="ff2">命</span></div><div class="t m0 x1 h4 y7 ff2 fs1 fc1 sc0 ls0 ws0">令提供很多选项来实现过滤数据包的各种操作，所以，我们在定义数据包过滤</div><div class="t m0 x1 h4 y8 ff2 fs1 fc1 sc0 ls0 ws0">规则时，并不需要去直接修改内核中的<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>模块，后面会讲到<span class="_ _1"> </span><span class="ff3"></span></div><div class="t m0 x1 h4 y9 ff2 fs1 fc1 sc0 ls0 ws0">命令如何作用于内核中的<span class="_ _1"> </span><span class="ff3"></span>。</div><div class="t m0 x1 h4 ya ff3 fs1 fc1 sc0 ls0 ws0"><span class="_ _1"> </span><span class="ff2">的实质就是定义一系列的<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点（挂钩），每个<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点上可以挂</span></div><div class="t m0 x1 h4 yb ff2 fs1 fc1 sc0 ls0 ws0">载多个<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>函数，<span class="ff3"><span class="_ _1"> </span></span>函数中就实现了我们要对数据包的内容做怎样的修改、</div><div class="t m0 x1 h4 yc ff2 fs1 fc1 sc0 ls0 ws0">以及要将数据包放行还是过滤掉。数据包进入<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>框架后，实际上就是依</div><div class="t m0 x1 h4 yd ff2 fs1 fc1 sc0 ls0 ws0">次经过所有<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>函数的处理，数据包的命运就掌握在这些<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>函数的手里。</div><div class="t m0 x1 h4 ye ff2 fs1 fc1 sc0 ls0 ws0">本文基于内核版本<span class="_ _1"> </span><span class="ff3"></span>。</div><div class="t m0 x1 h4 yf ff2 fs1 fc1 sc0 ls0 ws0">所有的<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>点都放在一个全局的二维数组，每个<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>点上的<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>函数按照</div><div class="t m0 x1 h4 y10 ff2 fs1 fc1 sc0 ls0 ws0">优先级顺序注册到一个链表中，注册的接口为<span class="_ _1"> </span><span class="ff3"></span>。这个二维</div><div class="t m0 x1 h4 y11 ff2 fs1 fc1 sc0 ls0 ws0">数组的定义如下：</div><div class="t m0 x1 h5 y12 ff3 fs1 fc1 sc0 ls0 ws0"> <span class="ff1">nf_hooks</span>!"#$%&%'(#$%&%)</div><div class="t m0 x1 h6 y13 ff3 fs1 fc1 sc0 ls0 ws0">!"(*+,%%-.)/01</div><div class="t m0 x1 h4 y14 ff2 fs1 fc1 sc0 ls0 ws0">其中<span class="_ _1"> </span><span class="ff3">"#$%&%'(#$%&%</span>为<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>支持的协议类型：</div><div class="t m0 x1 h6 y15 ff3 fs1 fc1 sc0 ls0 ws0">/2</div><div class="t m0 x1 h6 y16 ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%'.#345 67</div><div class="t m0 x1 h6 y17 ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%8#9: 5 7</div><div class="t m0 x1 h6 y18 ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%*$# 5 7</div><div class="t m0 x1 h6 y19 ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%;$8<=35 >7</div><div class="t m0 x1 h6 y1a ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%8#9 567</div><div class="t m0 x1 h6 y1b ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%<343&57</div><div class="t m0 x1 h6 y1c ff3 fs1 fc1 sc0 ls0 ws0"> "#$%&%'(#$%&%7</div><div class="t m0 x1 h6 y1d ff3 fs1 fc1 sc0 ls0 ws0">?1</div></div></div><div class="pi" data-data='{"ctm":[1.611850,0.000000,0.000000,1.611850,0.000000,0.000000]}'></div></div> </body> </html>

<div id="pf2" class="pf w0 h0" data-page-no="2"><div class="pc pc2 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/6268174f4c65f4125977f863/bg2.jpg"><div class="c x0 y1 w2 h2"><div class="t m0 x1 h4 y1e ff2 fs1 fc1 sc0 ls0 ws0">我们看到枚举值并不连续，这是为了和协议族定义的值保持一致，因为注册</div><div class="t m0 x1 h4 y1f ff3 fs1 fc1 sc0 ls0 ws0"><span class="_ _1"> </span><span class="ff2">函数的时候是根据协议族来注册的，如<span class="_ _1"> </span></span>#"83&5<span class="ff2">，则对应的</span></div><div class="t m0 x1 h4 y20 ff3 fs1 fc1 sc0 ls0 ws0">"#$%&%8#9:5<span class="ff2">。</span></div><div class="t m0 x1 h4 y21 ff3 fs1 fc1 sc0 ls0 ws0">"(*+,%%-.<span class="_ _1"> </span><span class="ff2">是每种协议最多可挂的<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点的个数，它的值是<span class="_ _1"> </span></span>@<span class="ff2">。如</span></div><div class="t m0 x1 h4 y22 ff3 fs1 fc1 sc0 ls0 ws0">8#A:<span class="_ _1"> </span><span class="ff2">挂了<span class="_ _1"> </span></span>B<span class="_ _1"> </span><span class="ff2">个，分别为：</span></div><div class="t m0 x1 h6 y23 ff3 fs1 fc1 sc0 ls0 ws0">/2</div><div class="t m0 x1 h6 y24 ff3 fs1 fc1 sc0 ls0 ws0"> "83&#$3$%'&8=7</div><div class="t m0 x1 h6 y25 ff3 fs1 fc1 sc0 ls0 ws0"> "83&%4*87</div><div class="t m0 x1 h6 y26 ff3 fs1 fc1 sc0 ls0 ws0"> "83&"%$C*$<7</div><div class="t m0 x1 h6 y27 ff3 fs1 fc1 sc0 ls0 ws0"> "83&%4*%'&7</div><div class="t m0 x1 h6 y28 ff3 fs1 fc1 sc0 ls0 ws0"> "83&#%.&$%'&8=7</div><div class="t m0 x1 h6 y29 ff3 fs1 fc1 sc0 ls0 ws0"> "83&'(,%%-.</div><div class="t m0 x1 h6 y2a ff3 fs1 fc1 sc0 ls0 ws0">?1</div><div class="t m0 x1 h4 y2b ff2 fs1 fc1 sc0 ls0 ws0">也就是说，对于<span class="_ _1"> </span><span class="ff3">8#A:<span class="_ _1"> </span></span>协议来讲，一共有<span class="_ _1"> </span><span class="ff3">B<span class="_ _1"> </span></span>个<span class="_ _1"> </span><span class="ff3"><span class="_ _1"> </span></span>点，这<span class="_ _2"> </span><span class="ff3">B<span class="_ _1"> </span></span>个<span class="_ _2"> </span><span class="ff3"><span class="_ _1"> </span></span>点上注册</div><div class="t m0 x1 h4 y2c ff2 fs1 fc1 sc0 ls0 ws0">的<span class="_ _2"> </span><span class="ff3"><span class="_ _3"> </span></span>函数放在下列链表中：</div><div class="t m0 x1 h7 y2d ff4 fs2 fc0 sc0 ls0 ws0">Hook<span class="_"> </span><span class="ff2">点<span class="_ _4"> </span>该<span class="_ _2"> </span></span>hook<span class="_ _2"> </span><span class="ff2">点上注册的<span class="_ _5"> </span></span>hook<span class="_"> </span><span class="ff2">函数链表的表头</span></div><div class="t m0 x1 h8 y2e ff4 fs2 fc0 sc0 ls0 ws0">NF_INET_PRE_ROUTING<span class="_ _6"> </span>nf_hooks[NFPROTO_IPV4][ NF_INET_PRE_ROUTING]</div><div class="t m0 x1 h8 y2f ff4 fs2 fc0 sc0 ls0 ws0">NF_INET_LOCAL_IN<span class="_ _7"> </span>nf_hooks[NFPROTO_IPV4][ NF_INET_LOCAL_IN]</div><div class="t m0 x1 h8 y30 ff4 fs2 fc0 sc0 ls0 ws0">NF_INET_FORWARD<span class="_ _8"> </span>nf_hooks[NFPROTO_IPV4][ NF_INET_FORWARD]</div><div class="t m0 x1 h8 y31 ff4 fs2 fc0 sc0 ls0 ws0">NF_INET_LOCAL_OUT<span class="_ _9"> </span>nf_hooks[NFPROTO_IPV4][ NF_INET_LOCAL_OUT]</div><div class="t m0 x1 h8 y32 ff4 fs2 fc0 sc0 ls0 ws0">NF_INET_POST_ROUTING<span class="_ _a"> </span>nf_hooks[NFPROTO_IPV4][ NF_INET_POST_ROUTING]</div><div class="t m0 x1 h4 y33 ff2 fs1 fc1 sc0 ls0 ws0">对于发往本地的数据包，会依次经过<span class="_ _2"> </span><span class="ff3">"83&#$3$%'&8=<span class="_ _3"> </span></span>和</div><div class="t m0 x1 h4 y34 ff3 fs1 fc1 sc0 ls0 ws0">"83&%4*8<span class="_ _2"> </span><span class="ff2">两个<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点的处理。</span></div><div class="t m0 x1 h4 y35 ff2 fs1 fc1 sc0 ls0 ws0">对于本地向外发出去的数据包，会依次经过<span class="_ _2"> </span><span class="ff3">"83&%4*%'&<span class="_ _3"> </span></span>和</div><div class="t m0 x1 h4 y36 ff3 fs1 fc1 sc0 ls0 ws0">"83&#%.&$%'&8=<span class="_ _1"> </span><span class="ff2">两个<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点的处理。</span></div><div class="t m0 x1 h4 y37 ff2 fs1 fc1 sc0 ls0 ws0">对于经过本机转发的数据包，会依次经过</div><div class="t m0 x1 h4 y38 ff3 fs1 fc1 sc0 ls0 ws0">"83&#$3$%'&8=<span class="ff2">、</span>"83&"%$C*$<<span class="_ _1"> </span><span class="ff2">和</span></div><div class="t m0 x1 h4 y39 ff3 fs1 fc1 sc0 ls0 ws0">"83&#%.&$%'&8=<span class="_ _1"> </span><span class="ff2">三个<span class="_ _1"> </span></span><span class="_ _1"> </span><span class="ff2">点的处理。</span></div></div></div><div class="pi" data-data='{"ctm":[1.611850,0.000000,0.000000,1.611850,0.000000,0.000000]}'></div></div>