Linux kernel version: 3.18.14, file: net/ipv4/netfilter/iptable_filter.c
First, the important global variable, struct xt_table packet_filter:

    /* The filter table only hooks LOCAL_IN, FORWARD and LOCAL_OUT. */
    #define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
                                (1 << NF_INET_FORWARD) | \
                                (1 << NF_INET_LOCAL_OUT))

    static const struct xt_table packet_filter = {
        .name        = "filter",
        .valid_hooks = FILTER_VALID_HOOKS,
        .me          = THIS_MODULE,
        .af          = NFPROTO_IPV4,
        .priority    = NF_IP_PRI_FILTER,
    };
Look at the code:
1. The entry point is module_init(iptable_filter_init).
2. iptable_filter_init calls register_pernet_subsys(&iptable_filter_net_ops)
-- and then xt_hook_link(&packet_filter, iptable_filter_hook) /* iptable_filter_hook is also defined in this file, iptable_filter.c */
Look at iptable_filter_net_ops:

    static struct pernet_operations iptable_filter_net_ops = {
        .init = iptable_filter_net_init,
        .exit = iptable_filter_net_exit,
    };
3. Now the init function of this per-network-namespace subsystem, iptable_filter_net_init:
-- struct ipt_replace *repl = ipt_alloc_initial_table(&packet_filter); /* allocates an initialised table */
-- net->ipv4.iptable_filter = ipt_register_table(net, &packet_filter, repl); /* registers the table and hangs it on the IPv4 state of the current network namespace (namespace/container plumbing) */
Good! The storage structure associated with the table after ipt_alloc_initial_table is as follows (see the figure):
Note the use of a flexible array here, an ingenious piece of structure design!
A. The structure is allocated by the xt_alloc_initial_table macro (in net/netfilter/xt_repldata.h).
B. tbl->repl.size = nhooks * sizeof(struct ipt_standard) + sizeof(struct ipt_error)
So far the kernel has built an initial table; it then registers it with the current namespace by calling
ipt_register_table(net, &packet_filter, repl) /* repl points to the initial table */
Look at the storage structure of the registered table (see the figure).
Each of its entries pointers points to a memory area that is filled in by
memcpy(entry, repl->entries, repl->size)
i.e. the contents of the memory that the initial table's entries point to (the dotted box in the previous picture) are copied over.
After the table is registered, the initial table is kfree()d.
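As an added example (not code from the kernel or from this post), here is a user-space C model of what xt_alloc_initial_table lays out for packet_filter's valid_hooks mask, and of the memcpy that ipt_register_table then performs. The struct model_* types are constructed stand-ins whose sizes differ from the kernel's ipt_standard / ipt_error; only the shape of the layout (one one-rule chain per valid hook, hook_entry and underflow offsets, the ERROR terminator, repl.size) carries over.

```c
#include <stdlib.h>
#include <string.h>
/* Hook numbers in NF_INET_* order (include/uapi/linux/netfilter.h). */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };
#define NF_ACCEPT 1
#define FILTER_VALID_HOOKS ((1u << NF_INET_LOCAL_IN) | \
                            (1u << NF_INET_FORWARD) | (1u << NF_INET_LOCAL_OUT))
/* Constructed stand-ins for struct ipt_standard / ipt_error (not kernel sizes). */
struct model_standard { unsigned int hooknum; int verdict; };
struct model_error    { char errorname[32]; };
/* Model of struct ipt_replace: the rule blob follows the header as a flexible array. */
struct model_replace {
    unsigned int valid_hooks, num_entries, size;
    unsigned int hook_entry[NF_INET_NUMHOOKS]; /* offset of each chain's first rule */
    unsigned int underflow[NF_INET_NUMHOOKS];  /* offset of each chain's policy rule */
    unsigned char entries[];                   /* nhooks standards, then one error */
};
/* Mirrors the layout xt_alloc_initial_table builds for a valid_hooks mask. */
struct model_replace *model_alloc_initial_table(unsigned int hook_mask)
{
    unsigned int nhooks = __builtin_popcount(hook_mask), bytes = 0, hooknum = 0;
    struct model_replace *repl = calloc(1, sizeof(*repl) +
        nhooks * sizeof(struct model_standard) + sizeof(struct model_error));
    struct model_standard *std;
    if (!repl)
        return NULL;
    repl->valid_hooks = hook_mask;
    repl->num_entries = nhooks + 1;          /* one rule per hook + the ERROR terminator */
    repl->size = nhooks * sizeof(struct model_standard) + sizeof(struct model_error);
    std = (struct model_standard *)repl->entries;
    for (; hook_mask; hook_mask >>= 1, ++hooknum) {
        if (!(hook_mask & 1))
            continue;
        /* A built-in chain is a single policy rule, so entry and underflow coincide. */
        repl->hook_entry[hooknum] = repl->underflow[hooknum] = bytes;
        std->hooknum = hooknum;
        std->verdict = -NF_ACCEPT - 1;       /* standard target encodes verdict v as -v-1 */
        std++, bytes += sizeof(struct model_standard);
    }
    strcpy(((struct model_error *)std)->errorname, "ERROR"); /* table terminator */
    return repl;
}
/* Mirrors ipt_register_table copying repl->size bytes out of repl->entries;
 * the caller (iptable_filter_net_init in the kernel) then frees the initial table. */
unsigned char *model_register_table(const struct model_replace *repl, unsigned int *size)
{
    unsigned char *copy = malloc(repl->size);
    if (copy)
        memcpy(copy, repl->entries, *size = repl->size);
    return copy;
}
```

Because the loop walks the mask from bit 0 upwards, entry 0 is LOCAL_IN, entry 1 is FORWARD and entry 2 is LOCAL_OUT, which is why the kernel can patch the FORWARD policy by indexing the second entry.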
With the table registered, the next step is to attach the hook function to the hook points of the INET protocol family (NFPROTO_IPV4):
xt_hook_link(&packet_filter, iptable_filter_hook); xt_hook_link ends up calling nf_register_hooks.
To be continued ...
Iptables in-depth analysis