Netfilter 之 连接跟踪初始化

基础参数初始化

nf_conntrack_init_start函数完成连接跟踪基础参数的初始化，包括了hash，slab，扩展项，GC任务等；

int nf_conntrack_init_start(void)
{
    int max_factor = 8;
    int ret = -ENOMEM;
    int i;

    /* struct nf_ct_ext uses u8 to store offsets/size */
    BUILD_BUG_ON(total_extension_size() > 255u);

    seqcount_init(&nf_conntrack_generation);

    for (i = 0; i < CONNTRACK_LOCKS; i++)
        spin_lock_init(&nf_conntrack_locks[i]);

    /* 根据内存大小，初始化htable_size */
    if (!nf_conntrack_htable_size) {
        /* Idea from tcp.c: use 1/16384 of memory.
         * On i386: 32MB machine has 512 buckets.
         * >= 1GB machines have 16384 buckets.
         * >= 4GB machines have 65536 buckets.
         */
        nf_conntrack_htable_size
            = (((totalram_pages << PAGE_SHIFT) / 16384)
               / sizeof(struct hlist_head));
        if (totalram_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE)))
            nf_conntrack_htable_size = 65536;
        else if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
            nf_conntrack_htable_size = 16384;
        if (nf_conntrack_htable_size < 32)
            nf_conntrack_htable_size = 32;

        /* Use a max. factor of four by default to get the same max as
         * with the old struct list_heads. When a table size is given
         * we use the old value of 8 to avoid reducing the max.
         * entries. */
        max_factor = 4;
    }

    /* 分配hash */
    nf_conntrack_hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size, 1);
    if (!nf_conntrack_hash)
        return -ENOMEM;

    /* 设置连接跟踪项的最大值 */
    nf_conntrack_max = max_factor * nf_conntrack_htable_size;

    /* 创建nf_conn连接跟踪slab */
    nf_conntrack_cachep = kmem_cache_create("nf_conntrack",
                        sizeof(struct nf_conn),
                        NFCT_INFOMASK + 1,
                        SLAB_TYPESAFE_BY_RCU | SLAB_HWCACHE_ALIGN, NULL);
    if (!nf_conntrack_cachep)
        goto err_cachep;

    printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)
",
           NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
           nf_conntrack_max);

    /* 各个扩展项的初始化 */
    ret = nf_conntrack_expect_init();
    if (ret < 0)
        goto err_expect;

    ret = nf_conntrack_acct_init();
    if (ret < 0)
        goto err_acct;

    ret = nf_conntrack_tstamp_init();
    if (ret < 0)
        goto err_tstamp;

    ret = nf_conntrack_ecache_init();
    if (ret < 0)
        goto err_ecache;

    ret = nf_conntrack_timeout_init();
    if (ret < 0)
        goto err_timeout;

    ret = nf_conntrack_helper_init();
    if (ret < 0)
        goto err_helper;

    ret = nf_conntrack_labels_init();
    if (ret < 0)
        goto err_labels;

    ret = nf_conntrack_seqadj_init();
    if (ret < 0)
        goto err_seqadj;

    /* 初始化nf_ct_l3protos[]初始化为nf_conntrack_l3proto_generic */
    ret = nf_conntrack_proto_init();
    if (ret < 0)
        goto err_proto;

    /* 初始化连接跟踪gc任务 */
    conntrack_gc_work_init(&conntrack_gc_work);
    queue_delayed_work(system_long_wq, &conntrack_gc_work.dwork, HZ);

    return 0;

err_proto:
    nf_conntrack_seqadj_fini();
err_seqadj:
    nf_conntrack_labels_fini();
err_labels:
    nf_conntrack_helper_fini();
err_helper:
    nf_conntrack_timeout_fini();
err_timeout:
    nf_conntrack_ecache_fini();
err_ecache:
    nf_conntrack_tstamp_fini();
err_tstamp:
    nf_conntrack_acct_fini();
err_acct:
    nf_conntrack_expect_fini();
err_expect:
    kmem_cache_destroy(nf_conntrack_cachep);
err_cachep:
    nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_htable_size);
    return ret;
}

协议与tuple操作初始化

nf_conntrack_l3proto_ipv4_init函数完成了协议和tuple操作函数相关的初始化；

static int __init nf_conntrack_l3proto_ipv4_init(void)
{
    int ret = 0;

    need_conntrack();

    ret = nf_register_sockopt(&so_getorigdst);
    if (ret < 0) {
        pr_err("Unable to register netfilter socket option
");
        return ret;
    }

    ret = register_pernet_subsys(&ipv4_net_ops);
    if (ret < 0) {
        pr_err("nf_conntrack_ipv4: can't register pernet ops
");
        goto cleanup_sockopt;
    }

    /* nf_conntrack_l4proto相关初始化 */
    ret = nf_ct_l4proto_register(builtin_l4proto4,
                     ARRAY_SIZE(builtin_l4proto4));
    if (ret < 0)
        goto cleanup_pernet;

    /* nf_conntrack_l3proto相关初始化 */
    ret = nf_ct_l3proto_register(&nf_conntrack_l3proto_ipv4);
    if (ret < 0) {
        pr_err("nf_conntrack_ipv4: can't register ipv4 proto.
");
        goto cleanup_l4proto;
    }

    return ret;
cleanup_l4proto:
    nf_ct_l4proto_unregister(builtin_l4proto4,
                 ARRAY_SIZE(builtin_l4proto4));
 cleanup_pernet:
    unregister_pernet_subsys(&ipv4_net_ops);
 cleanup_sockopt:
    nf_unregister_sockopt(&so_getorigdst);
    return ret;
}

nf_conntrack_l3proto_ipv4

nf_conntrack_l3proto_ipv4 结构成员初始化包括了基础信息，tuple的相关操作，钩子函数的注册，注销等，每个函数的作用如下；

struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
    .l3proto     = PF_INET,
    .name         = "ipv4",
    .pkt_to_tuple     = ipv4_pkt_to_tuple,
    .invert_tuple     = ipv4_invert_tuple,
    .print_tuple     = ipv4_print_tuple,
    .get_l4proto     = ipv4_get_l4proto,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
    .tuple_to_nlattr = ipv4_tuple_to_nlattr,
    .nlattr_tuple_size = ipv4_nlattr_tuple_size,
    .nlattr_to_tuple = ipv4_nlattr_to_tuple,
    .nla_policy     = ipv4_nla_policy,
#endif
    .net_ns_get     = ipv4_hooks_register,
    .net_ns_put     = ipv4_hooks_unregister,
    .me         = THIS_MODULE,
};

tuple相关操作

/* 从ip头中获取源目的地址，存入tuple */
static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
                  struct nf_conntrack_tuple *tuple)
{
    const __be32 *ap;
    __be32 _addrs[2];
    ap = skb_header_pointer(skb, nhoff + offsetof(struct iphdr, saddr),
                sizeof(u_int32_t) * 2, _addrs);
    if (ap == NULL)
        return false;

    tuple->src.u3.ip = ap[0];
    tuple->dst.u3.ip = ap[1];

    return true;
}

/* 根据原tuple地址设置新tuple，源目的地址均相反 */
static bool ipv4_invert_tuple(struct nf_conntrack_tuple *tuple,
                  const struct nf_conntrack_tuple *orig)
{
    tuple->src.u3.ip = orig->dst.u3.ip;
    tuple->dst.u3.ip = orig->src.u3.ip;

    return true;
}

/* 打印tuple的源目的地址 */
static void ipv4_print_tuple(struct seq_file *s,
                const struct nf_conntrack_tuple *tuple)
{
    seq_printf(s, "src=%pI4 dst=%pI4 ",
           &tuple->src.u3.ip, &tuple->dst.u3.ip);
}

/* 获取ip头中的协议 */
static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
                unsigned int *dataoff, u_int8_t *protonum)
{
    const struct iphdr *iph;
    struct iphdr _iph;

    
    iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
    if (iph == NULL)
        return -NF_ACCEPT;

    /* Conntrack defragments packets, we might still see fragments
     * inside ICMP packets though. */
    if (iph->frag_off & htons(IP_OFFSET))
        return -NF_ACCEPT;

    *dataoff = nhoff + (iph->ihl << 2);
    *protonum = iph->protocol;

    /* Check bogus IP headers */
    if (*dataoff > skb->len) {
        pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
             "nhoff %u, ihl %u, skblen %u
",
             nhoff, iph->ihl << 2, skb->len);
        return -NF_ACCEPT;
    }

    return NF_ACCEPT;
}

netlink与tuple之间的操作

/* 填充tuple的源目的地址到netlink */
static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
                const struct nf_conntrack_tuple *tuple)
{
    if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
        nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
        goto nla_put_failure;
    return 0;

nla_put_failure:
    return -1;
}

static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {
    [CTA_IP_V4_SRC]    = { .type = NLA_U32 },
    [CTA_IP_V4_DST]    = { .type = NLA_U32 },
};

/* 将netlink中的源目的地址填充到tuple */
static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
                struct nf_conntrack_tuple *t)
{
    if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
        return -EINVAL;

    t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
    t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);

    return 0;
}

/* 获取netlink中的tuple大小 */
static int ipv4_nlattr_tuple_size(void)
{
    return nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1);
}

钩子函数的注册

ipv4_hooks_register钩子函数注册回调，其中分为两步，defrag钩子注册和其他钩子注册；

static int ipv4_hooks_register(struct net *net)
{
    struct conntrack4_net *cnet = net_generic(net, conntrack4_net_id);
    int err = 0;

    mutex_lock(&register_ipv4_hooks);

    cnet->users++;
    if (cnet->users > 1)
        goto out_unlock;

    /* defrag钩子函数注册 */
    err = nf_defrag_ipv4_enable(net);
    if (err) {
        cnet->users = 0;
        goto out_unlock;
    }

    /* 注册netfilter钩子函数 */
    err = nf_register_net_hooks(net, ipv4_conntrack_ops,
                    ARRAY_SIZE(ipv4_conntrack_ops));

    if (err)
        cnet->users = 0;
 out_unlock:
    mutex_unlock(&register_ipv4_hooks);
    return err;
}

nf_defrag_ipv4_enable为defrag钩子注册流程；

int nf_defrag_ipv4_enable(struct net *net)
{
    int err = 0;

    might_sleep();

    if (net->nf.defrag_ipv4)
        return 0;

    mutex_lock(&defrag4_mutex);
    if (net->nf.defrag_ipv4)
        goto out_unlock;

    err = nf_register_net_hooks(net, ipv4_defrag_ops,
                    ARRAY_SIZE(ipv4_defrag_ops));
    if (err == 0)
        net->nf.defrag_ipv4 = true;

 out_unlock:
    mutex_unlock(&defrag4_mutex);
    return err;
}

defrag钩子函数；

static struct nf_hook_ops ipv4_defrag_ops[] = {
    {
        .hook        = ipv4_conntrack_defrag,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_PRE_ROUTING,
        .priority    = NF_IP_PRI_CONNTRACK_DEFRAG,
    },
    {
        .hook           = ipv4_conntrack_defrag,
        .pf             = NFPROTO_IPV4,
        .hooknum        = NF_INET_LOCAL_OUT,
        .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
    },
};

conntrack_in，helper，confirm钩子函数；

static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
    {
        .hook        = ipv4_conntrack_in,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_PRE_ROUTING,
        .priority    = NF_IP_PRI_CONNTRACK,
    },
    {
        .hook        = ipv4_conntrack_local,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_LOCAL_OUT,
        .priority    = NF_IP_PRI_CONNTRACK,
    },
    {
        .hook        = ipv4_helper,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_POST_ROUTING,
        .priority    = NF_IP_PRI_CONNTRACK_HELPER,
    },
    {
        .hook        = ipv4_confirm,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_POST_ROUTING,
        .priority    = NF_IP_PRI_CONNTRACK_CONFIRM,
    },
    {
        .hook        = ipv4_helper,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_LOCAL_IN,
        .priority    = NF_IP_PRI_CONNTRACK_HELPER,
    },
    {
        .hook        = ipv4_confirm,
        .pf        = NFPROTO_IPV4,
        .hooknum    = NF_INET_LOCAL_IN,
        .priority    = NF_IP_PRI_CONNTRACK_CONFIRM,
    },
};

nf_conntrack_l4proto_tcp4

多种协议会实现自己的nf_conntrack_l4proto，这里只列出tcp的实现，简要看下；

nf_conntrack_l4proto_tcp4结构中的函数与nf_conntrack_l3proto_ipv4 结构类似，其中多数函数是将源目的ip的操作换成了源目的端口的操作，此处不重复分析，另外增加了几个连接相关的操作函数packet，new等，遇到的时候在展开分析；

struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
{
    .l3proto        = PF_INET,
    .l4proto         = IPPROTO_TCP,
    .name             = "tcp",
    .pkt_to_tuple         = tcp_pkt_to_tuple,
    .invert_tuple         = tcp_invert_tuple,
    .print_tuple         = tcp_print_tuple,
    .print_conntrack     = tcp_print_conntrack,
    .packet         = tcp_packet,
    .get_timeouts        = tcp_get_timeouts,
    .new             = tcp_new,
    .error            = tcp_error,
    .can_early_drop        = tcp_can_early_drop,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
    .to_nlattr        = tcp_to_nlattr,
    .nlattr_size        = tcp_nlattr_size,
    .from_nlattr        = nlattr_to_tcp,
    .tuple_to_nlattr    = nf_ct_port_tuple_to_nlattr,
    .nlattr_to_tuple    = nf_ct_port_nlattr_to_tuple,
    .nlattr_tuple_size    = tcp_nlattr_tuple_size,
    .nla_policy        = nf_ct_port_nla_policy,
#endif
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
    .ctnl_timeout        = {
        .nlattr_to_obj    = tcp_timeout_nlattr_to_obj,
        .obj_to_nlattr    = tcp_timeout_obj_to_nlattr,
        .nlattr_max    = CTA_TIMEOUT_TCP_MAX,
        .obj_size    = sizeof(unsigned int) *
                    TCP_CONNTRACK_TIMEOUT_MAX,
        .nla_policy    = tcp_timeout_nla_policy,
    },
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
    .init_net        = tcp_init_net,
    .get_net_proto        = tcp_get_net_proto,
};