概述
通过钩子点和优先级的代码追溯,得到如下对应关系图,图中横坐标为钩子点,纵坐标为优先级,每个钩子点上的钩子函数按照优先级排布;(点击图片查看原图)
详细分析
5个钩子点如下所示,在这个五个钩子点上的钩子函数按照上面的优先级从小到大排列;
|
1 2 3 4 5 6 7 8 9 10 11 12 |
/* IP Hooks */ /* After promisc drops, checksum checks. */ #define NF_IP_PRE_ROUTING 0 /* If the packet is destined for this box. */ #define NF_IP_LOCAL_IN 1 /* If the packet is destined for another interface. */ #define NF_IP_FORWARD 2 /* Packets coming from a local process. */ #define NF_IP_LOCAL_OUT 3 /* Packets about to hit the wire. */ #define NF_IP_POST_ROUTING 4 #define NF_IP_NUMHOOKS 5 |
钩子函数的优先级,范围为INT_MINT~INT_MAX,从枚举的名称可以粗略的看出各个表的钩子函数工作的优先级关系;
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, NF_IP_PRI_CONNTRACK_DEFRAG = -400, NF_IP_PRI_RAW = -300, NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100, NF_IP_PRI_FILTER = 0, NF_IP_PRI_SECURITY = 50, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_CONNTRACK_HELPER = 300, NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, NF_IP_PRI_LAST = INT_MAX, }; |
通过搜索关心的优先级,可以查看对应的钩子函数,如下NF_IP_PRI_CONNTRACK_DEFRAG对应的钩子函数;可见,所在的钩子点为PRE_ROUTING和LOCAL_OUT,钩子函数均为ipv4_conntrack_defrag;使用这种方式一次查看每个优先级,得到本文开头的关系图;
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
static struct nf_hook_ops ipv4_defrag_ops[] = { { .hook = ipv4_conntrack_defrag, .pf = NFPROTO_IPV4, .hooknum = NF_INET_PRE_ROUTING, .priority = NF_IP_PRI_CONNTRACK_DEFRAG, }, { .hook = ipv4_conntrack_defrag, .pf = NFPROTO_IPV4, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP_PRI_CONNTRACK_DEFRAG, }, }; |
赞