Netfilter 之 table、rule、match、target

概述

本文主要分析table，rule，match，target的作用和其数据结构之间的关系，为后面的匹配流程做铺垫，通过本文中代码流程的分析，可以得到如下的关系图：

详细分析

table

iptables分为五种：

filter:This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

mangle:This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw:This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

security:This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).

在net结构中的成员struct netns_xt xt，是用来存储所有table的，

 struct net {
 #ifdef CONFIG_NETFILTER
     struct netns_nf        nf;
     struct netns_xt        xt;
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
     struct netns_ct        ct;
 #endif
 #if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
     struct netns_nftables    nft;
 #endif
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
     struct netns_nf_frag    nf_frag;
 #endif
     struct sock        *nfnl;
     struct sock        *nfnl_stash;
 #if IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT)
     struct list_head        nfnl_acct_list;
 #endif
 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
     struct list_head    nfct_timeout_list;
 #endif
 };

netns_xt结构的成员如下，其中tables存储了多种协议对应的table链表，每种协议对应一个链表，多种table存储在自己所属协议的链表上；

 struct netns_xt {
     struct list_head tables[NFPROTO_NUMPROTO];
     bool notrack_deprecated_warning;
     bool clusterip_deprecated_warning;
 #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
     defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
     struct ebt_table *broute_table;
     struct ebt_table *frame_filter;
     struct ebt_table *frame_nat;
 #endif
 };

接下来，再来看下table结构，定义每个具体类型的table：

 /* 对应iptables表，定义表的通用信息 */
 struct xt_table {
     struct list_head list;

     /* What hooks you will enter on */
     /* 该表关注的钩子点 */
     unsigned int valid_hooks;

     /* Man behind the curtain... */
     /* 私有数据，真正的规则，指向xt_table_info */
     struct xt_table_info *private;

     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
     /* 模块名 */
     struct module *me;

     /* 协议族 */
     u_int8_t af;        /* address/protocol family */
     /* 优先级 */
     int priority;        /* hook order */

     /* called when table is needed in the given netns */
     int (*table_init)(struct net *net);

     /* A unique name... */
     /* 表名称 */
     const char name[XT_TABLE_MAXNAMELEN];
 };

xt_table的private成员又指向了xt_table_info结构，存储真正的规则相关信息，包括入口和偏移；

 struct xt_table_info {
     /* Size per table */
     /* 表大小，占用的内存空间 */
     unsigned int size;
     /* Number of entries: FIXME. --RR */
     /* 表中规则数量 */
     unsigned int number;
     /* Initial number of entries. Needed for module usage count */
     /* 初始的规则数量，用于模块计数 */
     unsigned int initial_entries;

     /* Entry points and underflows */
     /* 钩子规则入口，相对于下面的entries偏移量 */
     unsigned int hook_entry[NF_INET_NUMHOOKS];
     /* 与hook_entry相对应的规则表上限偏移量，当无规则录入时，hook_entry和underflow均为0 */
     unsigned int underflow[NF_INET_NUMHOOKS];

     /*
      * Number of user chains. Since tables cannot have loops, at most
      * @stacksize jumps (number of user chains) can possibly be made.
      */
     unsigned int stacksize;
     void ***jumpstack;

     /* 每个cpu的ipt_entry指针，指向ipt_entry的首地址 */
     unsigned char entries[] __aligned();
 };

xt_table_info结构的entries成员指向了匹配规则的入口，入口的每个数组包含了多个rule；

rule

ipt_standard结构对应着一条rule，其中包含ipt_entry+xt_entry_match+xt_standard_target；

 /* Standard entry. */
 struct ipt_standard {
     struct ipt_entry entry;
     struct xt_standard_target target;
 };

rule是规则的整体，下面分别介绍规则中的每个成员：

match

用于规则匹配，其中分为标准match和扩展match；

标准match通过匹配ipt_entry->ip成员进行，主要是ip中包含的地址，接口，协议信息等；

扩展match通过xt_entry_match成员进行，是标准match的扩展，通常以模块或者插件形式存在；

ipt_entry是一条规则的入口，其首部包含标准match结构，其余字段存储了target偏移，下一个ipt_entry的偏移，扩展match入口等：

 struct ipt_entry {
     struct ipt_ip ip;

     /* Mark with fields that we care about. */
     unsigned int nfcache;

     /* Size of ipt_entry + matches */
     /* 规则中的target相对于该ipt_entry首地址的偏移 */
     __u16 target_offset;
     /* Size of ipt_entry + matches + target */
     /* 下一个规则相对于该ipt_entry首地址的偏移 */
     __u16 next_offset;

     /* Back pointer */
     /*
         判断table表中的规则链是否存在环路，
         或 遍历规则链时用于用户自定义链的规则执行完时返回到主链时候使用
      */
     unsigned int comefrom;

     /* Packet and byte counters. */
     struct xt_counters counters;

     /* The matches (if any), then the target. */
     /*
         match(es)与ipt_netry是连续的，这里用于动态扩展match的内存
     */
     unsigned char elems[];
 };

ipt_entry中包含ipt_ip结构，用于标准match，匹配内容为源目的地址，入出口设备，协议等，其结构如下：

 /* 标准匹配 */
 struct ipt_ip {
     /* Source and destination IP addr */
     /* 源目的地址 */
     struct in_addr src, dst;
     /* Mask for src and dest IP addr */
     /* 源目的掩码 */
     struct in_addr smsk, dmsk;
     /* 入口出口设备 */
     char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
     /* 入口出口设备掩码 */
     unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

     /* Protocol, 0 = ANY */
     /* 协议号 */
     __u16 proto;

     /* Flags word */
     __u8 flags;
     /* Inverse flags */
     /* 是否是反转匹配 */
     __u8 invflags;
 };

xt_entry_match紧接着ipt_entry，可能有多个，用于扩展match；

 struct xt_entry_match {
     union {
         struct {
             /* 该match所占用的内存大小 */
             __u16 match_size;

             /* Used by userspace */
             /* match名称 */
             char name[XT_EXTENSION_MAXNAMELEN];
             /* match版本 */
             __u8 revision;
         } user;
         struct {
             __u16 match_size;

             /* Used inside the kernel */
             struct xt_match *match;
         } kernel;

         /* Total length */
         __u16 match_size;
     } u;

     /* 下一个match关联 */
     unsigned char data[];
 };

target

在某条规则匹配之后，执行的动作；也分为标准target和扩展target；

标准target：t->u.kernel.target->target为NULL，则为标准target，根据verdict返回值决定如何进行下一步处理；

扩展target：t->u.kernel.target->target不为NULL，则为扩展target，这时候需要执行该target函数；

xt_standard_target对xt_entry_target成员进行了封装，增加了verdict，该字段用于返回处理结果给Netfilter；

 struct xt_standard_target {
     struct xt_entry_target target;
     int verdict;
 };

xt_entry_target结构的定义与match的形式几乎是一致的；

 struct xt_entry_target {
     union {
         struct {
             __u16 target_size;

             /* Used by userspace */
             char name[XT_EXTENSION_MAXNAMELEN];
             __u8 revision;
         } user;
         struct {
             __u16 target_size;

             /* Used inside the kernel */
             struct xt_target *target;
         } kernel;

         /* Total length */
         __u16 target_size;
     } u;

     unsigned char data[];
 };