enum nf_IP_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_CONNTRACK = -200,
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_LAST = INT_MAX,
};
Hook是提供的处理函数,也就是我们的主要工作,其原型为:
unsigned int nf_hookfn(unsigned int hooknum,
struct sk_buff **skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *));
它的五个参数将由NFHOOK宏传进去。nf_register_hook根据reg中注册的协议簇类型和优先级在nf_hooks中找到相应的位置并插入到此表中。_hooks[NPROTO][NF_MAX_HOOKS]在Netfilter初始化时(Netfilter_init/Netfilter.c,而它在sock_init时调用)已经初始为一个空表。
例如IPtable在初始化时(init/IPtable_filter.c)调用nf_register_hook注册他的hook函数。
static struct nf_hook_ops IPt_ops[]
= { { { NULL, NULL }, IPt_hook, PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_FILTER },
{ { NULL, NULL }, IPt_hook, PF_INET, NF_IP_FORWARD, NF_IP_PRI_FILTER },
{ { NULL, NULL }, IPt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT,
NF_IP_PRI_FILTER }
};
mangle在init/IPtable_mangle.c中注册它自己的hook函数。
static struct nf_hook_ops IPt_ops[]
= { { { NULL, NULL }, IPt_hook, PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_MANGLE },
{ { NULL, NULL }, IPt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT,
{NF_IP_PRI_MANGLE }
};
NAT在init/IP_nat_standalone.c中注册它自己的hook函数