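Analysis of nf_hook in the 2.6 kernel
NF_HOOK makes it easier to add your own code to the Linux network stack. However, nf_hook changed somewhat between the Linux 2.4 kernel and the Linux 2.6 kernel: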

    #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
        NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)

    #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
    ({int __ret; \
    if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
        __ret = (okfn)(skb); \
    __ret;})

The key here is NF_HOOK_THRESH:

    #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
    ({int __ret; \
    if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh, 1)) == 1)\
        __ret = (okfn)(skb); \
    __ret;})

As can be seen, nf_hook_thresh is the function that actually does the work. However, okfn is executed only if this function returns 1.

    static inline int nf_hook_thresh(int pf, unsigned int hook,
                                     struct sk_buff **pskb,
                                     struct net_device *indev,
                                     struct net_device *outdev,
                                     int (*okfn)(struct sk_buff *), int thresh,
                                     int cond)
    {
        if (!cond)
            return 1;
    #ifndef CONFIG_NETFILTER_DEBUG
        if (list_empty(&nf_hooks[pf][hook]))
            return 1;
    #endif
        return nf_hook_slow(pf, hook, pskb, indev, outdev, okfn, thresh);
    }

If cond is 0, the hook modules inserted by the user are not executed. This is mainly used in Native VPN. Let's take a look:

    return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
                        xfrm4_output_finish,
                        !(IPCB(skb)->flags & IPSKB_REROUTED));

If the packet has been rerouted, the hooks are not executed again. This is part of the XFRM framework. If anyone is interested in the XFRM architecture, let's discuss it together; I am reimplementing the Linux XFRM framework, haha!
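
The branch behaviour described above, as an added userspace model in C (not kernel code and not part of the original post): it shows which packets a registered hook actually gets to inspect at the xfrm4 call site. The names `model_hook_slow`, `model_hook_thresh`, `drop_all`, `run_case` and the `MODEL_*` constants are hypothetical, and `nf_hook_slow`, which the post does not show, is assumed here to be a simple first-DROP-wins loop.

```c
/* Userspace model of the NF_HOOK_COND flow; not kernel code. */
#include <stdio.h>
#include <stddef.h>

#define MODEL_DROP     0     /* stand-in for an NF_DROP verdict */
#define MODEL_REROUTED 0x10  /* constructed value standing in for IPSKB_REROUTED */
#define HOOK_SEEN      1     /* result bit: a hook inspected the packet */
#define PKT_SENT       2     /* result bit: okfn ran */

struct pkt { unsigned flags; int result; };
typedef int (*hook_fn)(struct pkt *);

static hook_fn hooks[4];     /* models the list nf_hooks[pf][hook] */
static size_t nhooks;

static int drop_all(struct pkt *p) { p->result |= HOOK_SEEN; return MODEL_DROP; }
static int okfn(struct pkt *p)     { p->result |= PKT_SENT;  return 0; }

/* Assumed stand-in for nf_hook_slow: the first DROP verdict ends the walk. */
static int model_hook_slow(struct pkt *p)
{
    for (size_t i = 0; i < nhooks; i++)
        if (hooks[i](p) == MODEL_DROP)
            return -1;       /* any return other than 1 skips okfn */
    return 1;
}

/* The same three branches as nf_hook_thresh (thresh omitted in this model). */
static int model_hook_thresh(struct pkt *p, int cond)
{
    if (!cond)       return 1;   /* hooks bypassed entirely */
    if (nhooks == 0) return 1;   /* nothing registered */
    return model_hook_slow(p);
}

/* NF_HOOK_COND as a function, using the xfrm4 call site's condition. */
static int run_case(unsigned flags, int install_hook)
{
    struct pkt p = { flags, 0 };
    nhooks = 0;
    if (install_hook) hooks[nhooks++] = drop_all;
    if (model_hook_thresh(&p, !(p.flags & MODEL_REROUTED)) == 1)
        okfn(&p);
    return p.result;
}

int main(void)
{
    printf("%d %d %d\n", run_case(0, 1), run_case(MODEL_REROUTED, 1), run_case(0, 0));
    return 0;
}
```

In the second case the drop-everything hook is registered but never runs, because the condition short-circuits before the hook list is consulted; a filter at this hook point therefore only sees packets that do not carry the rerouted flag.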