@(Linux network)

netfilter struct 整理

结构体关系图

阐述了结构体之间的关联

---

xt_table

在net->netns_ipv4结构体中，包含了如下几个xt_table

• iptable_filter
• iptable_mangle
• iptable_raw
• arptable_filter
• nat_filter

struct xt_table {    struct list_head list;//xt_table list    /* What hooks you will enter on */    // 此table中包含的chain，譬如nat table就不包含forward chain    // 在hook point，会去执行相应nf_hook[][] list上的hook_fn. 而不同的hook_fn会去查对应模块的table.    // 就是说, nat 注册的hook_fn 不会去在nat table中查找forward chain    unsigned int valid_hooks;    /* Man behind the curtain... */    // 具体存储table 内容    struct xt_table_info *private;    /* Set this to THIS_MODULE if you are a module, otherwise NULL */    struct module *me;    u_int8_t af;        /* address/protocol family */    int priority;        /* hook order */    /* A unique name... */    // 表名    const char name[XT_TABLE_MAXNAMELEN];};

下面来看private指针指向的结构体，这个结构体中具体存储了xt_entry结构体，每个xt_entry对应一条规则。

struct xt_table_info {    /* Size per table */    // table 的大小    unsigned int size;    /* Number of entries: FIXME. --RR */    // 包含的entry个数    unsigned int number;    /* Initial number of entries. Needed for module usage count */    // table的起始entry offset    unsigned int initial_entries;    /* Entry points and underflows */    // hook_entry[] 存储了每个chain 对应的起始entry offset    // underflow[] 存储了每个chain 最后一个entry的offset    unsigned int hook_entry[NF_INET_NUMHOOKS];    unsigned int underflow[NF_INET_NUMHOOKS];    /*     * Number of user chains. Since tables cannot have loops, at most     * @stacksize jumps (number of user chains) can possibly be made.     */    // scott added:     // we can only jump form hook chains to user chains, PRE_ROUTING-> POST_ROUTING are not supported.    // so stacksize is the number of user chains and the max value of jump times.    // And also, jumpstack can only store child chain entry.    // 当chain之间发生jump的时候(A->B)，只需要将A中当前的entry push进stack即可。所以jumpstack最大只需要存储user chains个数的entry.         // 如果B chain的某个entry target为XT_RETURN,则从stack中pop出A中的entry,并顺着A chain往下匹配.    unsigned int stacksize;    unsigned int __percpu *stackptr;    // 等同于 jumpstack[cpuid][entry*]    void ***jumpstack;        //保存的entries    unsigned char entries[0] __aligned(8);};

---

ipt_entry

ipt_entry具体的定义了每一条规则，例如

iptables -t nat -A PREROUTING -s 12.12.12.12 -ptcp --dport 808 -j DROP

/* This structure defines each of the firewall rules.  Consists of 3 parts which are*/ // 1) general IP header stuff // 2) match specific stuff // 3) the target to perform if the rule matchesstruct ipt_entry {    //存放了标准匹配    struct ipt_ip ip;    /* Mark with fields that we care about. */    unsigned int nfcache;    /* Size of ipt_entry + matches */    // 指定了target 元素的地址    // target_offset = elems + sizeof(xt_match) * numof(matchs)    __u16 target_offset;    /* Size of ipt_entry + matches + target */    // 下一个xt_entry的地址    __u16 next_offset;    /* Back pointer */    // 从哪个entry 过来的    unsigned int comefrom;    /* Packet and byte counters. */    // 计数 packet 和 byte?    struct xt_counters counters;    /* The matches (if any), then the target. */    // elems中保存了xt_match 和 xt_target.    // xt_match 和 xt_target 地址偏移在 target_offset指定    unsigned char elems[0];};

ipt_entry 看起来还是比较简单的，下面这张图解释的对ipt_entry比较清楚:

注意，ipt_ip结构中存放的是标准匹配，如 ip , netmask ,prototype,interface 等，扩展匹配等才存放在xt_match结构中。

/* Yes, Virginia, you have to zero the padding. */struct ipt_ip {    /* Source and destination IP addr */    struct in_addr src, dst;    /* Mask for src and dest IP addr */    struct in_addr smsk, dmsk;    char iniface[IFNAMSIZ], outiface[IFNAMSIZ];    unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];    /* Protocol, 0 = ANY */    __u16 proto;    /* Flags word */    //SYN, ACK, FIN, RST ...    __u8 flags;    /* Inverse flags */    __u8 invflags;};

---

xt_entry_match

xt_entry_match 中主要保存了拓展match，在iptables中用-m 表示，在下例中，使用拓展socket match:

iptables -t nat -A PREROUTING -m socket -j DIVERT

struct xt_entry_match {    union {        struct {            __u16 match_size;            /* Used by userspace */            char name[XT_EXTENSION_MAXNAMELEN];            __u8 revision;        } user;        struct {            __u16 match_size;            /* Used inside the kernel */            struct xt_match *match;        } kernel;        /* Total length */        __u16 match_size;    } u;    unsigned char data[0];};

注意: 在/usr/include /下的头文件，提供的都是用户态编写程序的接口。只有真正kernel src中提供的include文件，才是编写内核代码时需要引入的头文件。

例如 xt_entry_match，在/usr/include/linux/netfilter/x_tables.h中和内核代码 /usr/src/kernels/3.10.0-514.el7.x86_64/include/linux/netfilter/都有定义，但是只有内核代码文件中才包含xt_match结构的定义。用户文件中是没有次结构定义的。

union struct

这块是用户和内核共同操作的一块地址。当我们通过iptables添加规则的时候，用户态也会创建xt_entry_match结构，并将user.name设置为match名称，内核拿到此结构后，通过name的值，找到匹配的xt_match结构，并使kernel.match指向它。也就是说，name的值会被覆盖，但是没有关系，因为存储在table chain中的时候，xt_entry_match不需要name,只需要xt_match即可。

这里我们需要关注的xt_match结构体，其具体指向了一个匹配

xt_match

xt_match是内核的匹配模块，需要先注册，才能使用。

xt_register_match(&pktsize_match);

也就是说，xt_match结构体是公用的，当创建多个xt_entry_match的时候，其指向的都是match list中的该match, 但是xt_entry_match是不同的。

struct xt_match {    //extend match list?    struct list_head list;        //match name    const char name[XT_EXTENSION_MAXNAMELEN];    u_int8_t revision;    /* Return true or false: return FALSE and set *hotdrop = 1 to           force immediate packet drop. */    /* Arguments changed since 2.6.9, as this must now handle       non-linear skb, using skb_header_pointer and       skb_ip_make_writable. */    //match 函数，判断sk_buff是否满足该match,入参为sk_buff报文 以及    //xt_action_param 用来match和target的参数    bool (*match)(const struct sk_buff *skb,              struct xt_action_param *);    /* Called when user tries to insert an entry of this type. */    // 新建match entry的时候check    int (*checkentry)(const struct xt_mtchk_param *);    /* Called when entry of this type deleted. */    // 删除该类型match 的时候调用    void (*destroy)(const struct xt_mtdtor_param *);#ifdef CONFIG_COMPAT    /* Called when userspace align differs from kernel space one */    void (*compat_from_user)(void *dst, const void *src);    int (*compat_to_user)(void __user *dst, const void *src);#endif    /* Set this to THIS_MODULE if you are a module, otherwise NULL */    struct module *me;    const char *table;    unsigned int matchsize;#ifdef CONFIG_COMPAT    unsigned int compatsize;#endif    unsigned int hooks;    unsigned short proto;    unsigned short family;};

注意: 这里重要的match指针函数，

bool (*match)(const struct sk_buff *skb, struct xt_action_param *);

skb 为需要处理的报文，xt_action_param则指向了匹配规则，网口信息等。这个后面还需要看这个参数是怎么构建以及传入的。

xt_action_param

mtach或者target操作的时候，传入的参数。这个结构体是被xt_match和xt_target公用的，因此很多参数采用union

// struct xt_action_param - parameters for matches/targets // // @match:    the match extension // @target:    the target extension // @matchinfo:    per-match data // @targetinfo:    per-target data // @in:        input netdevice // @out:    output netdevice // @fragoff:    packet is a fragment, this is the data offset // @thoff:    position of transport header relative to skb->data // @hook:    hook number given packet came from // @family:    Actual NFPROTO_* through which the function is invoked //        (helpful when match->family == NFPROTO_UNSPEC) // // Fields written to by extensions: // // @hotdrop:    drop packet if we had inspection problems // Network namespace obtainable using dev_net(in/out)struct xt_action_param {    union {        const struct xt_match *match;        const struct xt_target *target;    };    union {        //配置的match 匹配参数        const void *matchinfo, *targinfo;    };    const struct net_device *in, *out;    //分片报文的偏移量    int fragoff;    unsigned int thoff;    //packet从哪个hook点过来的    unsigned int hooknum;    u_int8_t family;    //hotdrop = 1立刻丢掉此packet    bool hotdrop;};

xt_entry_target

创建iptable 规则时指定的动作，xt_entry_target依赖xt_target，extend target 需要register到xt_af[pf].target list.

xt_entry_target , xt_target 和 xt_entry_match，xt_match的结构类似。

struct xt_entry_target {    union {        struct {            __u16 target_size;            /* Used by userspace */            char name[XT_EXTENSION_MAXNAMELEN];            __u8 revision;        } user;        struct {            __u16 target_size;            /* Used inside the kernel */            struct xt_target *target;        } kernel;        /* Total length */        __u16 target_size;    } u;    unsigned char data[0];};

/* Registration hooks for targets. */struct xt_target {    struct list_head list;    const char name[XT_EXTENSION_MAXNAMELEN];    u_int8_t revision;    /* Returns verdict. Argument order changed since 2.6.9, as this       must now handle non-linear skbs, using skb_copy_bits and       skb_ip_make_writable. */    unsigned int (*target)(struct sk_buff *skb,                   const struct xt_action_param *);    /* Called when user tries to insert an entry of this type:           hook_mask is a bitmask of hooks from which it can be           called. */    /* Should return 0 on success or an error code otherwise (-Exxxx). */    int (*checkentry)(const struct xt_tgchk_param *);    /* Called when entry of this type deleted. */    void (*destroy)(const struct xt_tgdtor_param *);#ifdef CONFIG_COMPAT    /* Called when userspace align differs from kernel space one */    void (*compat_from_user)(void *dst, const void *src);    int (*compat_to_user)(void __user *dst, const void *src);#endif    /* Set this to THIS_MODULE if you are a module, otherwise NULL */    struct module *me;    const char *table;    unsigned int targetsize;#ifdef CONFIG_COMPAT    unsigned int compatsize;#endif    unsigned int hooks;    unsigned short proto;    unsigned short family;    RH_KABI_RESERVE(1)    RH_KABI_RESERVE(2)    RH_KABI_RESERVE(3)    RH_KABI_RESERVE(4)};