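Overview
Tracing the code for the hook points and priorities yields the mapping diagram below. In the diagram, the horizontal axis is the hook point and the vertical axis is the priority; the hook functions at each hook point are laid out by priority.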
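Detailed analysis
The five hook points are shown below. The hook functions at these five hook points are ordered by the priorities above, from smallest to largest.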
/* IP Hooks */
/* After promisc drops, checksum checks. */
#define NF_IP_PRE_ROUTING	0
/* If the packet is destined for this box. */
#define NF_IP_LOCAL_IN		1
/* If the packet is destined for another interface. */
#define NF_IP_FORWARD		2
/* Packets coming from a local process. */
#define NF_IP_LOCAL_OUT		3
/* Packets about to hit the wire. */
#define NF_IP_POST_ROUTING	4
#define NF_IP_NUMHOOKS		5
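Hook function priorities range from INT_MIN to INT_MAX. The enumerator names give a rough idea of the relative priority at which each table's hook functions run.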
enum nf_ip_hook_priorities {
	NF_IP_PRI_FIRST = INT_MIN,
	NF_IP_PRI_CONNTRACK_DEFRAG = -400,
	NF_IP_PRI_RAW = -300,
	NF_IP_PRI_SELINUX_FIRST = -225,
	NF_IP_PRI_CONNTRACK = -200,
	NF_IP_PRI_MANGLE = -150,
	NF_IP_PRI_NAT_DST = -100,
	NF_IP_PRI_FILTER = 0,
	NF_IP_PRI_SECURITY = 50,
	NF_IP_PRI_NAT_SRC = 100,
	NF_IP_PRI_SELINUX_LAST = 225,
	NF_IP_PRI_CONNTRACK_HELPER = 300,
	NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
	NF_IP_PRI_LAST = INT_MAX,
};
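Searching the source for the priority you care about shows the hook functions registered at it. For example, the hook functions for NF_IP_PRI_CONNTRACK_DEFRAG are shown below: they sit at the PRE_ROUTING and LOCAL_OUT hook points, and both use the hook function ipv4_conntrack_defrag. Checking each priority in turn this way produces the diagram at the start of this article.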
static struct nf_hook_ops ipv4_defrag_ops[] = {
	{
		.hook = ipv4_conntrack_defrag,
		.pf = NFPROTO_IPV4,
		.hooknum = NF_INET_PRE_ROUTING,
		.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
	},
	{
		.hook = ipv4_conntrack_defrag,
		.pf = NFPROTO_IPV4,
		.hooknum = NF_INET_LOCAL_OUT,
		.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
	},
};
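The per-hook-point ordering described above can be reproduced with a small userspace model. This is an added example, not kernel code and not from the original article: `register_hook`, `run_position`, `load_sample`, the entry labels and the `my_inspect` hook are hypothetical, the sample registrations are constructed, and the tie-break for equal priorities is an assumption of the model. It shows that a hook placed at NF_IP_PRI_FILTER on PRE_ROUTING runs after the defrag, raw, conntrack and NAT_DST entries regardless of registration order.

```c
#include <stdio.h>
#include <string.h>
/* Hook points and priority values copied from the listings on this page. */
enum { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUMHOOKS };
enum { PRI_CONNTRACK_DEFRAG = -400, PRI_RAW = -300, PRI_CONNTRACK = -200,
       PRI_NAT_DST = -100, PRI_FILTER = 0 };
#define MAX_PER_HOOK 16
struct entry { const char *name; int priority; };
static struct entry chain[NUMHOOKS][MAX_PER_HOOK];
static int chain_len[NUMHOOKS];
/* Sorted insert: ascending priority; ties keep registration order (model assumption). */
static int register_hook(int hooknum, const char *name, int priority)
{
    if (hooknum < 0 || hooknum >= NUMHOOKS || chain_len[hooknum] == MAX_PER_HOOK)
        return -1;
    int i = chain_len[hooknum]++;
    for (; i > 0 && chain[hooknum][i - 1].priority > priority; i--)
        chain[hooknum][i] = chain[hooknum][i - 1];   /* shift later entries down */
    chain[hooknum][i] = (struct entry){ name, priority };
    return 0;
}

/* Index at which `name` runs on a hook point, or -1 if not registered there. */
static int run_position(int hooknum, const char *name)
{
    for (int i = 0; i < chain_len[hooknum]; i++)
        if (strcmp(chain[hooknum][i].name, name) == 0)
            return i;
    return -1;
}

/* Constructed registrations, deliberately issued out of priority order. */
static void load_sample(void)
{
    memset(chain_len, 0, sizeof chain_len);
    register_hook(PRE_ROUTING, "my_inspect", PRI_FILTER);   /* hypothetical hook */
    register_hook(PRE_ROUTING, "nat_dst", PRI_NAT_DST);
    register_hook(PRE_ROUTING, "raw", PRI_RAW);
    register_hook(PRE_ROUTING, "conntrack", PRI_CONNTRACK);
    register_hook(PRE_ROUTING, "defrag", PRI_CONNTRACK_DEFRAG);
    register_hook(LOCAL_OUT, "defrag", PRI_CONNTRACK_DEFRAG);
}

int main(void)
{
    load_sample();
    for (int i = 0; i < chain_len[PRE_ROUTING]; i++)
        printf("%d %s (%d)\n", i, chain[PRE_ROUTING][i].name, chain[PRE_ROUTING][i].priority);
    return 0;
}
```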