bridge-nf-call-iptables
来源:互联网 发布:yyf的淘宝店是哪个 编辑:程序博客网 时间:2024/06/10 13:26
static int __init br_init(void)
{
...
/* 网桥HOOK点注册 */
err = br_netfilter_init();
if (err)
goto err_out1;
...
/* 网桥处理接口 */
br_handle_frame_hook = br_handle_frame;
...
}
int __init br_netfilter_init(void)
{
int ret;
ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
...
return 0;
}
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
{ .hook = br_nf_pre_routing,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_PRE_ROUTING,
.priority = NF_BR_PRI_BRNF, },
{ .hook = br_nf_local_in,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_LOCAL_IN,
.priority = NF_BR_PRI_BRNF, },
{ .hook = br_nf_forward_ip,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_BRNF - 1, },
{ .hook = br_nf_forward_arp,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_BRNF, },
{ .hook = br_nf_local_out,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_FIRST, },
{ .hook = br_nf_post_routing,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_POST_ROUTING,
.priority = NF_BR_PRI_LAST, },
{ .hook = ip_sabotage_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_FIRST, },
{ .hook = ip_sabotage_in,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FIRST, },
};
http://blog.csdn.net/matt_mao/article/details/18702455
可以通过以下proc查看kernel是否开启了bridge-nf-call-iptables:
# cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
这个proc是定义在以下位置:
net/bridge/br_netfilter.c
985 static ctl_table brnf_table[] = {...
993 {
994 .procname = "bridge-nf-call-iptables",
995 .data = &brnf_call_iptables,
996 .maxlen = sizeof(int),
997 .mode = 0644,
998 .proc_handler = brnf_sysctl_call_tables,
999 },
在桥的NF_BR_PRE_ROUTING处理函数中,会根据brnf_call_iptables的值判断是否需要去过一下iptables的NF_INET_PRE_ROUTING的hock点
net/bridge/br_netfilter.c
552 static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
553 const struct net_device *in,
554 const struct net_device *out,
555 int (*okfn)(struct sk_buff *))
556 {
...
572 #ifdef CONFIG_SYSCTL
// 在桥的处理中是否需要call iptables
573 if (!brnf_call_iptables)
574 return NF_ACCEPT;
575 #endif
576
// ip头的基本检查和ip_rcv做的动作类似
577 if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
578 !IS_PPPOE_IP(skb))
579 return NF_ACCEPT;
580
581 nf_bridge_pull_encap_header_rcsum(skb);
582
583 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
584 goto inhdr_error;
585
586 iph = ip_hdr(skb);
587 if (iph->ihl < 5 || iph->version != 4)
588 goto inhdr_error;
589
590 if (!pskb_may_pull(skb, 4 * iph->ihl))
591 goto inhdr_error;
592
593 iph = ip_hdr(skb);
594 if (ip_fast_csum((__u8 *) iph, iph->ihl) != 0)
595 goto inhdr_error;
596
597 len = ntohs(iph->tot_len);
598 if (skb->len < len || len < 4 * iph->ihl)
599 goto inhdr_error;
600
601 pskb_trim_rcsum(skb, len);
602
603 /* BUG: Should really parse the IP options here. */
604 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
605
606 nf_bridge_put(skb->nf_bridge);
607 if (!nf_bridge_alloc(skb))
608 return NF_DROP;
609 if (!setup_pre_routing(skb))
610 return NF_DROP;
611 store_orig_dstaddr(skb);
612
// 进入iptables的NF_INET_PRE_ROUTING
613 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
614 br_nf_pre_routing_finish);
615
616 return NF_STOLEN;
617
618 inhdr_error:
619 // IP_INC_STATS_BH(IpInHdrErrors);
620 out:
621 return NF_DROP;
622 }
- bridge-nf-call-iptables
- net.bridge.bridge-nf-call-iptables=1
- 关于bridge-nf-call-iptables的设计问题
- Kernel Source片段 -- bridge-nf-call-iptables的处理
- 关于bridge-nf-call-iptables的设计问题
- net.bridge.bridge-nf-call-iptables对Netfilter中数据包的影响
- iptables & physdev-is-in & physdev-is-out -- net.bridge.bridge-nf-call-iptables对Netfilter中数据包的影响
- docker安装完成后碰到如下警告:bridge-nf-call-iptables is disabled
- Docker容器启动报WARNING: IPv4 forwarding is disabled.bridge-nf-call-iptables is disabled
- docker1.8.2 在centos7 中docker info报错docker bridge-nf-call-iptables is disabled解决办法
- bridge-nf
- linux sysctl -p 报error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- linux sysctl -p 报error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- linux sysctl -p 报error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- linux sysctl -p 报error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- sysctl -p net.bridge.bridge-nf-call-ip6tables" is an unknown key 问题的解决。。
- error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
- [shell]shell-for语句总结
- Android 跨应用程序访问窗口知识点总结
- Objective-C的动态特性
- 怎么使float保留精确小数
- spring和hibernate整合、spring和jdbc整合 配置文件
- bridge-nf-call-iptables
- 一段PHP版本的lambda实现
- ArrayList、Iterator的remove方法
- [博弈dp] hdu 4778 Gems Fight!
- Eclipse轻松玩转SmartFramework
- 基于Linux的 线程的简单应用
- 为什么要用非关系型数据库
- disconnected no supported authentication methods available(server sent: publickey,keyboard interae)
- JAVA程序实现 maven本地jar包安装
