【内核协议栈】Netfilter 之 iptable_filter

1、Filter表的初始化

入口在net/ipv4/netfilter/iptable_filter.c中

1.1、Filter表信息

static const struct xt_table packet_filter = {
	.name		= "filter",
	.valid_hooks	= FILTER_VALID_HOOKS,
	.me		= THIS_MODULE,
	.af		= NFPROTO_IPV4,
	.priority	= NF_IP_PRI_FILTER,
	.table_init	= iptable_filter_table_init,
};

1.2、内核加载初始化 iptable_filter_init

static int __init iptable_filter_init(void)
{
	int ret;

	filter_ops = xt_hook_ops_alloc(&packet_filter, iptable_filter_hook);
	if (IS_ERR(filter_ops))
		return PTR_ERR(filter_ops);

	ret = register_pernet_subsys(&iptable_filter_net_ops);
	if (ret < 0)
		kfree(filter_ops);

	return ret;
}

1.3、Filter表初始化

static int __net_init iptable_filter_table_init(struct net *net)
{
	struct ipt_replace *repl;
	int err;
	/* filter表已经被初始化了，返回 */
	if (net->ipv4.iptable_filter)
		return 0;
	/* 分配初始化表，用于下面的表注册 */
	repl = ipt_alloc_initial_table(&packet_filter);
	if (repl == NULL)
		return -ENOMEM;
	/* Entry 1 is the FORWARD hook */
	 /* 入口1是否为FORWARD钩子点时的verdict值设置 */
	((struct ipt_standard *)repl->entries)[1].target.verdict =
		forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
	/* 注册filter表，注册后，ipv4.iptable_filter保存了注册后的新表 */
	err = ipt_register_table(net, &packet_filter, repl, filter_ops,
				 &net->ipv4.iptable_filter);
	/* 释放初始化表 */
	kfree(repl);
	return err;
}