[ת]Linux NetfilterʵÏÖ»úÖƺÍÀ©Õ¹¼¼Êõ

Linux NetfilterʵÏÖ»úÖƺÍÀ©Õ¹¼¼Êõ
 
 
¼¶±ð£º ³õ¼¶
ÑîɳÖÞ
(pubb@163.net
)¹ú·À¿Æ¼¼´óѧ¼ÆËã»úѧԺ
2003 Äê 3 ÔÂ 01 ÈÕ
http://www.ibm.com/developerworks/cn/linux/l-ntflt/
2.4.xµÄÄÚºËÏà¶ÔÓÚ2.2.xÔÚIPЭÒéÕ»²¿·ÖÓбȽϴóµÄ¸Ä¶¯£¬
Netfilter-iptables¸üÊÇÆäÒ»´óÌØÉ«£¬ÓÉÓÚËü¹¦ÄÜÇ¿´ó£¬²¢ÇÒÓëÄÚºËÍêÃÀ½áºÏ£¬Òò´ËѸËÙ³ÉΪLinuxƽ̨ϽøÐÐÍøÂçÓ¦ÓÃÀ©Õ¹µÄÖ÷ÒªÀûÆ÷£¬
ÕâЩÀ©Õ¹²»½ö°üÀ¨·À»ðǽµÄʵÏÖ--ÕâÖ»ÊÇNetfilter-iptablesµÄ»ù±¾¹¦ÄÜ--»¹°üÀ¨¸÷ÖÖ±¨ÎÄ´¦Àí¹¤×÷£¨È籨ÎļÓÃÜ¡¢±¨ÎÄ·ÖÀàͳ¼ÆµÈ£©£¬Éõ
ÖÁ»¹¿ÉÒÔ½èÖúNetfilter-iptables»úÖÆÀ´ÊµÏÖÐéÄâרÓÃÍø£¨VPN£©¡£±¾ÎĽ«ÖÂÁ¦ÓÚÉîÈëÆÊÎöNetfilter-iptablesµÄ×éÖ¯½á
¹¹£¬²¢Ïêϸ½éÉÜÈçºÎ¶ÔÆä½øÐÐÀ©Õ¹¡£NetfilterÄ¿Ç°ÒÑÔÚARP¡¢IPv4ºÍIPv6ÖÐʵÏÖ£¬¿¼Âǵ½IPv4ÊÇÄ¿Ç°ÍøÂçÓ¦ÓõÄÖ÷Á÷£¬±¾ÎĽö¾ÍIPv4
µÄNetfilterʵÏÖ½øÐзÖÎö¡£
ÒªÏëÀí½âNetfilterµÄ¹¤×÷Ô­Àí£¬±ØÐë´Ó¶ÔLinux IP±¨ÎÄ´¦ÀíÁ÷³ÌµÄ·ÖÎö¿ªÊ¼£¬NetfilterÕýÊǽ«×Ô¼º½ôÃܵع¹½¨ÔÚÕâÒ»Á÷³ÌÖ®Öеġ£
1£® IP Packet Flowing
IP
ЭÒéÕ»ÊÇLinux²Ù×÷ϵͳµÄÖ÷Òª×é³É²¿·Ö£¬Ò²ÊÇLinuxµÄÌØÉ«Ö®Ò»£¬ËØÒÔ¸ßЧÎȶ¨Öø³Æ¡£NetfilterÓëIPЭÒéÕ»ÊÇÃÜÇнáºÏÔÚÒ»ÆðµÄ£¬ÒªÏëÀí½â
NetfilterµÄ¹¤×÷·½Ê½£¬±ØÐëÀí½âIPЭÒéÕ»ÊÇÈçºÎ¶Ô±¨ÎĽøÐд¦ÀíµÄ¡£ÏÂÃ潫ͨ¹ýÒ»¸ö¾­ÓÉIP
Tunnel´«ÊäµÄTCP±¨ÎĵÄÁ÷¶¯Â·¾¶£¬¼òÒª½éÉÜÒ»ÏÂIPv4ЭÒéÕ»£¨IP²ã£©µÄ½á¹¹ºÍ±¨ÎÄ´¦Àí¹ý³Ì¡£
IP TunnelÊÇ2.0.xÄں˾ÍÒѾ­ÌṩÁ˵ÄÐéÄâ¾ÖÓòÍø¼¼Êõ£¬ËüÔÚÄÚºËÖн¨Á¢Ò»¸öÐéÄâµÄÍøÂçÉ豸£¬½«Õý³£µÄ±¨ÎÄ£¨µÚ¶þ²ã£©·â×°ÔÚIP±¨ÎÄÖУ¬ÔÙͨ¹ýTCP/IPÍøÂç½øÐд«ËÍ¡£Èç¹ûÔÚÍø¹ØÖ®¼ä½¨Á¢IP Tunnel£¬²¢ÅäºÏARP±¨ÎĵĽâÎö£¬¾Í¿ÉÒÔʵÏÖÐéÄâ¾ÖÓòÍø¡£
ÎÒÃÇ´Ó±¨ÎĽøÈëIP TunnelÉ豸׼±¸·¢ËÍ¿ªÊ¼¡£
1.1±¨ÎÄ·¢ËÍ
ipipÄ£¿é´´½¨tunnelÉ豸£¨É豸ÃûΪtunl0~tunlx£©Ê±£¬ÉèÖñ¨ÎÄ·¢Ëͽӿڣ¨hard_start_xmit£©Îªipip_tunnel_xmit()£¬Á÷³Ì¼ûÏÂͼ£º


ͼ1 ±¨ÎÄ·¢ËÍÁ÷³Ì

1.2 ±¨ÎĽÓÊÕ
±¨ÎĽÓÊÕ´ÓÍø¿¨Çý¶¯³ÌÐò¿ªÊ¼£¬µ±Íø¿¨ÊÕµ½Ò»¸ö±¨ÎÄʱ£¬»á²úÉúÒ»¸öÖжϣ¬ÆäÇý¶¯³ÌÐòÖеÄÖжϷþÎñ³ÌÐò½«µ÷ÓÃÈ·¶¨µÄ½ÓÊÕº¯ÊýÀ´´¦Àí¡£ÒÔÏÂÈÔÒÔIP Tunnel±¨ÎÄΪÀý£¬Íø¿¨Çý¶¯³ÌÐòΪde4x5¡£Á÷³Ì·Ö³ÉÁ½¸ö½×¶Î£ºÇý¶¯³ÌÐòÖжϷþÎñ³ÌÐò½×¶ÎºÍIPЭÒéÕ»´¦Àí½×¶Î£¬¼ûÏÂͼ£º


ͼ2 ±¨ÎĽÓÊÕÁ÷³ÌÖ®Çý¶¯³ÌÐò½×¶Î




ͼ3 ±¨ÎĽÓÊÕÁ÷³Ì֮ЭÒéÕ»½×¶Î