Teach you to write a Linux virtual network card to implement class NVi

We can use the loopback interface on Linux to simulate two stages of routing, the first phase is to go through the Pre/post routing process, NAT implementation, the second phase completes the simple route forwarding. However, it is necessary to hook up the netfilter on the SKB so that the routing items associated with them are canceled and the Conntrack information associated with the SKB is removed, because in the second phase of the simple routing process, I do not want any more conntrack based actions, Therefore, if you need to have an conntrack based operation, be sure to complete the first phase with NAT.

Look back to see the implementation of loopback, is not so perfect, because like on the NetFilter hook completed this thing can be completed in the virtual network card xmit operation, so it is necessary to write a virtual network card, the reason for the final consideration is to write again, because this module is super simple, Basic can be copied LOOPBACK.C implementation, the difference is XMit operation:

Static netdev_tx_t nvi_xmit (struct Sk_buff *skb,

struct Net_device *dev)

{

int Len;

Notice that I wrote the original data into the interface in the SKB mark, so why would I do that? Because...

struct Net_device * Real_dev = Dev_get_by_index (dev_net (Dev), skb->mark);

Skb_orphan (SKB);

Skb->protocol = Eth_type_trans (SKB, Real_dev);

Cancels the associated routing item so that it can be policy at ip_input time routing

Skb_dst_drop (SKB);

Cancel Conntrack because its task has been completed in the first phase

SKB->NFCT = &nf_conntrack_untracked.ct_general;

Skb->nfctinfo = ip_ct_new;

Nf_conntrack_get (SKB->NFCT);

Len = skb->len;

if (Likely (NETIF_RX (SKB) = = net_rx_success)) {

...//do something good? Statistics?

} else {

...//...

}

return NETDEV_TX_OK;

}

The registration of the NVi interface is also very simple:

dev = Alloc_netdev (0, "NVi", Nvi_setup);

Why is it possible to use SKB's mark to deposit the interface index? In fact, on a 32-bit machine it can completely save the original network card dev address, strong to Net_device type pointer. I didn't start by keeping the index of the net card in Mark, because maybe the netfilter hook would use this mark, and I didn't use Mark's mask to hide some bits to save the index, because the unsuspecting person might misuse it. The way I use it is to "make sure there is no netfilter hook to use mark and then overwrite it with the index of the network card, so when is it appropriate?" Proficient NetFilter know, in postrouting the last do this thing is more appropriate, so I put this hook after postrouting nf_confirm. Whether there will be a flow control used to mark I don't care, after all, the flow control is on the physical network card, and the first round of routing independent. But the question is, can I get the index of the original network card when I get to the postrouting? Oh,no! ：

int ip_output (struct sk_buff *skb)

{

struct Net_device *dev = skb_dst (SKB)->dev;

Ip_upd_po_stats (dev_net (Dev), ipstats_mib_out, Skb->len);

Here, Postrouting replaces SKB Dev ...

Skb->dev = Dev;

Skb->protocol = htons (ETH_P_IP);

Return Nf_hook_cond (Pf_inet, nf_inet_post_routing, SKB, NULL, Dev,

Ip_finish_output,

! (IPCB (SKB)->flags & ipskb_rerouted));

}