Netfilter: table, rule, match and target

Overview

This article analyses the roles of table, rule, match and target and the relationships between their data structures, as groundwork for the matching flow covered later. Working through the code in this article yields the following relationship diagram:

[image: relationship diagram of table, rule, match and target (not preserved)]

Detailed analysis
table

iptables has five kinds of tables:

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).

The member struct netns_xt xt of the net structure stores all of the tables.

The members of netns_xt are shown below. Its tables member holds one list of tables per protocol: every protocol has its own list, and each table is stored on the list of the protocol it belongs to.

[image: definition of struct netns_xt (not preserved)]

Next, look at the table structure, which defines each concrete type of table:

[image: definition of struct xt_table (not preserved)]

The private member of xt_table points to an xt_table_info structure, which stores the actual rule information, including the entry points and offsets.

[image: definition of struct xt_table_info (not preserved)]

The entries member of xt_table_info points to the entry point of the matching rules; each array at the entry point contains multiple rules.

rule

An ipt_standard structure corresponds to one rule and consists of ipt_entry + xt_entry_match + xt_standard_target.

[image: definition of struct ipt_standard (not preserved)]

A rule is the unit as a whole; its members are introduced one by one below:

match

Used for rule matching; matches are divided into standard matches and extended matches.

A standard match is performed against the ipt_entry->ip member, mainly the address, interface and protocol information carried in ip.

An extended match is performed through the xt_entry_match member; it extends the standard match and usually exists as a module or plugin.

ipt_entry is the entry of a rule. Its head holds the standard-match structure, and the remaining fields store the target offset, the offset of the next ipt_entry, the entry point of the extended matches, and so on:

[image: definition of struct ipt_entry (not preserved)]

ipt_entry contains an ipt_ip structure used for the standard match, which matches on source and destination address, input and output device, protocol and so on; its structure is as follows:

[image: definition of struct ipt_ip (not preserved)]

xt_entry_match immediately follows ipt_entry; there may be several of them, and they are used for extended matches.

target

The action executed once a rule matches; targets are likewise divided into standard targets and extended targets.

Standard target: if t->u.kernel.target->target is NULL, the target is a standard target, and the verdict return value decides how processing continues.

Extended target: if t->u.kernel.target->target is not NULL, the target is an extended target, and that target function must be executed.

xt_standard_target wraps the xt_entry_target member and adds verdict, a field used to return the processing result to Netfilter.

[image: definition of struct xt_standard_target (not preserved)]

The definition of the xt_entry_target structure is almost identical in form to that of match.

[image: definition of struct xt_entry_target (not preserved)]
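To make the rule layout and the match/target split concrete, here is an added user-space model (example code, not from the original post and not the kernel's own code) of how a flat rule blob is laid out and walked: an ipt_entry carrying the standard match, the xt_entry_match records that follow it up to target_offset, then the target, where a NULL target function (the stand-in for t->u.kernel.target->target) marks a standard target whose verdict decides, and a non-NULL one is an extension target that runs and may ask to keep going. The struct definitions are simplified stand-ins with the kernel's field names, and the "dport" extension, the LOG target, the three-rule table and the packets are all constructed for the example; NF_DROP, NF_ACCEPT and XT_CONTINUE are defined locally with the kernel's values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified user-space models of the kernel structures the article describes.
 * Field names follow the kernel, but ipt_ip is cut down and sizes differ: these
 * are not the kernel headers. Packet fields are kept in host byte order. */
struct ipt_ip { uint32_t src, smsk; uint16_t proto; };            /* standard match, 0 = any */
struct ipt_entry {                                                /* head of one rule */
    struct ipt_ip ip;                                             /* standard match comes first */
    uint16_t target_offset, next_offset;                          /* bytes to target / next rule */
};
struct xt_entry_match { uint16_t match_size; char name[16]; };    /* extension data follows */
struct xt_entry_target { uint16_t target_size; char name[16]; };  /* same shape as a match */
struct xt_standard_target { struct xt_entry_target target; int verdict; };
struct pkt { uint32_t saddr; uint16_t proto, dport; };            /* constructed packet model */

#define NF_DROP     0
#define NF_ACCEPT   1
#define XT_CONTINUE 0xFFFFFFFFu                      /* extension target: keep walking */
#define ALIGN8(n)   (((n) + 7) & ~(size_t)7)         /* like XT_ALIGN on 64-bit */

static int log_hits;                                 /* how often LOG ran (for checking) */
static unsigned int log_target(const struct pkt *p) { (void)p; log_hits++; return XT_CONTINUE; }

static int std_match(const struct ipt_ip *ip, const struct pkt *p)
{
    return (p->saddr & ip->smsk) == (ip->src & ip->smsk)
        && (ip->proto == 0 || ip->proto == p->proto);
}
/* Walk the xt_entry_match records between the ipt_entry header and target_offset
 * (what xt_ematch_foreach() iterates in the kernel). The single extension
 * modelled, "dport", carries a uint16_t destination port right after its header. */
static int ext_match(const struct ipt_entry *e, const struct pkt *p)
{
    const unsigned char *base = (const unsigned char *)e;
    for (size_t off = sizeof *e; off < e->target_offset;) {
        const struct xt_entry_match *m = (const struct xt_entry_match *)(base + off);
        if (strcmp(m->name, "dport") == 0) {
            uint16_t want;
            memcpy(&want, base + off + sizeof *m, sizeof want);
            if (want != p->dport) return 0;
        }
        off += m->match_size;
    }
    return 1;
}
/* Mirrors the shape of ipt_do_table(): standard match, extended matches, then
 * the target. Positive verdicts (jumps into user-defined chains) are not modelled. */
static unsigned int do_table(const void *entries, size_t size, const struct pkt *p)
{
    const unsigned char *base = entries;
    for (size_t off = 0; off < size;) {
        const struct ipt_entry *e = (const struct ipt_entry *)(base + off);
        const struct xt_entry_target *t =
            (const struct xt_entry_target *)(base + off + e->target_offset);
        /* stand-in for t->u.kernel.target->target: NULL means standard target */
        unsigned int (*fn)(const struct pkt *) = strcmp(t->name, "LOG") == 0 ? log_target : NULL;
        if (std_match(&e->ip, p) && ext_match(e, p)) {
            if (fn == NULL) {
                int v = ((const struct xt_standard_target *)t)->verdict;
                if (v < 0) return (unsigned int)(-v) - 1;   /* kernel encodes -(NF_x) - 1 */
            } else {
                unsigned int v = fn(p);
                if (v != XT_CONTINUE) return v;
            }
        }
        off += e->next_offset;
    }
    return NF_ACCEPT;                                /* toy chain policy */
}
/* Append a rule in the same layout: ipt_entry, optional dport match, target. */
static void add_rule(unsigned char *blob, size_t *len, struct ipt_ip ip,
                     int dport, const char *target, int verdict)
{
    unsigned char *start = blob + *len;
    struct ipt_entry e = { .ip = ip };
    struct xt_standard_target st = { .verdict = verdict };
    struct xt_entry_match m = { .match_size = (uint16_t)ALIGN8(sizeof m + 2) };
    uint16_t port = (uint16_t)dport;
    size_t off = sizeof e;
    if (dport >= 0) {                                /* -1 = no extended match */
        strcpy(m.name, "dport");
        memcpy(start + off, &m, sizeof m);
        memcpy(start + off + sizeof m, &port, sizeof port);
        off += m.match_size;
    }
    e.target_offset = (uint16_t)off;
    st.target.target_size = (uint16_t)ALIGN8(sizeof st);
    strcpy(st.target.name, target);                  /* "" = standard target */
    memcpy(start + off, &st, sizeof st);
    e.next_offset = (uint16_t)(off + st.target.target_size);
    memcpy(start, &e, sizeof e);
    *len += e.next_offset;
}
/* Constructed table: drop telnet from 10.0.0.0/8, LOG ssh and keep walking,
 * accept the rest. Returns the verdict for one constructed packet. */
static unsigned int run_demo(uint32_t saddr, uint16_t proto, uint16_t dport)
{
    uint64_t words[32];                              /* 8-byte aligned rule storage */
    unsigned char *blob = (unsigned char *)words;
    size_t len = 0;
    struct ipt_ip from10 = { 0x0A000000u, 0xFF000000u, 6 }, tcp = { 0, 0, 6 }, any = { 0 };
    add_rule(blob, &len, from10, 23, "", -NF_DROP - 1);
    add_rule(blob, &len, tcp, 22, "LOG", 0);
    add_rule(blob, &len, any, -1, "", -NF_ACCEPT - 1);
    return do_table(blob, len, &(struct pkt){ saddr, proto, dport });
}
```

Calling run_demo(0x0A010203u, 6, 23) hits the first rule and yields NF_DROP from the standard target's verdict without any target function running; run_demo(0xC0A80001u, 6, 22) skips rule one on the standard match, runs the LOG extension target on rule two, and is then accepted by the catch-all rule, which is exactly the NULL versus non-NULL target-function distinction the target section describes.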


Reprint notice: when reprinting, please credit the source: Linux TCP/IP Stack. Thank you!
