Netfilter hook registration with networking sub system

3
votes

While exploring netfilter functionality I tried to write a simple netfilter module and registered a hook as follows:

    dhcp_nfho.owner             = THIS_MODULE;
    dhcp_nfho.hook              = dhcp_hook_function;
    dhcp_nfho.hooknum           = NF_INET_POST_ROUTING;
    dhcp_nfho.priority          = NF_IP_PRI_FIRST;
    dhcp_nfho.pf            = PF_INET; // not on bridge interface
    nf_register_hook(&dhcp_nfho);

I looked into the code of nf_register_hook in the LXR page: (3.13 version)

int nf_register_hook(struct nf_hook_ops *reg)
 69 {
 70         struct nf_hook_ops *elem;
 71         int err;
 72 
 73         err = mutex_lock_interruptible(&nf_hook_mutex);
 74         if (err < 0)
 75                 return err;
 76         list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
 77                 if (reg->priority < elem->priority)
 78                         break;
 79         }
 80         list_add_rcu(&reg->list, elem->list.prev);
 81         mutex_unlock(&nf_hook_mutex);
 82 #if defined(CONFIG_JUMP_LABEL)
 83         static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
 84 #endif
 85         return 0;
 86 }

What is this 2D linked list nf_hooks[PF][hooknum]. It looks like for each protocol family there is a list of PRE/INPUT/FORWARD/OUTPUT/POST hooks?

How is this 2D array used by the netfilter sub system ?

And is the netfilter subsystem code interacting with the network driver code? (since the hooks are processed in Soft-irq and the network driver also uses soft-irq's to process the packets)?

Where can I find the code that invokes the Netfilter Hooks once a packet is recvd by the driver?

1
linuxlinux-kernelnetwork-programmingkernel-modulenetfilter

1 Answers

3
votes

You are correct. For each protocol family, there is indeed a list of hooks, which are actually set by the PF itself (eg. NFPROTO_BRIDGE has a BROUTE hooklist, but neither IPv4 or IPv6 does).

When a packet comes in to a logical network interface (ethernet bridge, ethernet interface, etc), it will get passed around the stack. If it is an IPv4 packet, it eventually ip_rcv() will get called. This will call the NF_INET_PRE_ROUTING hooks before continuing on to the packet routing proper. Similarly, ip_output calls the NF_INET_POST_ROUTING hooks before actually sending the packet on its way.

Putting the Netfilter hooks into the main networking code allows the network interface drivers themselves to be blissfully ignorant of the whole process.

To get a better idea of how this all flows, check out http://lxr.free-electrons.com/source/net/ipv4/ip_input.c and http://lxr.free-electrons.com/source/net/ipv4/ip_output.c. You'll see the NF_HOOK and NF_HOOK_COND macros being called when packets transition to different layers, etc.