THRESH控制网桥netfilter规则执行流程

netfilter防火墙 专栏收录该内容
13 篇文章 1 订阅

NF_HOOK_THRESH函数的参数thresh控制从何等优先级的hook函数开始执行,所以低于thresh优先级的函数将不会被遍历执行。hook函数的注册由nf_register_hook函数完成。priority的值越小优先级越高,所有注册的hook函数优先级由高到低排序。


int nf_register_hook(struct nf_hook_ops *reg)
{
    list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
        if (reg->priority < elem->priority)
            break;
    }
    list_add_rcu(&reg->list, elem->list.prev);
}


THRESH初始

以下依据网桥bridge的NF_BR_PRE_ROUTING点为例,数据包首先进入网桥处理函数br_handle_frame,如果目的MAC不是链路本地地址(01:80:c2:00:00:0X),调用NF_HOOK进行NF_BR_PRE_ROUTING hook点的规则处理,NF_HOOK函数调用NF_HOOK_THRESH,此时传递的最后一个参数thresh为最小的有符号整数INT_MIN(0x80000000)。


static inline int NF_HOOK(uint8_t pf, unsigned int hook, ...)
{
    return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN);
}
rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
{
        NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, NULL, skb,
            skb->dev, NULL, br_handle_frame_finish);
}


最终,thresh参数赋值给了nf_hook_state结构的变量state->thresh,查看hook点规则遍历函数nf_iterate可知,所有优先级大于阈值state->thresh的规则都将得到执行。由上可知,thresh的值为INT_MIN,已经是最小值了,所有注册的规则优先级都大于此值,都会执行。

unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, struct nf_hook_state *state, struct nf_hook_ops **elemp)
{
    list_for_each_entry_continue_rcu((*elemp), head, list) {
        if (state->thresh > (*elemp)->priority)
            continue;
}


网桥netfilter HOOK点的优先级定义,优先级的类型为有符号整数:

enum nf_br_hook_priorities {
    NF_BR_PRI_FIRST = INT_MIN,
    NF_BR_PRI_NAT_DST_BRIDGED = -300,
    NF_BR_PRI_FILTER_BRIDGED = -200,
    NF_BR_PRI_BRNF = 0,
    NF_BR_PRI_NAT_DST_OTHER = 100,
    NF_BR_PRI_FILTER_OTHER = 200,
    NF_BR_PRI_NAT_SRC = 300,
    NF_BR_PRI_LAST = INT_MAX,
};


THRESH值改变

阈值thresh在什么地方改变呢?这里其实会涉及到规则的嵌套查找。继续看NF_BR_PRE_ROUTING hook点的处理,当执行到NF_BR_PRI_BRNF优先级的规则时,内核在此注册了一个br_nf_pre_routing处理函数。此函数会调用IPv4的NF_INET_PRE_ROUTING hook点规则,调用完后最后由函数br_nf_pre_routing_finish处理。

static struct nf_hook_ops br_nf_ops[] __read_mostly = {
    {
        .hook = br_nf_pre_routing,
        .owner = THIS_MODULE,
        .pf = NFPROTO_BRIDGE,
        .hooknum = NF_BR_PRE_ROUTING,
        .priority = NF_BR_PRI_BRNF,
    },
}


调用上层IPv4的hook点处理后,返回NF_STOLEN,网桥NF_BR_PRE_ROUTING hook点的遍历将在此结束,难道意味着优先级在NF_BR_PRI_BRNF之后的规则都不会被执行。其实不然,在函数br_nf_pre_routing_finish中,内核会直接调用NF_HOOK_THRESH函数(非之前的NF_HOOK封装),此时thresh参数值传入1,根据上文介绍的函数nf_iterate可知,优先级大于1的规则将得到继续运行,即NF_BR_PRI_BRNF(=0)之后优先级的规则会执行。与br_handle_frame一致,遍历完成后交由br_handle_frame_finish处理。


static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops, ...)
{
    NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->sk, skb,
        skb->dev, NULL, br_nf_pre_routing_finish);
		
	return NF_STOLEN;
}

static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
{
    NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
               skb->dev, NULL, br_handle_frame_finish, 1);
}


内核版本

linux-3.10.0



  • 0
    点赞
  • 0
    评论
  • 3
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值