Differences between Netfilter in the 2.4 and 2.6 kernels

Copyleft: this document belongs to yfydz and may be freely copied and redistributed under the GPL when republished. Use for any commercial purpose is strictly prohibited.
MSN: yfydz_no1@hotmail.com
Source: http://yfydz.cublog.cn

1. Preface

The basic framework of Netfilter is the same in the 2.4 and 2.6 kernels, but some details differ. Whether a module can be ported mainly depends on whether the basic data structures and function definitions have changed, so this article compares which data structures and functions were modified. The comparison below uses 2.4.26 and 2.6.8.1.

2. ip_conntrack.h

The structure describing a connection, struct ip_conntrack, is the same. 2.6.8.1 adds two macro definitions:

    /* eg. PROVIDES_CONNTRACK(ftp); */
    #define PROVIDES_CONNTRACK(name)                        \
            int needs_ip_conntrack_##name;                  \
            EXPORT_SYMBOL(needs_ip_conntrack_##name)

    /* eg. NEEDS_CONNTRACK(ftp); */
    #define NEEDS_CONNTRACK(name)                                           \
            extern int needs_ip_conntrack_##name;                           \
            static int *need_ip_conntrack_##name __attribute_used__ = &needs_ip_conntrack_##name

3. struct ip_conntrack_helper

In struct ip_conntrack_helper, the parameters of the help() member function have changed.

In 2.4.26:

    int (*help)(const struct iphdr *, size_t len,
                struct ip_conntrack *ct,
                enum ip_conntrack_info conntrackinfo);

In 2.6.8.1:

    int (*help)(struct sk_buff *skb,
                struct ip_conntrack *ct,
                enum ip_conntrack_info conntrackinfo);

In 2.4 the parameters are the IP header pointer and the IP packet length; in 2.6 only the struct sk_buff is passed, and both values can be extracted from it:

    iph = skb->nh.iph;
    len = skb->len;

In addition, the parameter order of ip_conntrack_expect_related() is reversed between 2.4 and 2.6.

In 2.4.26:

    extern int ip_conntrack_expect_related(struct ip_conntrack *related_to,
                                           struct ip_conntrack_expect *exp);

In 2.6.8.1:

    extern int ip_conntrack_expect_related(struct ip_conntrack_expect *exp,
                                           struct ip_conntrack *related_to);

These changes require modifying the tracking functions of the multi-connection protocols (FTP, IRC, Amanda, etc.). 2.6.8.1 also adds a new function:

    /* Allocate space for an expectation: this is mandatory before calling
       ip_conntrack_expect_related. */
    extern struct ip_conntrack_expect *ip_conntrack_expect_alloc(void);

4. ip_nat.h

Basically the same. The following macro definition was removed in 2.6:

    /* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */
    #ifndef SO_ORIGINAL_DST
    #define SO_ORIGINAL_DST 80
    #endif

5. ip_nat_helper.h

2.6.8.1 no longer has the following macro definition:

    /* Standalone NAT helper, without a conntrack part */
    #define IP_NAT_HELPER_F_STANDALONE 0x02

nor the following function declaration:

    extern void ip_nat_delete_sack(struct sk_buff *skb);

6. ip_conntrack_protocol.h

The parameters of several member functions of struct ip_conntrack_protocol have changed.

In 2.4.26:

    /* Try to fill in the third arg; return true if possible. */
    int (*pkt_to_tuple)(const void *datah, size_t datalen,
                        struct ip_conntrack_tuple *tuple);

    /* Returns verdict for packet, or -1 for invalid. */
    int (*packet)(struct ip_conntrack *conntrack,
                  struct iphdr *iph, size_t len,
                  enum ip_conntrack_info ctinfo);

    /* Called when a new connection for this protocol found;
     * returns TRUE if it's OK.  If so, packet() called next. */
    int (*new)(struct ip_conntrack *conntrack, struct iphdr *iph,
               size_t len);

    /* Has to decide if an expectation matches one packet or not */
    int (*exp_matches_pkt)(struct ip_conntrack_expect *exp,
                           struct sk_buff **pskb);

In 2.6.8.1:

    /* Try to fill in the third arg; return true if possible. */
    int (*pkt_to_tuple)(const struct sk_buff *skb,
                        unsigned int dataoff,
                        struct ip_conntrack_tuple *tuple);

    /* Returns verdict for packet, or -1 for invalid. */
    int (*packet)(struct ip_conntrack *conntrack,
                  const struct sk_buff *skb,
                  enum ip_conntrack_info ctinfo);

    /* Called when a new connection for this protocol found;
     * returns TRUE if it's OK.  If so, packet() called next. */
    int (*new)(struct ip_conntrack *conntrack, const struct sk_buff *skb);

    /* Has to decide if an expectation matches one packet or not */
    int (*exp_matches_pkt)(struct ip_conntrack_expect *exp,
                           const struct sk_buff *skb);

In general, the difference is that the packet pointer struct sk_buff is passed directly, instead of a specific header pointer plus length; each function now parses what it needs from the packet itself. These changes require modifying the corresponding tracking functions of every IP-layer protocol (TCP/UDP/ICMP).

7. ip_nat_protocol.h

The parameters of the manip_pkt() member function of struct ip_nat_protocol have changed.

In 2.4.26:

    /* Do a packet translation according to the ip_nat_proto_manip
     * and manip type. */
    void (*manip_pkt)(struct iphdr *iph, size_t len,
                      const struct ip_conntrack_manip *manip,
                      enum ip_nat_manip_type maniptype);

In 2.6.8.1:

    /* Do a packet translation according to the ip_nat_proto_manip
     * and manip type.  Return true if succeeded. */
    int (*manip_pkt)(struct sk_buff **pskb,
                     unsigned int hdroff,
                     const struct ip_conntrack_manip *manip,
                     enum ip_nat_manip_type maniptype);

As above, the difference is that the packet pointer struct sk_buff is passed directly instead of a specific header pointer plus length, and the function locates the header in the packet itself.
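The change in sections 6 and 7 (hand the protocol function the whole skb plus an offset and let it find and bounds-check its own header) is easiest to see in a small userland model. The following is an added example written for this article, not code from the original article or from the kernel: struct mock_iphdr, struct mock_sk_buff, struct mock_tuple and the function names are hypothetical stand-ins that only borrow the field names the text uses (nh.iph, len, dataoff), and the packet is constructed inline.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons/htonl/ntohs/ntohl */
/* Hypothetical userland mocks with the layout and field names of the kernel
 * types the text mentions; they are not the kernel's own definitions. */
struct mock_iphdr {                      /* 20-byte IPv4 header */
    uint8_t  ihl_version, tos;           /* ihl_version: low nibble = IHL in 32-bit words */
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;               /* network byte order */
};
struct mock_udphdr { uint16_t source, dest, len, check; };
struct mock_sk_buff {
    unsigned char *data;                    /* start of the IP header */
    unsigned int   len;                     /* skb->len: bytes from data to the tail */
    struct { struct mock_iphdr *iph; } nh;  /* mirrors skb->nh.iph in 2.6.8.1 */
};
struct mock_tuple {                      /* stand-in for struct ip_conntrack_tuple */
    uint32_t src_ip, dst_ip;             /* host byte order for readability */
    uint16_t src_port, dst_port;
    uint8_t  protonum;
};

/* 2.4.26-style pkt_to_tuple: the caller hands over the transport header
 * pointer and the number of bytes available behind it. */
static int udp_pkt_to_tuple_24(const void *datah, size_t datalen, struct mock_tuple *tuple)
{
    struct mock_udphdr udph;
    if (datalen < sizeof(udph))          /* truncated header: refuse to fill the tuple */
        return 0;
    memcpy(&udph, datah, sizeof(udph));  /* memcpy avoids unaligned field access */
    tuple->src_port = ntohs(udph.source);
    tuple->dst_port = ntohs(udph.dest);
    return 1;
}

/* 2.6.8.1-style pkt_to_tuple: gets the skb plus dataoff and must locate and
 * bounds-check the header itself.  Porting is largely this wrapper. */
static int udp_pkt_to_tuple_26(const struct mock_sk_buff *skb, unsigned int dataoff,
                               struct mock_tuple *tuple)
{
    if (dataoff > skb->len)
        return 0;
    return udp_pkt_to_tuple_24(skb->data + dataoff, skb->len - dataoff, tuple);
}

/* What a 2.6 caller does before dispatching to pkt_to_tuple: take the IP header
 * from skb->nh.iph (the text's "iph = skb->nh.iph; len = skb->len") and derive
 * dataoff from IHL so that any IP options are skipped. */
static int classify_packet(const struct mock_sk_buff *skb, struct mock_tuple *tuple)
{
    const struct mock_iphdr *iph = skb->nh.iph;
    unsigned int ihl, dataoff;
    if (skb->len < sizeof(*iph))
        return 0;                        /* not even a complete IP header */
    ihl = iph->ihl_version & 0x0f;
    dataoff = ihl * 4;                   /* transport header follows the options */
    if (ihl < 5 || dataoff > skb->len)
        return 0;                        /* malformed IHL, or options run past the tail */
    memset(tuple, 0, sizeof(*tuple));
    tuple->src_ip   = ntohl(iph->saddr);
    tuple->dst_ip   = ntohl(iph->daddr);
    tuple->protonum = iph->protocol;
    if (iph->protocol == 17)             /* IPPROTO_UDP, the only tracker in this model */
        return udp_pkt_to_tuple_26(skb, dataoff, tuple);
    return 0;
}

/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, UDP 1234 -> 53, no payload.
 * Fields the model never reads (tot_len, ttl, checksums) are left zero. */
static struct { struct mock_iphdr ip; struct mock_udphdr udp; } sample_pkt;
static struct mock_tuple last_tuple;     /* filled by the most recent classify_sample() */

/* Classify the 28-byte sample; trim > 0 cuts skb->len short so that the UDP
 * header lies (partly) beyond the buffer, as with a truncated packet. */
static int classify_sample(unsigned int trim)
{
    struct mock_sk_buff skb;
    memset(&sample_pkt, 0, sizeof(sample_pkt));
    sample_pkt.ip.ihl_version = 0x45;    /* IPv4, IHL = 5 words = 20 bytes */
    sample_pkt.ip.protocol    = 17;
    sample_pkt.ip.saddr       = htonl(0x0A000001u);
    sample_pkt.ip.daddr       = htonl(0x0A000002u);
    sample_pkt.udp.source     = htons(1234);
    sample_pkt.udp.dest       = htons(53);
    skb.data   = (unsigned char *)&sample_pkt;
    skb.nh.iph = &sample_pkt.ip;
    skb.len    = trim < sizeof(sample_pkt) ? (unsigned int)(sizeof(sample_pkt) - trim) : 0;
    return classify_packet(&skb, &last_tuple);
}

int main(void)
{
    int ok = classify_sample(0);
    printf("full packet: %d, udp %d -> %d\n", ok, last_tuple.src_port, last_tuple.dst_port);
    printf("4 bytes trimmed (UDP header incomplete): %d\n", classify_sample(4));
    return 0;
}
```

udp_pkt_to_tuple_26() is the shape of the porting work: the 2.4 body stays as it is, and the wrapper derives its (datah, datalen) pair from (skb, dataoff). The length is now taken from skb->len rather than from a caller-supplied argument, so a packet whose transport header lies beyond the tail is rejected instead of being read past the end.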
These changes require modifying the corresponding NAT functions of every IP-layer protocol (TCP/UDP/ICMP).

8. ip_tables.h

The parameters of the match() member function of struct ipt_match have changed.

In 2.4.26:

    int (*match)(const struct sk_buff *skb,
                 const struct net_device *in,
                 const struct net_device *out,
                 const void *matchinfo,
                 int offset,
                 const void *hdr,
                 u_int16_t datalen,
                 int *hotdrop);

In 2.6.8.1:

    int (*match)(const struct sk_buff *skb,
                 const struct net_device *in,
                 const struct net_device *out,
                 const void *matchinfo,
                 int offset,
                 int *hotdrop);

The header and length parameters are removed in 2.6; both can be obtained from the struct sk_buff *skb parameter. This change requires modifying the match() function of every match module. The parameters in struct ipt_target have not changed, but the order of its member functions has. As a result, every target module that does not initialize the structure with the ".name = function" form must have the order of its initializers corrected.

9. ip_conntrack_core.h

The parameters of the common function get_tuple() have changed.

In 2.4.26:

    extern int get_tuple(const struct iphdr *iph, size_t len,
                         struct ip_conntrack_tuple *tuple,
                         struct ip_conntrack_protocol *protocol);

In 2.6.8.1:

    extern int get_tuple(const struct iphdr *iph,
                         const struct sk_buff *skb,
                         unsigned int dataoff,
                         struct ip_conntrack_tuple *tuple,
                         const struct ip_conntrack_protocol *protocol);

10. ip_nat_core.h

The parameters of icmp_reply_translation() have changed slightly.

In 2.4.26:

    extern unsigned int icmp_reply_translation(struct sk_buff *skb,
                                               struct ip_conntrack *conntrack,
                                               unsigned int hooknum,
                                               int dir);

In 2.6.8.1:

    extern int icmp_reply_translation(struct sk_buff **pskb,
                                      struct ip_conntrack *conntrack,
                                      unsigned int hooknum,
                                      int dir);

11. Conclusion

Netfilter did not change much from 2.4 to 2.6. A module written for 2.4 can be used in 2.6 with only a few modifications.
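Section 8 notes that the members of struct ipt_target were reordered, so a target module that fills the structure positionally binds its callbacks to the wrong slots without any compiler diagnostic. The following is an added example (not code from the original article or from the kernel) that reproduces the hazard with hypothetical layouts demo_target_v24 and demo_target_v26, chosen purely for illustration, beside the designated-initializer form the text recommends.

```c
#include <stdio.h>

/* Hypothetical layouts used only to illustrate the hazard the text describes
 * (member order of struct ipt_target changed between 2.4 and 2.6); they are
 * not the real kernel structures. */
typedef int (*target_hook)(int);

struct demo_target_v24 {
    const char *name;
    target_hook target;        /* 2.4-style order: target() first ... */
    target_hook checkentry;    /* ... then checkentry() */
};

struct demo_target_v26 {
    const char *name;
    target_hook checkentry;    /* 2.6-style order: the two callbacks swapped */
    target_hook target;
};

static int demo_target(int verdict)  { return verdict * 2; } /* stands in for target() */
static int demo_checkentry(int size) { return size > 0; }    /* stands in for checkentry() */

/* The same positional initializer, written once for the 2.4 layout.  Against
 * the 2.6 layout it still compiles without a diagnostic, because both members
 * have the identical function-pointer type, but the callbacks are swapped. */
static const struct demo_target_v24 positional_v24 = { "demo", demo_target, demo_checkentry };
static const struct demo_target_v26 positional_v26 = { "demo", demo_target, demo_checkentry };

/* Designated initializer (".name = function" form): binds by member name, so
 * the reordering has no effect. */
static const struct demo_target_v26 designated_v26 = {
    .name       = "demo",
    .target     = demo_target,
    .checkentry = demo_checkentry,
};

/* Stands in for the framework invoking the registered target() hook. */
static int invoke_target(const struct demo_target_v26 *t, int arg)
{
    return t->target(arg);
}

static int v24_positional_binds_target(void) { return positional_v24.target == demo_target; }
static int v26_positional_binds_target(void) { return positional_v26.target == demo_target; }
static int v26_designated_binds_target(void) { return designated_v26.target == demo_target; }

int main(void)
{
    printf("2.4 positional -> target() is target: %d\n", v24_positional_binds_target());
    printf("2.6 positional -> target() is target: %d\n", v26_positional_binds_target());
    printf("2.6 designated -> target() is target: %d\n", v26_designated_binds_target());
    printf("invoke_target(positional, 21) = %d, invoke_target(designated, 21) = %d\n",
           invoke_target(&positional_v26, 21), invoke_target(&designated_v26, 21));
    return 0;
}
```

With the positional form, invoke_target() on the 2.6 layout silently runs the checkentry() stand-in where target() was intended; the designated form gives the same binding under either layout, which is why converting every target module to ".name = function" initializers is the safe way to carry it across the reorder.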