本文主要是介绍THRESH控制网桥netfilter规则执行流程,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
NF_HOOK_THRESH函数的参数thresh控制从何等优先级的hook函数开始执行,所以低于thresh优先级的函数将不会被遍历执行。hook函数的注册由nf_register_hook函数完成。priority的值越小优先级越高,所有注册的hook函数优先级由高到低排序。
int nf_register_hook(struct nf_hook_ops *reg)
{list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {if (reg->priority < elem->priority)break;}list_add_rcu(®->list, elem->list.prev);
}THRESH初始
以下依据网桥bridge的NF_BR_PRE_ROUTING点为例,数据包首先进入网桥处理函数br_handle_frame,如果目的MAC不是链路本地地址(01:80:c2:00:00:0X),调用NF_HOOK进行NF_BR_PRE_ROUTING hook点的规则处理,NF_HOOK函数调用NF_HOOK_THRESH,此时传递的最后一个参数thresh为最小的有符号整数INT_MIN(0x80000000)。
static inline int NF_HOOK(uint8_t pf, unsigned int hook, ...)
{return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN);
}
rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
{NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, NULL, skb,skb->dev, NULL, br_handle_frame_finish);
}最终,thresh参数赋值给了nf_hook_state结构的变量state->thresh,查看hook点规则遍历函数nf_iterate可知,所有优先级大于阈值state->thresh的规则都将得到执行。由上可知,thresh的值为INT_MIN,已经是最小值了,所有注册的规则优先级都大于此值,都会执行。
unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, struct nf_hook_state *state, struct nf_hook_ops **elemp)
{list_for_each_entry_continue_rcu((*elemp), head, list) {if (state->thresh > (*elemp)->priority)continue;
}网桥netfilter HOOK点的优先级定义,优先级的类型为有符号整数:
enum nf_br_hook_priorities {NF_BR_PRI_FIRST = INT_MIN,NF_BR_PRI_NAT_DST_BRIDGED = -300,NF_BR_PRI_FILTER_BRIDGED = -200,NF_BR_PRI_BRNF = 0,NF_BR_PRI_NAT_DST_OTHER = 100,NF_BR_PRI_FILTER_OTHER = 200,NF_BR_PRI_NAT_SRC = 300,NF_BR_PRI_LAST = INT_MAX,
};THRESH值改变
阈值thresh在什么地方改变呢?这里其实会涉及到规则的嵌套查找。继续看NF_BR_PRE_ROUTING hook点的处理,当执行到NF_BR_PRI_BRNF优先级的规则时,内核在此注册了一个br_nf_pre_routing处理函数。此函数会调用IPv4的NF_INET_PRE_ROUTING hook点规则,调用完后最后由函数br_nf_pre_routing_finish处理。
static struct nf_hook_ops br_nf_ops[] __read_mostly = {{.hook = br_nf_pre_routing,.owner = THIS_MODULE,.pf = NFPROTO_BRIDGE,.hooknum = NF_BR_PRE_ROUTING,.priority = NF_BR_PRI_BRNF,},
}调用上层IPv4的hook点处理后,返回NF_STOLEN,网桥NF_BR_PRE_ROUTING hook点的遍历将在此结束,难道意味着优先级在NF_BR_PRI_BRNF之后的规则都不会被执行。其实不然,在函数br_nf_pre_routing_finish中,内核会直接调用NF_HOOK_THRESH函数(非之前的NF_HOOK封装),此时thresh参数值传入1,根据上文介绍的函数nf_iterate可知,优先级大于1的规则将得到继续运行,即NF_BR_PRI_BRNF(=0)之后优先级的规则会执行。与br_handle_frame一致,遍历完成后交由br_handle_frame_finish处理。
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops, ...)
{NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->sk, skb,skb->dev, NULL, br_nf_pre_routing_finish);return NF_STOLEN;
}static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
{NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,skb->dev, NULL, br_handle_frame_finish, 1);
}内核版本
linux-3.10.0
这篇关于THRESH控制网桥netfilter规则执行流程的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
