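Taking NF_INET_PRE_ROUTING as an example, when a packet arrives at the NF_INET_PRE_ROUTING hook point, the following operations are performed in order: 1. New packet: it first passes through ip_recv, then reaches the PREROUTING hook point. 2. Priority NF_IP_PRI_CONNTRACK: the rules at priority NF_IP_PRI_CONNTRACK are executed. 3. Priority NF_IP_PRI_MANGLE: the rules at priority NF_IP_PRI_MANGLE are executed. 4. ...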
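The bridge_nf code can sometimes be confusing: as we saw in the figure, the small green boxes that represent iptables tables and chains end up in the link layer. The netfilter documentation also comments on this in "ebtables/iptables interaction on a Linux-based bridge": It should be noted that the br-nf code sometimes violates the TCP/IP Network Model. As will be seen later, it is...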
* address to be able to detect DNAT afterwards. */ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct net_bridge_port *p; struct net_bridge *br; __u32 len = nf_bridge_encap_hea...
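Fig. 1 Hook Point of netfilter [Choice] NF_IP_PRE_ROUTING (packets sent by local processes are not subject to the restriction) 3. Choosing the priority under NF_IP_PRE_ROUTING: the hook functions at a hook point are executed in turn according to their priority. Under the 2.6 kernel (look it up yourself for the 2.4 kernel), the main hook operations at PREROUTING are (in priority order): (1) .hook = ip_sabotage .priority = NF_IP_PRI_FI...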
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb, skb->dev, NULL, br_handle_frame_finish, 1); return 0; } Developer ID: DenisLug, project: mptcp, lines of code: 58, source file: br_netfilter_ipv6.c Example 2: br_nf_forward_arp ...
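Read the header file carefully; there is an explanation at the top of it. The two have the same value. Neither NF_IP_* nor NF_IP6_* can be used in newer kernels; the kernel and kernel modules must use NF_INET_*. If I remember correctly, this change started with the 2.6.25 kernel; back then there was no NF_INET_* yet, and everything used the NF_IP series. Now NF_IP_* is kept only for compatibility with user-space programs, and in general NF_INET_* should be used...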
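On Linux, this technique of implementing a switch in software is called a bridge (to stress it again, this is a pure software implementation)... To make it easier to understand, we will next take a hands-on approach: create a small virtual network on a single Linux machine and let its members communicate with each other... forward: NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, br_handle_frame_fin...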
In the Linux bridge code, bridge-nf-call-iptables is reflected in the br_nf_pre_routing function, which is also a Netfilter hook function: static struct nf_hook_ops br_nf_ops[] __read_mostly = { { .hook = br_nf_pre_routing, .owner = THIS_MODULE, .pf = PF_BRIDGE, ...
printk(KERN_CRIT "br_netfilter: skb->dst == NULL."); return NF_ACCEPT; } #endif nf_bridge = skb->nf_bridge; nf_bridge->physoutdev = skb->dev; realindev = nf_bridge->physindev; /* Bridged, take PF_BRIDGE/FORWARD. * (see big note in front of br_nf_pre_routing_finish) */...
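NF_INET_POST_ROUTING, NF_INET_NUMHOOKS }; /* BR, IP and INET are consistent: NF_XXX_PRE_ROUTING, NF_XXX_LOCAL_IN, NF_XXX_FORWARD, NF_XXX_LOCAL_OUT, NF_XXX_POST_ROUTING, NF_XXX_NUMHOOKS */ 6. Triggering the hook functions: the hook functions have already been stored on the different chains; when are these hook functions actually invoked to process packets?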