Netfilter学习之NAT类型动态配置（七）全锥型NAT内核空间实现

本文主要是介绍Netfilter学习之NAT类型动态配置（七）全锥型NAT内核空间实现，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

本文主要实现全锥型NAT的内核空间iptables命令行扩展对应的钩子函数及其功能的实现。实现思路见上文。

1.关键部分实现代码

（1）建立ipt_FULLCONE.c以激活钩子函数，关键在于保持和用户空间libipt的一致性。

static struct xt_target fullcone_tg_reg __read_mostly = {.name		= "FULLCONE",.family		= NFPROTO_IPV4,.target		= fullcone_tg,.targetsize	= sizeof(struct nf_nat_ipv4_multi_range_compat),.table		= "nat",.hooks		= 1 << NF_INET_PRE_ROUTING,.checkentry	= fullcone_tg_check,.destroy	= fullcone_tg_destroy,.me		= THIS_MODULE,
};

在fullcone_tg中调用nf_nat_fullcone_ipv4

static unsigned int
fullcone_tg(struct sk_buff *skb, const struct xt_action_param *par)
{struct nf_nat_range range;const struct nf_nat_ipv4_multi_range_compat *mr;mr = par->targinfo;range.flags = mr->range[0].flags;range.min_proto = mr->range[0].min;range.max_proto = mr->range[0].max;return nf_nat_fullcone_ipv4(skb, xt_hooknum(par), &range,xt_out(par));
}

（2）在nf_nat_fullcone_ipv4.c中实现具体功能

unsigned int
nf_nat_fullcone_ipv4(struct sk_buff *skb, unsigned int hooknum,const struct nf_nat_range *range,const struct net_device *out)
{struct nf_conn *ct;struct nf_conn_nat *nat;enum ip_conntrack_info ctinfo;struct nf_nat_range newrange;__be32 newdst;//we need to monitor packets at prerouting and put dst to nf_nat_setup_infoNF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING);ct = nf_ct_get(skb, &ctinfo);		//get infomationn from socketsnat = nfct_nat(ct);NF_CT_ASSERT（ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || ctinfo == IP_CT_RELATED_REPLY)）；/* Source address is 0.0.0.0 - locally generated packet that is* probably not supposed to be masqueraded.*/if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)return NF_ACCEPT;newdst = nf_nat_fullcone_match(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);if (newdst){//transfer from original rangememset(&newrange.min_addr, 0, sizeof(newrange.min_addr));memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;newrange.min_addr.ip = newdst;newrange.max_addr.ip = newdst;newrange.min_proto = range->min_proto;newrange.max_proto = range->max_proto;//Hnad modified range to generic setup. Change dst by normal way.return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);}elsereturn NF_ACCEPT;			
}
EXPORT_SYMBOL_GPL(nf_nat_fullcone_ipv4);

（3）进入nf_nat_core.c中，调用nf_nat_setup_info，详细源码介绍可见前文《Netfilter学习之NAT类型动态配置（四）nf_nat_core.c源码解析》

改动代码如下：

unsigned int
nf_nat_setup_info(struct nf_conn *ct,const struct nf_nat_range *range,enum nf_nat_manip_type maniptype)
{struct net *net = nf_ct_net(ct);struct nf_conntrack_tuple curr_tuple, new_tuple;/* Can't setup nat info for confirmed ct. */if (nf_ct_is_confirmed(ct))return NF_ACCEPT;WARN_ON(maniptype != NF_NAT_MANIP_SRC &&maniptype != NF_NAT_MANIP_DST);if (WARN_ON(nf_nat_initialized(ct, maniptype)))return NF_DROP;/* What we've got will look like inverse of reply. Normally* this is what is in the conntrack, except for prior* manipulations (future optimization: if num_manips == 0,* orig_tp = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)*/nf_ct_invert_tuplepr(&curr_tuple,&ct->tuplehash[IP_CT_DIR_REPLY].tuple);get_unique_tuple(&new_tuple, &curr_tuple, range, ct, maniptype);if (!nf_ct_tuple_equal(&new_tuple, &curr_tuple)) {struct nf_conntrack_tuple reply;/* Alter conntrack table so will recognize replies. */nf_ct_invert_tuplepr(&reply, &new_tuple);nf_conntrack_alter_reply(ct, &reply);/* Non-atomic: we own this at the moment. */if (maniptype == NF_NAT_MANIP_SRC)ct->status |= IPS_SRC_NAT;elsect->status |= IPS_DST_NAT;if (nfct_help(ct) && !nfct_seqadj(ct))if (!nfct_seqadj_ext_add(ct))return NF_DROP;}if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip != ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip){listnode = (struct MatchTupleList *)kmalloc(sizeof(struct MatchTupleList), GFP_KERNEL);listnode->tuple.src = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src;listnode->tuple.dst = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst;listnode->specifiedIP = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip;list_add_tail(&listnode->list, &TupleHead.list);}if (maniptype == NF_NAT_MANIP_SRC) {unsigned int srchash;spinlock_t *lock;srchash = hash_by_src(net,&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);lock = &nf_nat_locks[srchash % CONNTRACK_LOCKS];spin_lock_bh(lock);hlist_add_head_rcu(&ct->nat_bysource,&nf_nat_bysource[srchash]);spin_unlock_bh(lock);}/* It's done. */if (maniptype == NF_NAT_MANIP_DST)ct->status |= IPS_DST_NAT_DONE;elsect->status |= IPS_SRC_NAT_DONE;return NF_ACCEPT;
}
EXPORT_SYMBOL(nf_nat_setup_info);