https://blog.csdn.net/ruisenabc/article/details/87920528
Overview Netfilter
Netfilter / IPTables is the next generation after Linux2.4.x Linux firewall mechanism, is a subsystem of the linux kernel. Netfilter modular design, with good scalability. Netfilter important tool module architecture IPTables iptables connection from the user mode to the kernel mode, the IP protocol stack is Netfilter seamless fit, and allow the user to filter the data packets, address translation, processing and other operations.
The main source code file
Linux kernel version: 2.4.x more
Netfilter master file: net / core / netfilter.c
Netfilter main header file: include / linux / netfilter.h
IPv4 Related:
c file: net / ipv4 / netfilter / * c.
Header file: include / linux / netfilter_ipv4.h
include/linux/netfilter_ipv4/*.h
IPv4 protocol stack body portion c files, in particular with the datagram section relating to the process of:
ip_input.c,ip_forward.c,ip_output.c,ip_fragment.c等
DETAILED function module
data packet filtering module
connection tracking module (Conntrack)
NAT module (NAT)
Datagram modification module (the mangle)
Other advanced features modules
Netfilter achieve
Netfilter mainly through the table, chain realize the rules, so to speak, Netfilter is a table of container, the table is a chain container, chain is the rule container, eventually realize the datagram processing rules.
Data transmission in the protocol stack in the process, from top to bottom is the "head plus" process, each layer of data is reaching the layer will add header; at the same time, the data receiving party is a "peel after the first "process, from the card to close the bag, the head of each strip sequentially transfer process to the upper layer protocol stack, there is the final user of the data bare.
For each packet received, both from point "A" in, after routing decision, if it is sent on to the machine through the point "B", and then to continue to pass the upper layer protocol stack; otherwise, if the data packet destination machine is not present, then through the point "C", and then along the point "E" the packet is forwarded.
For each data packet transmitted, there is a first routing decisions, in order to determine the interface from which the packet is out, and then through point "D", but also along the last point "E" the packet is sent.
Stack the five key points A, B, C, D and E is where we flex its muscles in the Netfilter.
Netfilter is a subsystem Linux 2.4.x introduced as a generic, abstract framework that provides a set of management mechanism hook function, such as packet filtering, network address translation (NAT) and a connection-based protocol type track as possible. Netfilter below in the position shown in the kernel:
The picture is very intuitive relationship between the reaction based on Netfilter ip_tables module iptables kernel space and user space, and its communication mode, and in which the role Netfilter played.
Netfilter in a five point rename this netfilter_ipv4.h of a name, as shown below:
In each of the keys, there are many priority has been registered in advance in accordance with the callback function (referred to as "hook function") impacted at these critical points, forming a chain. For each incoming packet in turn by those callbacks "molested" and then some, as the case is to be released, discarded or how drop. But in any case, the final callback functions must be reported to the Netfilter about life and death situation packets, each packet because after all there is Netfilter stack seconded to the brothers come from people Happy protocol, then how do a drop gotta " live to see people die to see the corpse "it. Each hook function must eventually return the following to one of several values on Netfilter:
1. NF_ACCEPT continue normal transmission of data packets. The return value tells Netfilter: So far, the packet is accepted and the data packets should be submitted to the next phase of the network protocol stack.
2. NF_DROP discard the packet, no transmission.
3. NF_STOLEN module takes over the datagram, tells Netfilter "forget" the datagram. The callback function will start from processing of the data packets, and Netfilter should give up the packets do any processing. However, this does not mean that the resource data packet has been released. The packet data structure and sk_buff it alone is still valid, but the callback function gets ownership of the data packets from Netfilter.
4. NF_QUEUE the datagram queuing (commonly used to process the data reported to the user space for processing)
5. NF_REPEAT calls the callback function again, this value should be used with caution in order to avoid an endless loop.
To make us look more professional, we started doing conventions: behind the five key points mentioned above, we call them hook point, the callback function for each hook point those registered are referred to as hook function.
Netfilter Linux kernel version 2.6 currently supports IPv4, IPv6 and DECnet protocol stack, etc., where we focus on the IPv4 protocol. On protocol type, point hook, hook function, priority, by everyone to be below this figure show details:
For each type of protocol, the data packets are sequentially transmitted in the direction of the hook point, and each hook point Netfilter in accordance with the priorities were a lot of hook functions. These hook function is used to process packets.
Netfilter using NF_HOOK (include / linux / netfilter.h) macros inside Netfilter cut into stack frame. Compared to version 2.4, version 2.6 kernel on the definition of this macro is even more flexible, defined as follows:
#define NF_HOOK (PF, Hook, SKB, Indev, outdev, okfn) \
NF_HOOK_THRESH (PF, Hook, SKB, Indev, outdev, okfn, INT_MIN) 2
explanations of the various parameters of the macro NF_HOOK:
. 1) PF: protocol family name, the Netfilter architecture can also be used outside the IP layer, there may also be variable so as PF_INET6, PF_DECnet other names.
2) hook: HOOK point name, for the IP layer, is to take the above five values;
. 3) SKB: a network device cache;
. 4) Indev: incoming packet devices to struct net_device structure represented;
. 5) outdev : packet out device to a structure represented struct net_device;
(will be seen later, the above five parameters are passed to the processing function nf_register_hook registered.)
6) okfn: a function pointer, if all of the functions of all registered HOOK point after call, turn down this process.
While a macro is NF_HOOK_THRESH:
#define NF_HOOK_THRESH (PF, Hook, SKB, Indev, outdev, okfn, Thresh) \
({int__ret; \
IF ((__ret = nf_hook_thresh (PF, Hook, & (SKB), Indev, outdev , okfn, thresh,. 1)) ==. 1) \
__ret = (okfn) (SKB); \
__ret;})
we found an increase of only a macro NF_HOOK_THRESH thresh parameter this parameter is used to specify the macro to traverse through the hook the priority of the function, at the same time, which in turn calls the internal macro nf_hook_thresh function:
static inline int nf_hook_thresh (int PF, unsignedInt Hook,
struct sk_buff ** pskb,
struct net_device * Indev,
struct the net_device * outdev,
int (* okfn) (struct the sk_buff *), int Thresh,
int cond)
{
IF (cond)!
return. 1;
#ifndef CONFIG_NETFILTER_DEBUG
IF (list_empty (& nf_hooks [PF] [Hook]))
return. 1;
#endif
return nf_hook_slow (PF, Hook, pskb, Indev, outdev, okfn, Thresh);
}
this function has only one parameter cond increased, this parameter is 0 abandon the traverse, and the function is not executed okfn; 1 is performed nf_hook_slow order to complete traversal okfn hook function (priority performed sequentially from small to large).
Defines a two-dimensional array of structures in the net / netfilter / core.h file for storing different protocol stacks callback handler hook point.
struct list_head nf_hooks [NPROTO] [NF_MAX_HOOKS ];
wherein NPROTO 32 rows, i.e., the maximum currently supported by the kernel protocol stack; NF_MAX_HOOKS number of columns is the number of the mount point, the current in the kernel is 8 2.6. The final structure as shown in FIG nf_hooks array.
In the include / linux / socket.h the IP protocol AF_INET (PF_INET) Serial No. 2, we can get the function hook mount point TCP / IP protocol suite are:
the PRE_ROUTING: nf_hooks [2] [0]
the LOCAL_IN: nf_hooks [2] [. 1]
the FORWARD: nf_hooks [2] [2]
the LOCAL_OUT: nf_hooks [2] [. 3]
POST_ROUTING: nf_hooks [2] [. 4]
Simply put, data reported through various HOOK process is as follows:
After entering the data packet from the system, the IP check, first through a first processing NF_IP_PRE_ROUTING HOOK function; then proceeds to route the code, which determines the datagram is to be forwarded or sent to the machine; If the data message is sent the present machine, the data is subjected to after HOOK function NF_IP_LOCAL_IN process then passed to the upper protocol; if the data packet should be forwarded it is NF_IP_FORWARD treatment; after forwarding data packets through after the last HOOK function NF_IP_POST_ROUTING processing, and then transmitted to online. Locally generated data HOOK function NF_IP_LOCAL_OUT after treatment, a routing processing, and then transmitted after NF_IP_POST_ROUTING treatment.
NF_IP_PRE_ROUTING (0)
Before entering the datagram in the routing code is processed, the data packet received in the IP datagram ip_rcv function () (in the net / ipv4 / ip_input.c, Line379) last, i.e. before the incoming datagram is processed through this HOOK . Before the hook in the ip_rcv HOOK (), the number of the type is performed, the length, the relevant version checking.
After HOOK through this process, the data packets into the ip_rcv_finish () (located net / ipv4 / ip_input.c, Line306), operated check routing table, and determines whether the data packet is forwarded or sent to the local machine.
In this HOOK mainly datagram header for the detection process, to catch exceptions.
Relates function (order of priority): Conntrack (-200), mangle (-150), DNAT (-100)
NF_IP_LOCAL_IN (1)
The destination is the local host IP datagram datagram local delivery function ip_local_deliver () (located in the net / ipv4 / ip_input.c, Line290) last through this HOOK.
After HOOK through this process, the data packets into the ip_local_deliver_finish () (located net / ipv4 / ip_input.c, Line219)
Thus, IPTables module can use this rule chain HOOK INPUT corresponding to the screening rule matching the data packet. Firewall generally based on the HOOK.
Relates Function: mangle (-150), filter (0), SNAT (100), Conntrack (INT_MAX-1)
NF_IP_FORWARD (2)
Non-local destination host the datagram, including revised data reported address NAT, must forward function ip_forward in the IP datagram () (located in the net / ipv4 / ip_forward.c, Line73) last through this HOOK.
After HOOK through this process, the data packets into the ip_forward_finish () (located net / ipv4 / ip_forward.c, Line44)
Further, ipmr_queue_xmit in net / ipv4 / ipmr.c in () function (Line1119) will finally pass through this HOOK. (Ipmr multicast-related, estimated to be treated when required to forward multicast data by routing)
Thus, IPTables HOOK module can use this list corresponding to the FORWARD screening rule matching the data packet.
Functions related to: mangle (-150), filter (0)
NF_IP_LOCAL_OUT (3)
Data packets sent by the local host in the IP datagram constructed / ip_queue_xmit transmission function () (located net / ipv4 / ip_output.c, Line339), and ip_build_and_send_pkt () (located net / ipv4 / ip_output.c, Line122) after the last HOOK. (Datagram processing, the former is the most commonly used, the latter for that SYN / ACK packet does not transmit valid data)
After this post-treatment HOOK, data packets enter ip_queue_xmit2 () (located net / ipv4 / ip_output.c, Line281)
Further, in ip_build_xmit_slow () (located net / ipv4 / ip_output.c, Line429) and ip_build_xmit () (located net / ipv4 / ip_output.c, Line638) for error detection; in igmp_send_report () (located net / ipv4 /igmp.c,Line195) has also been the last HOOK, processing related multicast.
Thus, IPTables module can use this rule chain HOOK OUTPUT corresponding to the screening rule matching the data packet.
Relates Function: Conntrack (-200), mangle (-150), DNAT (-100), filter (0)
NF_IP_POST_ROUTING (4)
All reported data, including the source address of the local host and a non-local host, the local host before leaving the device via the network, send function in the IP datagram ip_finish_output () (in the net / ipv4 / ip_output.c, Line184) after the last HOOK.
After this post-treatment HOOK, data packets enter ip_finish_output2 () in (on net / ipv4 / ip_output.c, Line160) Further, the function ip_mc_output () (located net / ipv4 / ip_output.c, Line195) cloned a new network buffer skb time, this has also been HOOK processing.
Relates Function: mangle (-150), SNAT (100), Conntrack (INT_MAX)
We see that in the 2.6 kernel IP stack, the protocol stack from the normal flow Netfilter cut into the frame, then sequentially, each sequentially related operation to call all the hooks HOOK point has the following several functions:
1) , net / ipv4 / ip_input.c in the ip_rcv function. This function is mainly used to function entry IP packet processing network layer, which is the entry point on Netfilter:
NF_HOOK (PF_INET, the NF_IP_PRE_ROUTING, SKB, dev, NULL, ip_rcv_finish)
in accordance with the foregoing understanding, this code is very Significance intuitively clear. That is: if the current stack received an IP packet (PF_INET), then put the packets traverse NF_IP_PRE_ROUTING filtration point Netfilter, and to check if someone has already registered at that point filter (nf_hooks [2] [0] ) a hook function for processing related packets. If so, one by one to traverse the list nf_hooks [2] [0] to find and match the corresponding matching target, based on the value returned to Netfilter frame further decide how to handle the packet (processing module or referred to by the hooks ip_rcv_finish continue processing function). Just said so-called "check." Its core is nf_hook_slow () function. The nature of the function is very simple to do, according to a priority list to find a two-way nf_hooks [] [], find the corresponding callback function to process the data packet:
struct the list_head ** I;
list_for_each_continue_rcu (I *, head) {
struct * elem nf_hook_ops = (struct nf_hook_ops *) I *;
IF (hook_thresh> elem-> priority)
Continue;
Verdict = elem-> Hook (Hook, SKB, Indev, outdev, okfn);
IF (Verdict = NF_ACCEPT!) {......}
return NF_ACCEPT;
}
The above code is the net / netfilter / core.c in nf_iterate ( ) part of the core function code, the function is called nf_hook_slow function, and then further processed according to the return value.
2), net / ipv4 / ip_forward.c ip_forward the function, which is a starting point:
NF_HOOK (PF_INET, the NF_IP_FORWARD, SKB, skb-> dev, RT-> u.dst.dev, ip_forward_finish);
passing route choice after all the needs of the machine forwards the packets will be handed over to ip_forward function for processing. Here, the function to the point cut by the filter on Netfilter NF_IP_FOWARD, in nf_hooks [2] [2] Filter points match lookup performed. Finally, the implementation is determined based on the return value of the function ip_forward_finish.
3), net / ipv4 / ip_output.c ip_output the function, which is cut into the form on Netfilter:
NF_HOOK_COND (PF_INET, NF_IP_POST_ROUTING, SKB, NULL, dev, ip_finish_output,
(of IPCB (SKB) -> the flags & IPSKB_REROUTED!)) ;
Here we see the unconditional entry point from the macro NF_HOOK into a conditional macro NF_HOOK_COND, call the macro conditions are: if the protocol stack packet skb currently being processed is not re-routing tag for packets to enter the Netfilter framework. Otherwise, go directly to a function call ip_finish_output protocol stack for processing. In addition, conditional macros and macro no other unconditionally any difference.
If required, the packet caught on Netfilter will nf_hooks [2] [4] points to be filtered match lookup.
4), or ip_local_deliver function net / ipv4 / ip_input.c in. This function handles all object address is the packet data, which cut function:
NF_HOOK (PF_INET, NF_IP_LOCAL_IN are, SKB, skb-> dev, NULL, ip_local_deliver_finish);
issued to native packets, first of all go nf_hooks [ 2] [1] detecting whether a point on the filter callback handler associated packet, and if there is matching operation is performed, and finally the return value according to the function performed ip_local_deliver_finish.
5), ip_push_pending_frames function net / ipv4 / ip_output.c in. The IP fragmentation function is re-form a complete IP packet, and then transmitted. Entry point into the framework for the Netfilter:
NF_HOOK (PF_INET, NF_IP_LOCAL_OUT, SKB, NULL, skb-> dst-> dev, dst_output);
For all sent out from the machine will first packet to the Netfilter nf_hooks [2] [3] points to the filtration filter. Normally down, whether it is a router or PC terminal, few people limit themselves to the machine sent out a message. Case because it is obvious potential risk, often because of some improper settings lead to some service failures, so to intercept packets on this point very little filter. Of course, there really does not rule out the case of special needs.
HOOK entire Linux kernel Netfilter framework mechanism can be summarized as follows:
Throughout the process the packets flowing through the core protocol stack on some key points have been predefined PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT and POST_ROUTING based protocol suite PF_INET packets to these key points to find out if there are registered hook function . If not, the process directly returns the function okfn function pointer points to continue down the protocol stack; if so, calling nf_hook_slow function, to enter the on Netfilter go further call has been registered in the filtering point hook function, and then returns under its value to determine whether to continue execution of the function by the function pointer points to okfn.
----------------
Disclaimer: This article is CSDN blogger "summer wind" of the original article, follow the CC 4.0 BY-SA copyright agreement, reproduced, please attach the original source link and this statement.
Original link: https: //blog.csdn.net/ruisenabc/article/details/87920528