Network security framework of Linux kernel 2.4.x (1)

Source: Internet
Author: User

1. Overview
Before analyzing the implementation of network security in Linux 2.4.x, we briefly introduce several important concepts: netfilter, iptables, match, target, nf_sockopt_ops, and the network security functions built on them. Detailed explanations follow in the later analysis.
The first is netfilter, which defines the check points (hooks) in the protocol stack, the data structures referenced at those check points, and the process by which they are referenced there. Iptables defines how the rules that implement network security functions are organized, and the operations on those rules. A rule consists of zero or more matches and one target. The rule organization keeps the chain and rule concepts of Linux 2.2.x but adds the concept of a table. The relationship between the three is: a table is the sum of all rules that implement one function; a chain is the set of rules referenced at one check point; a rule is a single rule. A match is used in a rule to test one parameter of a packet, and each match tests one specific parameter, so a rule may carry several matches, both the system-defined ones and those added by kernel modules. A target determines, in a rule, how a matched packet is processed, so the specific network security function is implemented in the target. Nf_sockopt_ops is the data structure referenced by the getsockopt/setsockopt system calls; it allows rules to be added, deleted, modified, and queried from user space. All of these structures must be registered with the system before they can be referenced.
Linux 2.4.x network security implements packet filtering; address translation (which includes the masquerading and transparent proxy functions of Linux 2.2.x and adds further extensions); connection tracking (the basis for address translation: it records and monitors connection state, similar to stateful inspection); and mangle (new in Linux 2.4.x: it examines and alters packets, for example header fields, but does not itself decide whether to allow or discard them). To implement these functions, the data structures of netfilter, iptables, match, target, and nf_sockopt_ops must be registered. To implement another new function, one only needs to define the corresponding structures and register them with the system; the user-space configuration tool must also support the new structures so that they can be added to rules. Once registered, these structures are referenced in rules automatically.
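As an added example (not code from the original article or from the kernel), the following user-space C program models the table/chain/rule/match/target organization just described: a rule is an array of matches plus one target, a chain is the ordered list of rules checked at one check point, and the first rule whose matches all succeed hands the packet to its target. The packet structure, the match and target function names, and the three rules are constructed for this example; the non-terminating target mirrors the behaviour of a LOG-style target in iptables, which observes the packet and lets the walk continue.

```c
/* Added example: a user-space model of iptables' rule organisation.
 * struct pkt, match_fn, target_fn and the rules below are this example's
 * own constructions, not kernel or iptables API. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Verdicts, named after the netfilter values. */
enum { NF_DROP = 0, NF_ACCEPT = 1 };
/* Pseudo-verdict: "this rule made no decision, keep walking the chain". */
#define VERDICT_CONTINUE (-1)

/* Constructed packet summary: only the fields the matches look at. */
struct pkt {
    unsigned char proto;     /* 6 == TCP, 17 == UDP */
    unsigned short dport;
    unsigned int saddr;      /* host byte order, 0x0A000001 == 10.0.0.1 */
};

/* A match tests one packet parameter; 'arg' is the value given in the rule. */
typedef bool (*match_fn)(const struct pkt *p, unsigned int arg);
struct match { match_fn fn; unsigned int arg; };

/* A target decides what happens to a packet that all matches accepted. */
typedef int (*target_fn)(const struct pkt *p);

#define MAX_MATCHES 4
struct rule {
    struct match matches[MAX_MATCHES];   /* zero or more matches */
    size_t nmatches;
    target_fn target;                    /* exactly one target */
};

/* A chain: the rules referenced at one check point, plus a default policy. */
struct chain { const struct rule *rules; size_t nrules; int policy; };

/* --- matches (modelled on the system-defined ones) --- */
static bool match_proto(const struct pkt *p, unsigned int a) { return p->proto == a; }
static bool match_dport(const struct pkt *p, unsigned int a) { return p->dport == a; }
static bool match_snet(const struct pkt *p, unsigned int a)  { return (p->saddr >> 8) == a; } /* /24 */

/* --- targets --- */
static int target_accept(const struct pkt *p) { (void)p; return NF_ACCEPT; }
static int target_drop(const struct pkt *p)   { (void)p; return NF_DROP; }
/* A non-terminating target: observes the packet, makes no decision. */
static int target_log(const struct pkt *p) {
    printf("LOG proto=%u dport=%u saddr=0x%08x\n", p->proto, p->dport, p->saddr);
    return VERDICT_CONTINUE;
}

/* Walk a chain: the first rule whose matches all succeed applies its target;
 * a non-terminating target lets the walk continue; no hit -> chain policy. */
int run_chain(const struct chain *c, const struct pkt *p)
{
    for (size_t i = 0; i < c->nrules; i++) {
        const struct rule *r = &c->rules[i];
        bool hit = true;
        for (size_t m = 0; m < r->nmatches && hit; m++)
            hit = r->matches[m].fn(p, r->matches[m].arg);
        if (!hit)
            continue;
        int v = r->target(p);
        if (v != VERDICT_CONTINUE)
            return v;
    }
    return c->policy;
}

/* Constructed INPUT chain of a "filter" table:
 *   1. LOG every TCP packet                   (non-terminating)
 *   2. ACCEPT TCP/22 from 10.0.0.0/24
 *   3. DROP   TCP/22 from anywhere else
 *   policy ACCEPT */
static const struct rule input_rules[] = {
    { { {match_proto, 6} },                                            1, target_log },
    { { {match_proto, 6}, {match_dport, 22}, {match_snet, 0x0A0000} }, 3, target_accept },
    { { {match_proto, 6}, {match_dport, 22} },                         2, target_drop },
};
const struct chain filter_input = { input_rules, 3, NF_ACCEPT };

int main(void)
{
    struct pkt ssh_lan = { 6, 22, 0x0A000005 };    /* 10.0.0.5:22   -> ACCEPT */
    struct pkt ssh_wan = { 6, 22, 0xC0A80105 };    /* 192.168.1.5   -> DROP   */
    struct pkt dns     = { 17, 53, 0xC0A80105 };   /* UDP, no hit   -> policy */
    printf("%d %d %d\n", run_chain(&filter_input, &ssh_lan),
           run_chain(&filter_input, &ssh_wan), run_chain(&filter_input, &dns));
    return 0;
}
```

Note that order matters exactly as in a real chain: swapping rules 2 and 3 would drop the LAN traffic too, because the first terminating hit wins.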
2. netfilter
Netfilter defines the check points in the protocol stack, the data structures referenced at those check points, and the process of referencing them. First, let us look at the data structure referenced at a check point:
Figure 2.1 Organization of the nf_hook_ops data structure
In the figure, nf_hook_ops is the structure referenced at a check point. For each protocol family the kernel predefines an array of eight linked-list heads (NF_MAX_HOOKS is 8) to hold these structures, and the lists correspond one-to-one to the check points in that protocol stack. In practice not all eight lists are used: IPv4, for example, defines only five check points (PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING), which correspond to the first five lists. The structure of nf_hook_ops is as follows:
    struct nf_hook_ops {
        struct list_head list;  /* links this entry into the list for (pf, hooknum) */
        nf_hookfn *hook;        /* function pointer: the hook function called at the check point */
        int pf;                 /* protocol family number the structure belongs to */
        int hooknum;            /* check point number the structure belongs to */
        int priority;           /* priority value; lower values run earlier */
    };
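As an added example (not code from the article or from the kernel source), the following user-space C program models how these structures are organized and used: one list head per (protocol family, check point) pair, registration that keeps each list sorted by priority, and a walk over the list at a check point that stops at the first hook returning something other than NF_ACCEPT. The numeric constants (NF_MAX_HOOKS, the NF_IP_* hook numbers, the NF_* verdicts and the NF_IP_PRI_* priorities) are the 2.4.x values; the singly linked list, the shortened hook-function signature, the sk_buff stub and the two hook functions are simplifications made for this example.

```c
/* Added example: user-space model of the 2.4.x nf_hooks[pf][hooknum] lists.
 * The list type, hook signature and sk_buff are simplified stand-ins. */
#include <stdio.h>
#include <stddef.h>

#define NPROTO       32     /* protocol families */
#define NF_MAX_HOOKS 8      /* list heads per family */
#define PF_INET      2

/* IPv4 check points: only 5 of the 8 list slots are used */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING };

/* verdicts a hook function returns */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };

/* priorities of the 2.4 IPv4 tables; lower runs first */
enum {
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE    = -150,
    NF_IP_PRI_NAT_DST   = -100,
    NF_IP_PRI_FILTER    =  0,
    NF_IP_PRI_NAT_SRC   =  100
};

struct sk_buff { unsigned int saddr; int mark; };   /* constructed packet stub */

/* kernel's nf_hookfn also receives in/out devices and an okfn; omitted here */
typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff **skb);

struct nf_hook_ops {
    struct nf_hook_ops *next;   /* singly linked stand-in for struct list_head */
    nf_hookfn *hook;
    int pf;
    int hooknum;
    int priority;
};

/* nf_hooks[pf][hooknum]: one list head per (family, check point) */
static struct nf_hook_ops *nf_hooks[NPROTO][NF_MAX_HOOKS];

/* Insert keeping ascending priority; equal priority goes after existing entries. */
int nf_register_hook(struct nf_hook_ops *reg)
{
    if (reg->pf < 0 || reg->pf >= NPROTO || reg->hooknum < 0 || reg->hooknum >= NF_MAX_HOOKS)
        return -1;
    struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum];
    while (*pp && (*pp)->priority <= reg->priority)
        pp = &(*pp)->next;
    reg->next = *pp;
    *pp = reg;
    return 0;
}

/* Walk the list at a check point; stop at the first non-ACCEPT verdict.
 * NF_REPEAT re-runs the same hook, as the kernel's nf_iterate does. */
unsigned int nf_iterate(int pf, int hooknum, struct sk_buff **skb)
{
    for (struct nf_hook_ops *op = nf_hooks[pf][hooknum]; op; ) {
        unsigned int v = op->hook(hooknum, skb);
        if (v == NF_REPEAT)
            continue;
        if (v != NF_ACCEPT)
            return v;
        op = op->next;
    }
    return NF_ACCEPT;
}

/* Two constructed hooks: a "mangle" hook that tags packets and a "filter" hook
 * that drops anything from 10.0.0.0/8. The filter is registered first to show
 * that priority, not registration order, decides which runs first. */
int order_log[4];
int order_n;

static unsigned int mangle_hook(unsigned int h, struct sk_buff **skb)
{
    (void)h;
    (*skb)->mark = 1;
    order_log[order_n++] = NF_IP_PRI_MANGLE;
    return NF_ACCEPT;
}

static unsigned int filter_hook(unsigned int h, struct sk_buff **skb)
{
    (void)h;
    order_log[order_n++] = NF_IP_PRI_FILTER;
    return ((*skb)->saddr >> 24) == 10 ? NF_DROP : NF_ACCEPT;
}

static struct nf_hook_ops filter_ops = { NULL, filter_hook, PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_FILTER };
static struct nf_hook_ops mangle_ops = { NULL, mangle_hook, PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_MANGLE };

/* Verdict for one constructed packet at LOCAL_IN after both hooks are registered. */
unsigned int demo(unsigned int saddr)
{
    nf_hooks[PF_INET][NF_IP_LOCAL_IN] = NULL;   /* fresh list for each run */
    order_n = 0;
    nf_register_hook(&filter_ops);
    nf_register_hook(&mangle_ops);
    struct sk_buff skb = { saddr, 0 }, *p = &skb;
    return nf_iterate(PF_INET, NF_IP_LOCAL_IN, &p);
}

int main(void)
{
    unsigned int v = demo(0x0A010203);   /* 10.1.2.3 */
    printf("verdict %u, mangle ran first: %s\n", v,
           order_log[0] == NF_IP_PRI_MANGLE ? "yes" : "no");
    return 0;
}
```

The priority-sorted insertion is what makes the 2.4.x table order (conntrack, then mangle, then NAT, then filter) hold regardless of module load order; a hook that returns NF_DROP ends the walk, so later entries in the same list never see the packet.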

