孔志奎

孔志奎的博客

他的个人主页  他的博客

基于netfilter机制的IP数据包过滤驱动模版

孔志奎  2012年04月20日 星期五 16:38 | 2722次浏览 | 0条评论

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>

#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>

#include <asm/uaccess.h>
#include <asm/checksum.h>


#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int demo_nf_pre_routing(unsigned int hook,
                                        struct sk_buff *skb,
                                        const struct net_device *in,
                                        const struct net_device *out, int (*okfn) (struct sk_buff *))
#else
static unsigned int demo_nf_pre_routing(unsigned int hook,
                                        struct sk_buff **pskb,
                                        const struct net_device *in,
                                        const struct net_device *out, int (*okfn) (struct sk_buff *))
#endif
{
  return NF_ACCEPT;
}

static unsigned int
demo_nf_pre_routing_ipv6(unsigned int hook,
                         struct sk_buff *skb,
                         const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *))
{
  return NF_ACCEPT;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int demo_nf_local_in(unsigned int hook,
                                     struct sk_buff *skb,
                                     const struct net_device *in,
                                     const struct net_device *out, int (*okfn) (struct sk_buff *))
#else
static unsigned int demo_nf_local_in(unsigned int hook,
                                     struct sk_buff **pskb,
                                     const struct net_device *in,
                                     const struct net_device *out, int (*okfn) (struct sk_buff *))
#endif
{
  DBGDBG("entered, packet len: %d\n", skb->len + skb->mac_len);
  DBGHEX(skb->mac_header, skb->mac_len + skb->len);
  return NF_ACCEPT;
}

static unsigned int
demo_nf_local_in_ipv6(unsigned int hook,
                      struct sk_buff **pskb,
                      const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *))
{
  return NF_ACCEPT;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int demo_nf_forward(unsigned int hook,
                                    struct sk_buff *skb,
                                    const struct net_device *in,
                                    const struct net_device *out, int (*okfn) (struct sk_buff *))
#else
static unsigned int demo_nf_forward(unsigned int hook,
                                    struct sk_buff **pskb,
                                    const struct net_device *in,
                                    const struct net_device *out, int (*okfn) (struct sk_buff *))
#endif
{
  return NF_ACCEPT;
}

static unsigned int
demo_nf_forward_ipv6(unsigned int hook,
                     struct sk_buff **pskb,
                     const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *))
{
  return NF_ACCEPT;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int demo_nf_local_out(unsigned int hook,
                                      struct sk_buff *skb,
                                      const struct net_device *in,
                                      const struct net_device *out, int (*okfn) (struct sk_buff *))
#else
static unsigned int demo_nf_local_out(unsigned int hook,
                                      struct sk_buff **pskb,
                                      const struct net_device *in,
                                      const struct net_device *out, int (*okfn) (struct sk_buff *))
#endif
{
  return NF_ACCEPT;
}

static unsigned int
demo_nf_local_out_ipv6(unsigned int hook,
                       struct sk_buff **pskb,
                       const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *))
{
  return NF_ACCEPT;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int demo_nf_post_routing(unsigned int hook,
                                         struct sk_buff *skb,
                                         const struct net_device *in,
                                         const struct net_device *out, int (*okfn) (struct sk_buff *))
#else
static unsigned int demo_nf_post_routing(unsigned int hook,
                                         struct sk_buff **pskb,
                                         const struct net_device *in,
                                         const struct net_device *out, int (*okfn) (struct sk_buff *))
#endif
{
  return NF_ACCEPT;
}

static unsigned int
demo_nf_post_routing_ipv6(unsigned int hook,
                          struct sk_buff **pskb,
                          const struct net_device *in, const struct net_device *out, int (*okfn) (struct sk_buff *))
{
  return NF_ACCEPT;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static struct nf_hook_ops demo_nf_ops[] = {
  {.hook = demo_nf_pre_routing,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_INET_PRE_ROUTING,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_pre_routing_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_INET_PRE_ROUTING,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_local_in,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_INET_LOCAL_IN,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_local_in_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_INET_LOCAL_IN,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_forward,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_INET_FORWARD,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_forward_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_INET_FORWARD,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_local_out,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_INET_LOCAL_OUT,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_local_out_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_INET_LOCAL_OUT,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_post_routing,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_INET_POST_ROUTING,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_post_routing_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_INET_POST_ROUTING,
   .priority = NF_IP6_PRI_FILTER,},
};
#else
static struct nf_hook_ops demo_nf_ops[] = {
  {.hook = demo_nf_pre_routing,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_IP_PRE_ROUTING,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_pre_routing_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_IP6_PRE_ROUTING,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_local_in,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_IP_LOCAL_IN,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_local_in_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_IP6_LOCAL_IN,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_forward,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_IP_FORWARD,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_forward_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_IP6_FORWARD,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_local_out,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_IP_LOCAL_OUT,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_local_out_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_IP6_LOCAL_OUT,
   .priority = NF_IP6_PRI_FILTER,},
  {.hook = demo_nf_post_routing,
   .owner = THIS_MODULE,
   .pf = PF_INET,
   .hooknum = NF_IP_POST_ROUTING,
   .priority = NF_IP_PRI_FILTER,},
  {.hook = demo_nf_post_routing_ipv6,
   .owner = THIS_MODULE,
   .pf = PF_INET6,
   .hooknum = NF_IP6_POST_ROUTING,
   .priority = NF_IP6_PRI_FILTER,},
};
#endif

//call this func in module_init func
int demo_filter_init(void)
{
  int i, ret;

  for (i = 0; i < ARRAY_SIZE(demo_nf_ops); i++) {
    if ((ret = nf_register_hook(&demo_nf_ops[i])) >= 0)
      continue;

    while (i--)
      nf_unregister_hook(&demo_nf_ops[i]);

    return ret;
  }

  DBGINFO("Demo netfilter driver initialized\n");

  return 0;
}

//call this func in module_exit func
void demo_filter_uninit(void)
{
  int i;

  for (i = ARRAY_SIZE(demo_nf_ops) - 1; i >= 0; i--)
    nf_unregister_hook(&demo_nf_ops[i]);

  DBGINFO("Demo netfilter driver uninitialized\n");
}

 

博客同步发布于CSDN: http://blog.csdn.net/kevin1078/article/details/7481979

评论

我的评论:

发表评论

请 登录 后发表评论。还没有在Zeuux哲思注册吗?现在 注册 !

暂时没有评论
反馈意见 帮助中心 服务条款 版权声明 关于哲思

Zeuux © 2024

京ICP备05028076号