
iptables规则绑定在端口而不是拦截在协议栈

发布时间:2014-06-01 10:47:39来源:红联作者:velcbo
是不是要重新设计Netfilter的HOOK点位置了？无疑这是一个没有意义的问题，因为你无法证明新的方案更好，你可能只是看上了另一个平台的方案而已，而这个方案和Netfilter的方案是不同的。事实上，我就是这样一个人。

Cisco的ACL可以被编译在端口上，事实上Cisco设备的网络端口角色是可以被定义的，Linux的理念和此完全不同，Linux内核认为定义角色这种事是用户态的职责，如何要实现一个具有完备性的，不依赖用户态配置的数据包拦截机制，那就必须在协议栈路径上进行拦截。换句话说，Netfilter是完全基于skb本身来拦截并处理数据包的，这一点可以从NF_HOOK宏的参数看得出来，但是你可以看到，它还有两个net_device参数，基于这一点，我们就可以模仿Cisco设备的方式将规则绑定到设备了，这么做是有好处的，可以大大提高效率。比如如果你配置了10000条规则，如果有不相关网口设备进来的数据包，那么这些数据包就不必经过iptables规则的过滤。

ÐèÒªÐ޸ĵĵط½±È½ÏÉÙ£¬ÕâÀïÖ»¸ø³öipt_hookµÄÐ޸ģº[code]static unsigned int
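ipt_hook(unsigned int hook,
         struct sk_buff *skb,
         const struct net_device *in,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
{
    /*
     * Filter-table hook with the table bound per device instead of per
     * namespace: the packet is matched against the xt_table registered for
     * the device it was seen on, and is accepted untouched when that device
     * has no binding.
     *
     * Returns NF_ACCEPT when no table is bound to the device, otherwise the
     * verdict of ipt_do_table() for the bound table.
     */

    /* One entry per device: links the device to the table applying to it. */
    struct netns_table_per_dev {
        struct list_head list;
        struct net_device *dev;
        struct xt_table *table;
    };
    /* dev_net(dev)->ipv4.iptable_filter is no longer one xt_table but a list. */
    struct wrap_table {
        struct list_head *tb_list;
    };

    /*
     * `in` is NULL on the LOCAL_OUT path; fall back to `out` so the namespace
     * lookup never dereferences a NULL device.
     * NOTE(review): this also means a LOCAL_OUT packet is matched against the
     * binding of its egress device — confirm that is the intended semantics.
     */
    const struct net_device *dev = in ? in : out;
    /* Must start as NULL: the "no binding" check below relies on it. */
    struct xt_table *table = NULL;
    struct netns_table_per_dev *table_dev;
    struct list_head *pos;
    struct wrap_table *tb_list;

    if (dev == NULL)
        return NF_ACCEPT;

    tb_list = (struct wrap_table *)dev_net(dev)->ipv4.iptable_filter;
    if (tb_list == NULL || tb_list->tb_list == NULL)
        return NF_ACCEPT;

    /*
     * NOTE(review): the list is walked with no visible lock or RCU read
     * section; confirm the registration side cannot modify it concurrently.
     */
    list_for_each(pos, tb_list->tb_list) {
        /* Entries are linked through ->list, so that is the member to recover from. */
        table_dev = list_entry(pos, struct netns_table_per_dev, list);
        if (table_dev->dev == dev) {
            table = table_dev->table;
            break; /* first binding for this device wins */
        }
    }

    /*
     * No table bound to this device: the packet bypasses filtering entirely.
     * This is a fail-open default by design; every device that must be
     * filtered needs an explicit binding.
     */
    if (table == NULL)
        return NF_ACCEPT;

    return ipt_do_table(skb, hook, in, out, table);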
}[/code]一个在协议栈拦截，一个在设备拦截，该手术做的有点大，颠覆了既有的理念，不知道会不会有后遗症。

不管怎样，不能走火入魔。

作者：nono
