NETFILTER Reading Chapter 19 Fall 2004 FSU CIS
![NF_HOOK() #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (list_empty(&nf_hooks[(pf)][(hook)]) ? (okfn)(skb) : nf_hook_slow((pf), (hook),](https://slidetodoc.com/presentation_image_h2/e5dc2c4741328b9a9c5b8a6a87ebb3f3/image-4.jpg "NF_HOOK() #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (list_empty(&nf_hooks[(pf)][(hook)]) ? (okfn)(skb) : nf_hook_slow((pf), (hook),")
- Slides: 6
NETFILTER Reading: Chapter 19 Fall 2004 FSU CIS 5930 Internet Protocols 1
NETFILTER Device driver (input) Device driver (output) CRC Check Consistency check NF_IP_PRE_ROUTING NF_IP_POST_ROUTING Forwarded packets Routing NF_IP_FORWARD (iptables: FORWARD) Routing NF_IP_LOCAL_IN (iptables: INPUT) NF_IP_LOCAL_OUT (iptables: OUTPUT) Higher layers Local processes Incoming packets Fall 2004 Outgoing packets FSU CIS 5930 Internet Protocols 2
NETFILTER hooks • A means to insert packet filter code at welldefined locations – NF_IP_PRE_ROUTING – NF_IP_LOCAL_IN – NF_IP_FORWARD – NF_IP_LOCAL_OUT – NF_IP_POST_ROUTING Fall 2004 FSU CIS 5930 Internet Protocols 3
NF_HOOK() #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (list_empty(&nf_hooks[(pf)][(hook)]) ? (okfn)(skb) : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn))) One example: return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u. dst. dev, output_maybe_reroute); Fall 2004 FSU CIS 5930 Internet Protocols 4
Register/unregister hook functions • Template of hook functions typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)); • nf_register_hook() • nf_unregister_hook() Fall 2004 FSU CIS 5930 Internet Protocols 5
struct nf_hook_ops Struct nf_hook_ops { struct list_head nf_hookfn int int }; Fall 2004 list; *hook; pf; hooknum; priority; FSU CIS 5930 Internet Protocols 6
