Netfilter 之 iptable_filter

概述

本文主要对filter表的初始化流程，以及钩子函数的规则match流程的源码进行分析；

源码分析

所在钩子点：

/* 在LOCAL_IN，FORWARD, LOCAL_OUT钩子点工作 */
#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | 
                (1 << NF_INET_FORWARD) | 
                (1 << NF_INET_LOCAL_OUT))

filter表信息：

/* filter表的信息 */
static const struct xt_table packet_filter = {
    .name        = "filter",
    .valid_hooks    = FILTER_VALID_HOOKS,  /* filter工作的钩子点 */
    .me        = THIS_MODULE,
    .af        = NFPROTO_IPV4,
    .priority    = NF_IP_PRI_FILTER,
    .table_init    = iptable_filter_table_init,
};

初始化：

static int __net_init iptable_filter_table_init(struct net *net)
{
    struct ipt_replace *repl;
    int err;

    /* filter表已经被初始化了，返回 */
    if (net->ipv4.iptable_filter)
        return 0;

    /* 分配初始化表，用于下面的表注册 */
    repl = ipt_alloc_initial_table(&packet_filter);
    if (repl == NULL)
        return -ENOMEM;
    /* Entry 1 is the FORWARD hook */
    /* 入口1是否为FORWARD钩子点时的verdict值设置 */
    ((struct ipt_standard *)repl->entries)[1].target.verdict =
        forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;

    /* 注册filter表，注册后，ipv4.iptable_filter保存了注册后的新表 */
    err = ipt_register_table(net, &packet_filter, repl, filter_ops,
                 &net->ipv4.iptable_filter);

    /* 释放初始化表 */
    kfree(repl);
    return err;
}

分配用于初始化的table结构，其中的xt_alloc_initial_table是以宏的形式存在的；

void *ipt_alloc_initial_table(const struct xt_table *info)
{
    return xt_alloc_initial_table(ipt, IPT);
}

为了看起来方便，这里对函数进行了宏替换；

void * ipt_alloc_initial_table(const struct xt_table *info) { 
    /* 钩子点掩码 */
    unsigned int hook_mask = info->valid_hooks; 
    /* 钩子点数量 */
    unsigned int nhooks = hweight32(hook_mask); 
    unsigned int bytes = 0, hooknum = 0, i = 0; 
    /* 此次构造的表结构 */
    struct { 
        struct ipt_replace repl; 
        struct ipt_standard entries[]; 
    } *tbl; 
    
    struct ipt_error *term;

    /* 算出entries的偏移 */
    size_t term_offset = (offsetof(iptof(*tbl), entries[nhooks]) + 
        __alignof__(*term) - 1) & ~(__alignof__(*term) - 1);
    /* 分配内存 */
    tbl = kzalloc(term_offset + sizeof(*term), GFP_KERNEL); 
    if (tbl == NULL) 
        return NULL; 
    /* 找到error部分 */
    term = (struct ipt_error *)&(((char *)tbl)[term_offset]); 
    /* 拷贝表名 */
    strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name));
    /* 初始化error */
    *term = (struct ipt_error)IPT_ERROR_INIT;
    /* 初始化钩子点，数量(包括error)，占用内存大小 */
    tbl->repl.valid_hooks = hook_mask; 
    tbl->repl.num_entries = nhooks + 1; 
    tbl->repl.size = nhooks * sizeof(struct ipt_standard) + 
             sizeof(struct ipt_error); 
    /* 对每个偏移进行初始化 */
    for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { 
        if (!(hook_mask & 1)) 
            continue; 
        tbl->repl.hook_entry[hooknum] = bytes; 
        tbl->repl.underflow[hooknum]  = bytes; 
        tbl->entries[i++] = (struct ipt_standard) 
            IPT_STANDARD_INIT(NF_ACCEPT); 
        bytes += sizeof(struct ipt_standard); 
    } 
    /* 返回表 */
    return tbl; 
}

ipt_register_table完成表注册流程，其中包括了分配table_info结构，并且与table->private进行关联，table中规则的合法性检查，以及调用nf_register_net_hooks进行钩子函数的注册；

/* 表注册 */
int ipt_register_table(struct net *net, const struct xt_table *table,
               const struct ipt_replace *repl,
               const struct nf_hook_ops *ops, struct xt_table **res)
{
    int ret;
    struct xt_table_info *newinfo;
    struct xt_table_info bootstrap = {0};
    void *loc_cpu_entry;
    struct xt_table *new_table;

    /* 分配table_info结构 */
    newinfo = xt_alloc_table_info(repl->size);
    if (!newinfo)
        return -ENOMEM;

    /* 拷贝entries到table_info */
    loc_cpu_entry = newinfo->entries;
    memcpy(loc_cpu_entry, repl->entries, repl->size);

    /* 合法性检查 */
    ret = translate_table(net, newinfo, loc_cpu_entry, repl);
    if (ret != 0)
        goto out_free;

    /* 建立新表，关联private到newinfo */
    new_table = xt_register_table(net, table, &bootstrap, newinfo);
    if (IS_ERR(new_table)) {
        ret = PTR_ERR(new_table);
        goto out_free;
    }

    /* set res now, will see skbs right after nf_register_net_hooks */
    /* 设置返回值指向新表 */
    WRITE_ONCE(*res, new_table);

    /* 注册钩子函数 */
    ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
    if (ret != 0) {
        __ipt_unregister_table(net, new_table);
        *res = NULL;
    }

    return ret;

out_free:
    xt_free_table_info(newinfo);
    return ret;
}

xt_register_table建立新表，将xt_table_info与表进行关联，并将表加入到net->xt.tables[table->af]链表；

struct xt_table *xt_register_table(struct net *net,
                   const struct xt_table *input_table,
                   struct xt_table_info *bootstrap,
                   struct xt_table_info *newinfo)
{
    int ret;
    struct xt_table_info *private;
    struct xt_table *t, *table;

    /* Don't add one object to multiple lists. */
    /* 建立新表 */
    table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
    if (!table) {
        ret = -ENOMEM;
        goto out;
    }

    mutex_lock(&xt[table->af].mutex);
    /* Don't autoload: we'd eat our tail... */
    /* 验证是否已经存在相同名字的表 */
    list_for_each_entry(t, &net->xt.tables[table->af], list) {
        if (strcmp(t->name, table->name) == 0) {
            ret = -EEXIST;
            goto unlock;
        }
    }

    /* Simplifies replace_table code. */
    table->private = bootstrap;

    /* 设置newinfo到table的privates */
    if (!xt_replace_table(table, 0, newinfo, &ret))
        goto unlock;

    private = table->private;
    pr_debug("table->private->number = %u
", private->number);

    /* save number of initial entries */
    private->initial_entries = private->number;

    /* 将表加入到xt.tables中 */
    list_add(&table->list, &net->xt.tables[table->af]);
    mutex_unlock(&xt[table->af].mutex);

    /* 返回新表 */
    return table;

unlock:
    mutex_unlock(&xt[table->af].mutex);
    kfree(table);
out:
    return ERR_PTR(ret);
}

钩子函数iptable_filter_hook，该函数主要调用ipt_do_table函数进行规则的匹配；

static unsigned int
iptable_filter_hook(void *priv, struct sk_buff *skb,
            const struct nf_hook_state *state)
{
    /* LOCAL_OUT && (数据长度不足ip头 || 实际ip头部长度不足最小ip头)，在使用raw socket */
    if (state->hook == NF_INET_LOCAL_OUT &&
        (skb->len < sizeof(struct iphdr) ||
         ip_hdrlen(skb) < sizeof(struct iphdr)))
        /* root is playing with raw sockets. */
        return NF_ACCEPT;

    /* 核心规则匹配流程 */
    return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
}

ipt_do_table是核心的规则匹配流程，其中包括了标准match，扩展match，标准target，扩展target的相关处理；

/* 遍历钩子链上的所有规则，进行标准匹配和扩展匹配，执行其target操作 */
unsigned int
ipt_do_table(struct sk_buff *skb,
         const struct nf_hook_state *state,
         struct xt_table *table)
{
    unsigned int hook = state->hook;
    static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
    const struct iphdr *ip;
    /* Initializing verdict to NF_DROP keeps gcc happy. */
    unsigned int verdict = NF_DROP;
    const char *indev, *outdev;
    const void *table_base;
    struct ipt_entry *e, **jumpstack;
    unsigned int stackidx, cpu;
    const struct xt_table_info *private;
    struct xt_action_param acpar;
    unsigned int addend;

    /* Initialization */
    stackidx = 0;
    ip = ip_hdr(skb);
    indev = state->in ? state->in->name : nulldevname;
    outdev = state->out ? state->out->name : nulldevname;
    /* We handle fragments by dealing with the first fragment as
     * if it was a normal packet.  All other fragments are treated
     * normally, except that they will NEVER match rules that ask
     * things we don't know, ie. tcp syn flag or ports).  If the
     * rule is also a fragment-specific rule, non-fragments won't
     * match it. */
    acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
    acpar.thoff   = ip_hdrlen(skb);
    acpar.hotdrop = false;
    acpar.state   = state;

    IP_NF_ASSERT(table->valid_hooks & (1 << hook));
    local_bh_disable();
    addend = xt_write_recseq_begin();
    private = table->private;
    cpu        = smp_processor_id();
    /*
     * Ensure we load private-> members after we've fetched the base
     * pointer.
     */
    smp_read_barrier_depends();
    /* 首个规则地址 */
    table_base = private->entries;
    jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];

    /* Switch to alternate jumpstack if we're being invoked via TEE.
     * TEE issues XT_CONTINUE verdict on original skb so we must not
     * clobber the jumpstack.
     *
     * For recursion via REJECT or SYNPROXY the stack will be clobbered
     * but it is no problem since absolute verdict is issued by these.
     */
    if (static_key_false(&xt_tee_enabled))
        jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);

    /* 获取对应链上的首个匹配规则 */
    e = get_entry(table_base, private->hook_entry[hook]);

    do {
        const struct xt_entry_target *t;
        const struct xt_entry_match *ematch;
        struct xt_counters *counter;

        IP_NF_ASSERT(e);
        /* 标准match */
        if (!ip_packet_match(ip, indev, outdev,
            &e->ip, acpar.fragoff)) {
 no_match:
             /* 未匹配成功，继续下一个规则 */
            e = ipt_next_entry(e);
            continue;
        }

        /* 扩展match */
        xt_ematch_foreach(ematch, e) {
            acpar.match     = ematch->u.kernel.match;
            acpar.matchinfo = ematch->data;
            /* 只要有返回不匹配的，则说明匹配当前规则失败 */
            if (!acpar.match->match(skb, &acpar))
                goto no_match;
        }

        counter = xt_get_this_cpu_counter(&e->counters);
        ADD_COUNTER(*counter, skb->len, 1);

        /* 标准match和扩展match都成功 */

        /* 获取target */
        t = ipt_get_target(e);
        IP_NF_ASSERT(t->u.kernel.target);

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
        /* The packet is traced: log it */
        if (unlikely(skb->nf_trace))
            trace_packet(state->net, skb, hook, state->in,
                     state->out, table->name, private, e);
#endif
        /* Standard target? */
        /* 标准target */
        if (!t->u.kernel.target->target) {
            int v;

            v = ((struct xt_standard_target *)t)->verdict;
            /* 不会跳转到用户自定义规则 */
            if (v < 0) {
                /* Pop from stack? */
                /* 不是XT_RETURN，则跳出处理结果 */
                if (v != XT_RETURN) {
                    verdict = (unsigned int)(-v) - 1;
                    break;
                }

                /* XT_RETURN则继续匹配下一条规则 */
                if (stackidx == 0) {
                    e = get_entry(table_base,
                        private->underflow[hook]);
                } else {
                    e = jumpstack[--stackidx];
                    e = ipt_next_entry(e);
                }
                continue;
            }

            /* 记录跳转规则，以便返回时获取下一跳规则进行后续匹配 */
            if (table_base + v != ipt_next_entry(e) &&
                !(e->ip.flags & IPT_F_GOTO))
                jumpstack[stackidx++] = e;

            /* 获取自定义规则 */
            e = get_entry(table_base, v);
            continue;
        }

        /* 扩展target，执行target回调 */

        acpar.target   = t->u.kernel.target;
        acpar.targinfo = t->data;

        verdict = t->u.kernel.target->target(skb, &acpar);
        /* Target might have changed stuff. */
        ip = ip_hdr(skb);

        /* 需要继续匹配 */
        if (verdict == XT_CONTINUE)
            e = ipt_next_entry(e);
        /* 跳出处理匹配结果 */
        else
            /* Verdict */
            break;
    /* 无hotdrop，继续匹配 */
    } while (!acpar.hotdrop);

    xt_write_recseq_end(addend);
    local_bh_enable();

    /* drop标记 */
    if (acpar.hotdrop)
        return NF_DROP;
    /* 返回匹配结果 */
    else return verdict;
}