基于netfilter机制的IP数据包过滤驱动模版
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>
#include <asm/uaccess.h>
#include <asm/checksum.h>
/*
 * IPv4 PRE_ROUTING hook: template stub that accepts every packet.
 *
 * Packet contents reaching a netfilter hook are untrusted input. Code added
 * here should validate header lengths (for example with pskb_may_pull())
 * before parsing anything out of the skb.
 *
 * NOTE(review): the 2.6.32 cut-off for the sk_buff ** prototype should be
 * checked against the kernels actually targeted.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
		    const struct net_device *in,
		    const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
		    const struct net_device *in,
		    const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
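/*
 * IPv6 PRE_ROUTING hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file, so that it matches what the .hook slot of demo_nf_ops expects
 * on either side of the guard. With a mismatched prototype, filtering code
 * added later would dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_pre_routing_ipv6(unsigned int hook, struct sk_buff *skb,
			 const struct net_device *in,
			 const struct net_device *out,
			 int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_pre_routing_ipv6(unsigned int hook, struct sk_buff **pskb,
			 const struct net_device *in,
			 const struct net_device *out,
			 int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}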
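/*
 * IPv4 LOCAL_IN hook: logs the packet length, hex-dumps the packet starting
 * at its MAC header, then accepts it.
 *
 * The dump is a debugging aid only. It copies packet bytes (payload included)
 * into whatever sink DBGHEX writes to, so it should stay disabled outside of
 * development builds.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_in(unsigned int hook, struct sk_buff *skb,
		 const struct net_device *in,
		 const struct net_device *out,
		 int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_in(unsigned int hook, struct sk_buff **pskb,
		 const struct net_device *in,
		 const struct net_device *out,
		 int (*okfn)(struct sk_buff *))
#endif
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 32)
	/* The older prototype only has pskb; the body below needs the skb. */
	struct sk_buff *skb = *pskb;
#endif
	/*
	 * skb->len also counts bytes stored in page fragments, which do not
	 * follow the header area in memory. Dumping mac_len + len bytes from
	 * the MAC header would read past the linear buffer for such packets,
	 * so the dump is capped at the linear part.
	 * Assumes skb->data sits mac_len bytes after the MAC header at this
	 * hook -- TODO confirm for the target kernel.
	 */
	unsigned int dump_len = skb->mac_len + skb_headlen(skb);

	/* Both operands are unsigned, hence %u rather than %d. */
	DBGDBG("entered, packet len: %u\n", skb->len + skb->mac_len);
	/*
	 * skb_mac_header() yields a real pointer; the raw mac_header field is
	 * an offset on some configurations.
	 * DBGHEX is defined elsewhere; assumed to take (pointer, byte count).
	 */
	DBGHEX(skb_mac_header(skb), dump_len);
	return NF_ACCEPT;
}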
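/*
 * IPv6 LOCAL_IN hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_in_ipv6(unsigned int hook, struct sk_buff *skb,
		      const struct net_device *in,
		      const struct net_device *out,
		      int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_in_ipv6(unsigned int hook, struct sk_buff **pskb,
		      const struct net_device *in,
		      const struct net_device *out,
		      int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}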
/*
 * IPv4 FORWARD hook: template stub that accepts every packet.
 *
 * Packets seen here are being routed through the host, not delivered to it.
 * Any parsing added later must bounds-check the headers first, since the
 * contents come from the network.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_forward(unsigned int hook, struct sk_buff *skb,
		const struct net_device *in,
		const struct net_device *out,
		int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_forward(unsigned int hook, struct sk_buff **pskb,
		const struct net_device *in,
		const struct net_device *out,
		int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
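/*
 * IPv6 FORWARD hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_forward_ipv6(unsigned int hook, struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_forward_ipv6(unsigned int hook, struct sk_buff **pskb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}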
/*
 * IPv4 LOCAL_OUT hook: template stub that accepts every packet.
 *
 * Intended as the extension point for egress checks on traffic generated by
 * the local host.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_out(unsigned int hook, struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_out(unsigned int hook, struct sk_buff **pskb,
		  const struct net_device *in,
		  const struct net_device *out,
		  int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
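/*
 * IPv6 LOCAL_OUT hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_out_ipv6(unsigned int hook, struct sk_buff *skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_out_ipv6(unsigned int hook, struct sk_buff **pskb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}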
/*
 * IPv4 POST_ROUTING hook: template stub that accepts every packet.
 *
 * Intended as the extension point for checks on packets that are about to
 * leave the host, whether forwarded or locally generated.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_post_routing(unsigned int hook, struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
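/*
 * IPv6 POST_ROUTING hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_post_routing_ipv6(unsigned int hook, struct sk_buff *skb,
			  const struct net_device *in,
			  const struct net_device *out,
			  int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_post_routing_ipv6(unsigned int hook, struct sk_buff **pskb,
			  const struct net_device *in,
			  const struct net_device *out,
			  int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}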
/*
 * Hook registration table: one entry per (protocol family, hook point) pair.
 * It covers the five hook points for both PF_INET and PF_INET6, ten entries
 * in total. IPv4 entries use NF_IP_PRI_FILTER and IPv6 entries use
 * NF_IP6_PRI_FILTER as their priority.
 *
 * Every hook in this template returns NF_ACCEPT, so loading the module does
 * not restrict any traffic until the hook bodies are filled in.
 *
 * NOTE(review): struct nf_hook_ops and the registration calls changed in
 * later kernels; this table targets the 2.6-era interface -- confirm against
 * the kernel being built for.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
/* Newer branch: hook points use the family-independent NF_INET_* names. */
static struct nf_hook_ops demo_nf_ops[] = {
{.hook = demo_nf_pre_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_pre_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_in_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_forward,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_forward_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_out_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_post_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_post_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
};
#else
/* Older branch: hook points use the per-family NF_IP_* / NF_IP6_* names. */
static struct nf_hook_ops demo_nf_ops[] = {
{.hook = demo_nf_pre_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_pre_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_PRE_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_in_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_forward,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_FORWARD,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_forward_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_FORWARD,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_out_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_post_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_post_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_POST_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
};
#endif
/*
 * Register every entry of demo_nf_ops with netfilter.
 *
 * Meant to be called from the module's module_init function. If one
 * registration fails, the entries registered so far are unregistered again
 * and the negative error code is returned, so no hook stays installed after
 * a failed load. Returns 0 on success.
 *
 * Must be paired with demo_filter_uninit() on unload: a hook left registered
 * would keep pointing at module code that is no longer present.
 */
int demo_filter_init(void)
{
	int idx;
	int err;

	for (idx = 0; idx < ARRAY_SIZE(demo_nf_ops); idx++) {
		err = nf_register_hook(&demo_nf_ops[idx]);
		if (err < 0)
			goto rollback;
	}

	DBGINFO("Demo netfilter driver initialized\n");
	return 0;

rollback:
	/* idx is the entry that failed; undo everything registered before it. */
	while (idx--)
		nf_unregister_hook(&demo_nf_ops[idx]);
	return err;
}
/*
 * Unregister every entry of demo_nf_ops, last entry first.
 *
 * Meant to be called from the module's module_exit function, after a
 * successful demo_filter_init().
 */
void demo_filter_uninit(void)
{
	int idx = ARRAY_SIZE(demo_nf_ops);

	/* Walk the table backwards, mirroring the registration order. */
	while (idx-- > 0)
		nf_unregister_hook(&demo_nf_ops[idx]);

	DBGINFO("Demo netfilter driver uninitialized\n");
}
#include <linux/kernel.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>
#include <asm/uaccess.h>
#include <asm/checksum.h>
/*
 * IPv4 PRE_ROUTING hook: template stub that accepts every packet.
 *
 * Packet contents reaching a netfilter hook are untrusted input. Code added
 * here should validate header lengths (for example with pskb_may_pull())
 * before parsing anything out of the skb.
 *
 * NOTE(review): the 2.6.32 cut-off for the sk_buff ** prototype should be
 * checked against the kernels actually targeted.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
		    const struct net_device *in,
		    const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
		    const struct net_device *in,
		    const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
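/*
 * IPv6 PRE_ROUTING hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file, so that it matches what the .hook slot of demo_nf_ops expects
 * on either side of the guard. With a mismatched prototype, filtering code
 * added later would dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_pre_routing_ipv6(unsigned int hook, struct sk_buff *skb,
			 const struct net_device *in,
			 const struct net_device *out,
			 int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_pre_routing_ipv6(unsigned int hook, struct sk_buff **pskb,
			 const struct net_device *in,
			 const struct net_device *out,
			 int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}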
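/*
 * IPv4 LOCAL_IN hook: logs the packet length, hex-dumps the packet starting
 * at its MAC header, then accepts it.
 *
 * The dump is a debugging aid only. It copies packet bytes (payload included)
 * into whatever sink DBGHEX writes to, so it should stay disabled outside of
 * development builds.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_in(unsigned int hook, struct sk_buff *skb,
		 const struct net_device *in,
		 const struct net_device *out,
		 int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_in(unsigned int hook, struct sk_buff **pskb,
		 const struct net_device *in,
		 const struct net_device *out,
		 int (*okfn)(struct sk_buff *))
#endif
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 32)
	/* The older prototype only has pskb; the body below needs the skb. */
	struct sk_buff *skb = *pskb;
#endif
	/*
	 * skb->len also counts bytes stored in page fragments, which do not
	 * follow the header area in memory. Dumping mac_len + len bytes from
	 * the MAC header would read past the linear buffer for such packets,
	 * so the dump is capped at the linear part.
	 * Assumes skb->data sits mac_len bytes after the MAC header at this
	 * hook -- TODO confirm for the target kernel.
	 */
	unsigned int dump_len = skb->mac_len + skb_headlen(skb);

	/* Both operands are unsigned, hence %u rather than %d. */
	DBGDBG("entered, packet len: %u\n", skb->len + skb->mac_len);
	/*
	 * skb_mac_header() yields a real pointer; the raw mac_header field is
	 * an offset on some configurations.
	 * DBGHEX is defined elsewhere; assumed to take (pointer, byte count).
	 */
	DBGHEX(skb_mac_header(skb), dump_len);
	return NF_ACCEPT;
}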
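/*
 * IPv6 LOCAL_IN hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_in_ipv6(unsigned int hook, struct sk_buff *skb,
		      const struct net_device *in,
		      const struct net_device *out,
		      int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_in_ipv6(unsigned int hook, struct sk_buff **pskb,
		      const struct net_device *in,
		      const struct net_device *out,
		      int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}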
/*
 * IPv4 FORWARD hook: template stub that accepts every packet.
 *
 * Packets seen here are being routed through the host, not delivered to it.
 * Any parsing added later must bounds-check the headers first, since the
 * contents come from the network.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_forward(unsigned int hook, struct sk_buff *skb,
		const struct net_device *in,
		const struct net_device *out,
		int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_forward(unsigned int hook, struct sk_buff **pskb,
		const struct net_device *in,
		const struct net_device *out,
		int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
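/*
 * IPv6 FORWARD hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_forward_ipv6(unsigned int hook, struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_forward_ipv6(unsigned int hook, struct sk_buff **pskb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}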
/*
 * IPv4 LOCAL_OUT hook: template stub that accepts every packet.
 *
 * Intended as the extension point for egress checks on traffic generated by
 * the local host.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_out(unsigned int hook, struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_out(unsigned int hook, struct sk_buff **pskb,
		  const struct net_device *in,
		  const struct net_device *out,
		  int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
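/*
 * IPv6 LOCAL_OUT hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_local_out_ipv6(unsigned int hook, struct sk_buff *skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_local_out_ipv6(unsigned int hook, struct sk_buff **pskb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}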
/*
 * IPv4 POST_ROUTING hook: template stub that accepts every packet.
 *
 * Intended as the extension point for checks on packets that are about to
 * leave the host, whether forwarded or locally generated.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_post_routing(unsigned int hook, struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
		     const struct net_device *in,
		     const struct net_device *out,
		     int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}
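/*
 * IPv6 POST_ROUTING hook: template stub that accepts every packet.
 *
 * The prototype is chosen with the same version guard as the IPv4 hooks in
 * this file; the unconditional sk_buff ** form did not match the sk_buff *
 * form used on the newer side of the guard. Filtering code added later would
 * otherwise dereference the first packet argument as the wrong type.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
static unsigned int
demo_nf_post_routing_ipv6(unsigned int hook, struct sk_buff *skb,
			  const struct net_device *in,
			  const struct net_device *out,
			  int (*okfn)(struct sk_buff *))
#else
static unsigned int
demo_nf_post_routing_ipv6(unsigned int hook, struct sk_buff **pskb,
			  const struct net_device *in,
			  const struct net_device *out,
			  int (*okfn)(struct sk_buff *))
#endif
{
	/* No filtering yet: hand the packet back to the stack untouched. */
	return NF_ACCEPT;
}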
/*
 * Hook registration table: one entry per (protocol family, hook point) pair.
 * It covers the five hook points for both PF_INET and PF_INET6, ten entries
 * in total. IPv4 entries use NF_IP_PRI_FILTER and IPv6 entries use
 * NF_IP6_PRI_FILTER as their priority.
 *
 * Every hook in this template returns NF_ACCEPT, so loading the module does
 * not restrict any traffic until the hook bodies are filled in.
 *
 * NOTE(review): struct nf_hook_ops and the registration calls changed in
 * later kernels; this table targets the 2.6-era interface -- confirm against
 * the kernel being built for.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
/* Newer branch: hook points use the family-independent NF_INET_* names. */
static struct nf_hook_ops demo_nf_ops[] = {
{.hook = demo_nf_pre_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_pre_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_in_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_forward,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_forward_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_out_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_post_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_post_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
};
#else
/* Older branch: hook points use the per-family NF_IP_* / NF_IP6_* names. */
static struct nf_hook_ops demo_nf_ops[] = {
{.hook = demo_nf_pre_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_pre_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_PRE_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_in_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_forward,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_FORWARD,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_forward_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_FORWARD,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_local_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_local_out_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,},
{.hook = demo_nf_post_routing,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_FILTER,},
{.hook = demo_nf_post_routing_ipv6,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_POST_ROUTING,
.priority = NF_IP6_PRI_FILTER,},
};
#endif
/*
 * Register every entry of demo_nf_ops with netfilter.
 *
 * Meant to be called from the module's module_init function. If one
 * registration fails, the entries registered so far are unregistered again
 * and the negative error code is returned, so no hook stays installed after
 * a failed load. Returns 0 on success.
 *
 * Must be paired with demo_filter_uninit() on unload: a hook left registered
 * would keep pointing at module code that is no longer present.
 */
int demo_filter_init(void)
{
	int idx;
	int err;

	for (idx = 0; idx < ARRAY_SIZE(demo_nf_ops); idx++) {
		err = nf_register_hook(&demo_nf_ops[idx]);
		if (err < 0)
			goto rollback;
	}

	DBGINFO("Demo netfilter driver initialized\n");
	return 0;

rollback:
	/* idx is the entry that failed; undo everything registered before it. */
	while (idx--)
		nf_unregister_hook(&demo_nf_ops[idx]);
	return err;
}
/*
 * Unregister every entry of demo_nf_ops, last entry first.
 *
 * Meant to be called from the module's module_exit function, after a
 * successful demo_filter_init().
 */
void demo_filter_uninit(void)
{
	int idx = ARRAY_SIZE(demo_nf_ops);

	/* Walk the table backwards, mirroring the registration order. */
	while (idx-- > 0)
		nf_unregister_hook(&demo_nf_ops[idx]);

	DBGINFO("Demo netfilter driver uninitialized\n");
}