Can multiple kernel modules use the same netfilter hook without affecting each other?

1
votes

I'm developing a kernel module that will use netfilter hooks to mangle/filter packets in various ways, however in doing so I would like to avoid bypassing anything else using that hook (such as iptables), so that my module doesn't interfere with the regular operation of them. My research thus far hasn't yielded any information on how multiple services/modules accessing the same hook would interact.

Is this possible (perhaps it already happens automatically), and if so, can I set the order in which services/modules are triggered by the hook?

1
linux-kernelkernel-modulenetfilter
Can you show some code? I used ebtables one time long ago, but if I get a chance to look at the code, I may be able to figure something out. Ideally, you would need to post a complete kernel module that installs the hook (but the hook doesn't need to actually do anything).Shahbaz
Thanks for the suggestion Shahbaz. I haven't coded anything at this stage, but am trying to get an idea of whether this is possible, or whether I'll need to do something in userspace instead. I'll be sure post some code when I get some up and running if nothing else pops up in the mean time. Again, thanks for the help.Ian
I see. Does the netfilter support multiple hooks for a specific event or a single one? In the earlier case, there should logically be a way to install your hook "before" or "after" the other hooks or something like that. In the later case, there should logically be a way to get the old handler so you can call it yourself (something like this: old_handler = install_my_handler(my_handler); and later in my_handler you call old_handler either right at the beginning of right in the end. These are just speculations though, without seeing code I can't tell.Shahbaz

1 Answers

3
votes

As you know, the hooks are just places in the TCP/IP stack that you can insert some functions to do whatever with the skbs. Each function usually return one of the following (see include/uapi/linux/netfilter.h)

  • NF_DROP ----- This is the end of this skb. Drop this skb and do not pass it to rest of hooks (and of course higher layers).
  • NF_ACCEPT -- I am done with this skb, forward the skb to the next hook
  • NF_STOLEN -- I hijacked this skb (the module queued the skb for later processing)

IPtables uses these hooks to implement the required firewall rules. You can of course exist with IPtables (and any other hooks), but if for some reason your function is called before IPtables hooks and returns NF_DROP, the skb will not be forwarded to IPtables. On the other hand, if you always return NF_ACCEPT, then IPtables and other hooks in the system will not be affected at all.

As for the order of the hooks, the following priorities are used when the netfilter system traverses the hooks (from include/uapi/linux/netfilter_ipv4.h):

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST = INT_MIN,
    NF_IP_PRI_CONNTRACK_DEFRAG = -400,
    NF_IP_PRI_RAW = -300,
    NF_IP_PRI_SELINUX_FIRST = -225,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_NAT_DST = -100, 
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_SECURITY = 50,
    NF_IP_PRI_NAT_SRC = 100,
    NF_IP_PRI_SELINUX_LAST = 225,
    NF_IP_PRI_CONNTRACK_HELPER = 300,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
    NF_IP_PRI_LAST = INT_MAX,};

This means that IPtables mangle table hooks will be executed before FILTER hooks. You can use any of these values or your own when you register with nf_register_hooks().