NetFilter (2)

In the previous article, we already know how to get control over a packet. So how does netfilter organize the rules to handle the packets that pass through?

We know that in the user layer of the firewall configuration tool iptables, there are four table five chain, five chain is actually the last one mentioned in the five different intercept points, the four tables, the sub-table Filter, Nat, Mangle, Raw, from the name can see their role, here does not speak , that is, when you add a matching rule for a package, you need to specify which intercept point is added to which table, and not all tables support all intercept points, which correspond to the respective intercept points they support:

When adding a rule, you need to indicate which intercept point of the table, which is actually the way NetFilter organizes matching rules in the kernel, let's first look at the structure of the entire netfilter storage rule:

(plot, the dashed arrow in the diagram indicates that the part of the previous structure is enlarged.) The solid line represents the pointer. )

From there, it is clear that in the command space of the network, the XT points to an array of tables, which includes the list header of all the network types of tables, where af_inet represents the Internet firewall, which is the linked header of all the tables in NetFilter, and of course the code in the network system is flexible enough It provides an interface to register the table,

struct xt_table *xt_register_table (struct net *net, struct xt_table *table,   struct xt_table_info *bootstrap,   struct Xt_table_info *newinfo)

The rules for each table are stored in xt_table.private, which is a xt_table_info structure, which stores all matching rules in the table. All rules for a table are stored in contiguous memory, because each table can have five intercept points, so Hook_entry records the offsets of all the rules in the Intercept, and entries gives the starting address of all the rules, so that if you want to find the rules for an intercept point configuration, you can Base + Offset has the rule of getting that intercept point.
The organization of the rules is represented by Ipt_standard, where entry represents a matching method, and target represents the way in which the rule is handled, because the extension rules are supported, so the length of the rules is variable, so each rule needs to indicate its size and the next rule's offset, This is what we see the structure of the ipt_entry, so that the traversal rules can be very convenient to do, in different firewall parsing, you can add their own extension match, Ipt_entry Elems is the matching data part, the code will give a detailed process, When a rule is matched, the next rule can be found according to Ipt_entry.next_offset, so that the entire matching process can be processed sequentially.
In fact, the entire above process is that we have the IP packet processing opportunity at the Intercept point, find the entire matching and processing process, along such a way is easy to understand the entire code framework.
In the NetFilter implementation of IPv4, the registration interception operation of different tables is implemented in code with the same name, that is, the filter table is IPTABLE_FILTER.C to complete the interception registration, we take the OUTPUT intercept point as an example, its registration callback function is Ipt_loca L_out_hook, when a packet is sent, Ipt_local_out_hook is called, and it calls Ipt_do_table to find the matching rule in the corresponding table, and ipt_do_table loops through the matching rules in turn, based on the principle mentioned above. This will enable the firewall to function.
So the last question left is how the configuration rules of the user state are passed to the kernel state, and simply, it is through

#include <sys/types.h>          #include <sys/socket.h>int getsockopt (int sockfd, int level, int optname,void * Optval, socklen_t *optlen); int setsockopt (int sockfd, int level, int optname,const void *optval, socklen_t optlen);

To facilitate the extension, it only defines the framework, each firewall defines its own get and set methods, and IPv4 calls Nf_register_sockopt (&ipt_sockopts) to complete the registration of the two functions. This will allow you to complete the configuration of your own rules.
After knowing the principles of netfilter, I believe that the NetFilter code has been easily read. Finish

NetFilter (2)