Net Filter Reporter milk netfilter NFIPPRE ROUTING ROUTE

  • Slides: 10

NetFilter 簡介 Reporter: milk


netfilter的架構

NF_IP_PRE_ROUTING → ROUTE → NF_IP_FORWARD → NF_IP_POST_ROUTING
ROUTE → NF_IP_LOCAL_IN → local process → NF_IP_LOCAL_OUT → ROUTE → NF_IP_POST_ROUTING


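/*
 * Structure of a hook point.
 *
 * One nf_hook_ops instance describes a single callback registered with
 * netfilter: which function to call, for which protocol family, at which
 * hook point, and with what priority.
 */
struct nf_hook_ops {
    struct list_head list;  /* list linkage (no description given on the slide) */
    nf_hookfn *hook;        /* function pointer: the callback to invoke; the kernel
                             * header declares this member as a pointer, the slide
                             * had lost the '*' */
    int pf;                 /* protocol family number this entry applies to */
    int hooknum;            /* hook point this entry is attached to */
    int priority;           /* priority value of this entry */
};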


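/*
 * Filtering by address: module entry/exit points that attach hook_func to the
 * IPv4 NF_IP_PRE_ROUTING hook.
 *
 * NOTE(review): nf_register_hook()/nf_unregister_hook() and the NF_IP_* names
 * belong to the older in-kernel netfilter API; confirm the target kernel
 * version before reusing this listing.
 */

/* The callback is defined after the registration code, so declare it first. */
unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *));

/* Registration record; must stay valid for as long as the hook is registered. */
static struct nf_hook_ops nfho;

/*
 * Fill in the hook description and register it.
 *
 * Returns the result of nf_register_hook() so that a failed registration
 * makes the module load fail instead of leaving a module loaded that
 * filters nothing.
 */
int init_module(void)
{
    nfho.hook = hook_func;               /* callback to run for each packet */
    nfho.hooknum = NF_IP_PRE_ROUTING;    /* hook point named on the slide */
    nfho.pf = PF_INET;                   /* IPv4 only */
    nfho.priority = NF_IP_PRI_FIRST;     /* priority value chosen on the slide */

    return nf_register_hook(&nfho);
}

/* Detach the hook on unload so the kernel never calls into freed module code. */
void cleanup_module(void)
{
    nf_unregister_hook(&nfho);
}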


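/*
 * Netfilter hook callback: drop packets whose IPv4 source address is
 * 127.0.0.1 and accept everything else.
 *
 * @hooknum: hook point the packet is traversing (unused here)
 * @skb:     pointer to the packet buffer pointer
 * @in:      incoming device (unused here)
 * @out:     outgoing device (unused here)
 * @okfn:    continuation function (unused here)
 *
 * Returns NF_DROP for a matching source address, NF_ACCEPT otherwise.
 *
 * The source address is a field the sender writes into the packet, so a match
 * on it is a demonstration of packet filtering, not an access-control check.
 */
unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
    /*
     * 127.0.0.1 as four bytes in network byte order. The slide's string
     * literal had lost its escape characters and one zero byte; an explicit
     * array keeps the length fixed at four.
     */
    static const unsigned char deny_ip[4] = { 0x7f, 0x00, 0x00, 0x01 };
    const unsigned char *src;
    int i;

    /*
     * skb is a pointer to a pointer, so it must be dereferenced once before
     * reaching the header. Without a buffer or an IP header there is nothing
     * to compare; let the packet through rather than dereference NULL.
     */
    if (!skb || !*skb || !(*skb)->nh.iph)
        return NF_ACCEPT;

    /*
     * Compare byte by byte instead of casting the byte array to
     * unsigned int *, which depended on the array's alignment.
     */
    src = (const unsigned char *)&(*skb)->nh.iph->saddr;
    for (i = 0; i < 4; i++) {
        if (src[i] != deny_ip[i])
            return NF_ACCEPT;
    }

    return NF_DROP;
}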