NF_HOOK_THRESH函数的参数thresh控制从何等优先级的hook函数开始执行,所以低于thresh优先级的函数将不会被遍历执行。hook函数的注册由nf_register_hook函数完成。priority的值越小优先级越高,所有注册的hook函数优先级由高到低排序。
int nf_register_hook(struct nf_hook_ops *reg)
{
list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
if (reg->priority < elem->priority)
break;
}
list_add_rcu(®->list, elem->list.prev);
}
THRESH初始
以下依据网桥bridge的NF_BR_PRE_ROUTING点为例,数据包首先进入网桥处理函数br_handle_frame,如果目的MAC不是链路本地地址(01:80:c2:00:00:0X),调用NF_HOOK进行NF_BR_PRE_ROUTING hook点的规则处理,NF_HOOK函数调用NF_HOOK_THRESH,此时传递的最后一个参数thresh为最小的有符号整数INT_MIN(0x80000000)。
static inline int NF_HOOK(uint8_t pf, unsigned int hook, ...)
{
return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN);
}
rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
{
NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, NULL, skb,
skb->dev, NULL, br_handle_frame_finish);
}
最终,thresh参数赋值给了nf_hook_state结构的变量state->thresh,查看hook点规则遍历函数nf_iterate可知,所有优先级大于阈值state->thresh的规则都将得到执行。由上可知,thresh的值为INT_MIN,已经是最小值了,所有注册的规则优先级都大于此值,都会执行。
unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, struct nf_hook_state *state, struct nf_hook_ops **elemp)
{
list_for_each_entry_continue_rcu((*elemp), head, list) {
if (state->thresh > (*elemp)->priority)
continue;
}
网桥netfilter HOOK点的优先级定义,优先级的类型为有符号整数:
enum nf_br_hook_priorities {
NF_BR_PRI_FIRST = INT_MIN,
NF_BR_PRI_NAT_DST_BRIDGED = -300,
NF_BR_PRI_FILTER_BRIDGED = -200,
NF_BR_PRI_BRNF = 0,
NF_BR_PRI_NAT_DST_OTHER = 100,
NF_BR_PRI_FILTER_OTHER = 200,
NF_BR_PRI_NAT_SRC = 300,
NF_BR_PRI_LAST = INT_MAX,
};
THRESH值改变
阈值thresh在什么地方改变呢?这里其实会涉及到规则的嵌套查找。继续看NF_BR_PRE_ROUTING hook点的处理,当执行到NF_BR_PRI_BRNF优先级的规则时,内核在此注册了一个br_nf_pre_routing处理函数。此函数会调用IPv4的NF_INET_PRE_ROUTING hook点规则,调用完后最后由函数br_nf_pre_routing_finish处理。
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
{
.hook = br_nf_pre_routing,
.owner = THIS_MODULE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_PRE_ROUTING,
.priority = NF_BR_PRI_BRNF,
},
}
调用上层IPv4的hook点处理后,返回NF_STOLEN,网桥NF_BR_PRE_ROUTING hook点的遍历将在此结束,难道意味着优先级在NF_BR_PRI_BRNF之后的规则都不会被执行。其实不然,在函数br_nf_pre_routing_finish中,内核会直接调用NF_HOOK_THRESH函数(非之前的NF_HOOK封装),此时thresh参数值传入1,根据上文介绍的函数nf_iterate可知,优先级大于1的规则将得到继续运行,即NF_BR_PRI_BRNF(=0)之后优先级的规则会执行。与br_handle_frame一致,遍历完成后交由br_handle_frame_finish处理。
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops, ...)
{
NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->sk, skb,
skb->dev, NULL, br_nf_pre_routing_finish);
return NF_STOLEN;
}
static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
{
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
skb->dev, NULL, br_handle_frame_finish, 1);
}
内核版本
linux-3.10.0