Problems encountered while disabling iptables chains
I changed the NF_HOOK macro in netfilter.h to block the NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT hooks and call the finish function directly; the other hooks still work normally. But why does `iptables -vnL` show no traffic on the INPUT chain while the OUTPUT chain still shows counters??
Author: zzappled  Posted: 2011-01-11
How did you block them?
Author: Godbach  Posted: 2011-01-11
For example, ip_input.c has this function:
int ip_local_deliver(struct sk_buff *skb)
{
	/*
	 * Reassemble IP fragments.
	 */
	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
		if (ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER))
			return 0;
	}
	return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
		       ip_local_deliver_finish);
}
All of these paths go through NF_HOOK, so I changed the NF_HOOK macro in netfilter.h:
/* skip the hook chain for LOCAL_IN / LOCAL_OUT and call okfn directly;
 * every other hook still goes through NF_HOOK_THRESH as before */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
	(((hook) == NF_INET_LOCAL_IN || (hook) == NF_INET_LOCAL_OUT) ? (okfn)(skb) : \
	 NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN))
Author: zzappled  Posted: 2011-01-11
Which kernel version?
Author: Godbach  Posted: 2011-01-11
2.6.30.10.
Author: zzappled  Posted: 2011-01-11
QUOTE:
return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
	       ip_local_deliver_finish);
Try calling ip_local_deliver_finish directly.
Do the same at the OUTPUT side.
BTW, what is the requirement behind doing this?
Author: Godbach  Posted: 2011-01-11
Found the cause: /net/ipv4/ip_output.c calls nf_hook() directly, and that function in netfilter.h is:
static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
			  struct net_device *indev, struct net_device *outdev,
			  int (*okfn)(struct sk_buff *))
{
	/* original body:
	 * return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
	 *
	 * changed to the following and it works. (hook == 1 and hook == 3 are the
	 * numeric values of NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT, so those two
	 * extra comparisons are redundant with the named constants.) */
	return (hook == NF_INET_LOCAL_IN || hook == NF_INET_LOCAL_OUT ||
		hook == 1 || hook == 3)
		? (okfn)(skb)
		: nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
}
Cutting out hook lists that are not used reduces the number of lock operations, so it is a bit faster.
Thanks!
Author: zzappled  Posted: 2011-01-11
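Both patches in this thread (the NF_HOOK macro and the nf_hook() change) key on the hook number alone and ignore the protocol family. The following user-space C program is an added illustration, not code from the thread or from the kernel: it evaluates the condition exactly as posted against a constructed list of hook registrations and reports which of them would no longer be called. The NFPROTO_* and hook numbers are copied from the 2.6.30-era headers (netfilter.h, netfilter_bridge.h, netfilter_arp.h) into the model; the registration list and the owner names are a sample I constructed for the demonstration. Because nf_hook() is shared by every family, `hook == 1 || hook == 3` also matches NF_BR_LOCAL_IN/NF_BR_LOCAL_OUT for bridged frames and NF_ARP_OUT for ARP, and because IPv6 uses the same nf_inet_hooks numbering, ip6tables INPUT/OUTPUT and the conntrack hook registered at LOCAL_OUT are bypassed as well. A pf-aware variant that only touches IPv4 LOCAL_IN/LOCAL_OUT is shown beside it for comparison.

```c
/*
 * Stand-alone model of the hook-skipping condition from the thread's
 * nf_hook() patch.  Nothing here touches the kernel: it only evaluates
 * the condition against a constructed list of hook registrations to
 * show which of them stop being called.  (Added example, not kernel code.)
 */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Protocol-family numbers as in include/linux/netfilter.h (2.6.30, NFPROTO_*) */
enum { NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10 };

/* Hook numbers: nf_inet_hooks is shared by IPv4 and IPv6; bridge and ARP
 * have their own numbering in netfilter_bridge.h and netfilter_arp.h. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };
enum { NF_BR_PRE_ROUTING, NF_BR_LOCAL_IN, NF_BR_FORWARD,
       NF_BR_LOCAL_OUT, NF_BR_POST_ROUTING, NF_BR_BROUTING };
enum { NF_ARP_IN, NF_ARP_OUT, NF_ARP_FORWARD };

struct hook_reg {
    const char *owner;     /* constructed label for the module owning the hook */
    unsigned    pf;
    unsigned    hooknum;
};

/* Constructed sample of hook owners; real registration lives in each module. */
static const struct hook_reg regs[] = {
    { "iptable_filter INPUT",    NFPROTO_IPV4,   NF_INET_LOCAL_IN  },
    { "iptable_filter OUTPUT",   NFPROTO_IPV4,   NF_INET_LOCAL_OUT },
    { "iptable_filter FORWARD",  NFPROTO_IPV4,   NF_INET_FORWARD   },
    { "nf_conntrack LOCAL_OUT",  NFPROTO_IPV4,   NF_INET_LOCAL_OUT },
    { "ip6table_filter INPUT",   NFPROTO_IPV6,   NF_INET_LOCAL_IN  },
    { "ebtable_filter INPUT",    NFPROTO_BRIDGE, NF_BR_LOCAL_IN    },
    { "ebtable_filter FORWARD",  NFPROTO_BRIDGE, NF_BR_FORWARD     },
    { "arptable_filter OUT",     NFPROTO_ARP,    NF_ARP_OUT        },
    { "arptable_filter IN",      NFPROTO_ARP,    NF_ARP_IN         },
};
#define NREGS (sizeof regs / sizeof regs[0])

/* The condition exactly as posted in the thread: pf is never consulted, so
 * the literals 1 and 3 are compared against every family's numbering. */
static bool skipped_as_posted(unsigned pf, unsigned hook)
{
    (void)pf;
    return hook == NF_INET_LOCAL_IN || hook == NF_INET_LOCAL_OUT ||
           hook == 1 || hook == 3;
}

/* A pf-aware variant (my suggestion, not from the thread) that only
 * short-circuits the IPv4 LOCAL_IN / LOCAL_OUT hooks. */
static bool skipped_ipv4_only(unsigned pf, unsigned hook)
{
    return pf == NFPROTO_IPV4 &&
           (hook == NF_INET_LOCAL_IN || hook == NF_INET_LOCAL_OUT);
}

/* Count how many registered hook owners a given predicate bypasses,
 * optionally listing them. */
static unsigned count_bypassed(bool (*skip)(unsigned, unsigned), bool verbose)
{
    unsigned n = 0;
    for (size_t i = 0; i < NREGS; i++) {
        if (skip(regs[i].pf, regs[i].hooknum)) {
            n++;
            if (verbose)
                printf("  bypassed: %s\n", regs[i].owner);
        }
    }
    return n;
}

int main(void)
{
    printf("condition as posted:\n");
    unsigned a = count_bypassed(skipped_as_posted, true);
    printf("pf-aware condition:\n");
    unsigned b = count_bypassed(skipped_ipv4_only, true);
    printf("%u vs %u hook owners bypassed\n", a, b);
    return 0;
}
```

Run it and compare the two lists: the as-posted condition silently drops six of the nine sample registrations, including the bridge, ARP and IPv6 ones and the conntrack hook at LOCAL_OUT, while the pf-aware version drops only the three IPv4 INPUT/OUTPUT-side entries. That is the practical reason `iptables -vnL` counters are only a partial check here: everything registered at those hook numbers (conntrack, nat and mangle at LOCAL_IN/LOCAL_OUT, any other module's hooks) is skipped along with the filter table, for every protocol family, not just the two chains the poster wanted to remove.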