Linux netfilterÔ´Âë·ÖÎö(1)

תÌù×Ô:http://alexanderlaw.blog.hexun.com/8960896_d.html
Linux netfilterÔ´Âë·ÖÎö(1)
ÄÚÈÝ»ù±¾ÉÏÀ´×ÔÁ½ÆªÎÄÕÂ:
¡¶NetfilterÔ´Âë·ÖÎö¡·—£¨¶À¹Â¾Å¼úhttp://www.skynet.org.cn/index.php£©
¡¶Linux NetfilterʵÏÖ»úÖƺÍÀ©Õ¹¼¼Êõ¡·——£¨ÑîɳÖÞ ¹ú·À¿Æ¼¼´óѧ¼ÆËã»úѧԺ£©
Ò»¡¢   IP±¨ÎĵĽÓÊÕµ½hookº¯ÊýµÄµ÷ÓÃ
 
1.1  ip_input.c    ip_rcv()º¯Êý
ÒÔ½ÓÊÕµ½µÄ±¨ÎÄΪÀý£¬ÀàËƵĻ¹ÓÐip_forward(ip_forward.c)ºÍip_output(ip_output.c)
int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
{
    struct iphdr *iph;   //¶¨ÒåÒ»¸öip±¨ÎĵÄÊý¾Ý±¨Í·
    u32 len;
    if (skb->pkt_type == PACKET_OTHERHOST)
       goto drop;  //Êý¾Ý°ü²»ÊÇ·¢¸øÎÒÃǵÄ
    IP_INC_STATS_BH(IPSTATS_MIB_INRECEIVES); //ÊÕµ½Êý¾Ý°üͳ¼ÆÁ¿¼Ó1
    if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
   {
/* Èç¹ûÊý¾Ý±¨Êǹ²ÏíµÄ£¬Ôò¸´ÖÆÒ»¸ö³öÀ´£¬´Ëʱ¸´Öƶø³öµÄÒѾ­ºÍsocketÍÑÀëÁ˹Øϵ */
      IP_INC_STATS_BH(IPSTATS_MIB_INDISCARDS);
      goto out;
   }
   if (!pskb_may_pull(skb, sizeof(struct iphdr)))
     goto inhdr_error;  //¶ÔÊý¾Ý±¨µÄÍ·³¤¶È½øÐмì²é£¬
 
   iph = skb->nh.iph;  //È¡µÃÊý¾Ý±¨µÄÍ·²¿Î»ÖÃ
  if (iph->ihl < 5 || iph->version != 4)  //°æ±¾ºÅ»òÕßÍ·³¤¶È²»¶Ô£¬
    goto inhdr_error; //Í·³¤¶ÈÊÇÒÔ4×Ö½ÚΪµ¥Î»µÄ£¬ËùÒÔ5±íʾµÄÊÇ20×Ö½Ú
  if (!pskb_may_pull(skb, iph->ihl*4))
    goto inhdr_error;
 
  if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
     goto inhdr_error; //¼ì²é±¨ÎĵļìÑéºÍ×Ö¶Î
  len = ntohs(iph->tot_len);
 if (skb->len < len || len < (iph->ihl*4))
    goto inhdr_error; //Õû¸ö±¨Îij¤¶È²»¿ÉÄܱȱ¨Í·³¤¶ÈС
 if (pskb_tr