Netfilter笔记-03
当我们使用nf_register_hook在内核中注册好hook之后,内核是如何来引用的呢?
当设备的硬件接收帧以后,会使用中断事件通知CPU,该帧已经可用了,CPU接收到终端事件之后,会执行do_IRQ函数,IRQ编号会引发正确的处理函数被启用,在该过程中,内核会把帧拷贝到sk_buff数据结构中进行处理。按照IP数据包接收流程
内核会调用ip_rcv函数,此函数内会调用NF_HOOK
return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,ip_rcv_finish);在NF_HOOK函数中会调用到nf_hook_slow函数,在nf_hook_slow函数中调用了nf_iterate,代码如下:
unsigned int nf_iterate(struct list_head *head,
struct sk_buff *skb,
unsigned int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct nf_hook_ops **elemp,
int (*okfn)(struct sk_buff *),
int hook_thresh)
{
unsigned int verdict;
/*
* The caller must not block between calls to this
* function because of risk of continuing from deleted element.
*/
list_for_each_entry_continue_rcu((*elemp), head, list) {
if (hook_thresh > (*elemp)->priority)
continue;
/* Optimization: we don't need to hold module
reference here, since function can't sleep. --RR */
repeat:
verdict = (*elemp)->hook(hook, skb, indev, outdev, okfn); /* 调用hook func */
if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
if (unlikely((verdict & NF_VERDICT_MASK)
> NF_MAX_VERDICT)) {
NFDEBUG("Evil return from %p(%u).\n",
(*elemp)->hook, hook);
continue;
}
#endif
if (verdict != NF_REPEAT)
return verdict;
goto repeat;
}
}
return NF_ACCEPT;
}
如上代码中verdict = (*elemp)->hook(hook, skb, indev, outdev, okfn);会调用nf_hook_ops中的hook func。也就是NF_HOOK传过来的ip_rcv_finish。在ip_rcv_finish函数中,内核会对packet进行处理,如果内核不接受此数据包,内核会drop packet,并且free sk_buff。