Linux netfilterÔ´Âë·ÖÎö(2)

תÌù×Ôhttp://alexanderlaw.blog.hexun.com/8968771_d.html
¶þ¡¢ipt_tableÊý¾Ý½á¹¹ºÍ±íµÄ³õʼ»¯
 
2.1  include/linux/netfilter_ipv4/ip_tables.h   struct  ipt_table ±í½á¹¹
struct ipt_table
{
struct list_head list;
/* ±íÁ´ */
char name[IPT_TABLE_MAXNAMELEN];
/* ±íÃû£¬Èç"filter"¡¢"nat"µÈ£¬ÎªÁËÂú×ã×Ô¶¯Ä£¿é¼ÓÔصÄÉè¼Æ£¬°üº¬¸Ã±íµÄÄ£¿éÓ¦ÃüÃûΪiptable_'name'.o */
struct ipt_replace *table;
/* ±íÄ£×Ó£¬³õʼΪinitial_table.repl */
unsigned int valid_hooks;
/* λÏòÁ¿£¬±êʾ±¾±íËùÓ°ÏìµÄHOOK */
rwlock_t lock;
/* ¶ÁдËø£¬³õʼΪ´ò¿ª×´Ì¬ */
struct ipt_table_info *private;
/* iptableµÄÊý¾ÝÇø£¬¼ûÏ */
struct module *me;
/* ÊÇ·ñÔÚÄ£¿éÖж¨Òå */
};
 
 
 
2.2  struct ipt_table_infoÊÇʵ¼ÊÃèÊö±íµÄÊý¾Ý½á¹¹ ip_tables.c
struct ipt_table_info
{
unsigned int size;
/* ±í´óС */
unsigned int number;
/* ±íÖеĹæÔòÊý */
unsigned int initial_entries;
/* ³õʼµÄ¹æÔòÊý£¬ÓÃÓÚÄ£¿é¼ÆÊý */
unsigned int hook_entry[NF_IP_NUMHOOKS];
/* ¼Ç¼ËùÓ°ÏìµÄHOOKµÄ¹æÔòÈë¿ÚÏà¶ÔÓÚÏÂÃæµÄentries±äÁ¿µÄÆ«ÒÆÁ¿ */
unsigned int underflow[NF_IP_NUMHOOKS];
/* Óëhook_entryÏà¶ÔÓ¦µÄ¹æÔò±íÉÏÏÞÆ«ÒÆÁ¿£¬µ±ÎÞ¹æÔò¼Èëʱ£¬ÏàÓ¦µÄhook_entryºÍunderflow¾ùΪ0 */
char entries[0] ____cacheline_aligned;
/* ¹æÔò±íÈë¿Ú */
};
 
2.3   include/linux/netfilter_ipv4  ¹æÔòÓÃstruct ipt_entry½á¹¹±íʾ£¬°üº¬Æ¥ÅäÓõÄIPÍ·²¿·Ö¡¢Ò»¸öTargetºÍ0¸ö»ò¶à¸öMatch¡£ÓÉÓÚMatchÊý²»¶¨£¬ËùÒÔÒ»Ìõ¹æÔòʵ¼ÊµÄÕ¼ÓÿռäÊǿɱäµÄ¡£½á¹¹¶¨ÒåÈçÏÂ
 
struct ipt_entry
{
struct ipt_ip ip;
/* ËùҪƥÅäµÄ±¨ÎĵÄIPÍ·ÐÅÏ¢ */
unsigned int nfcache;
/* λÏòÁ¿£¬±êʾ±¾¹æÔò¹ØÐı¨ÎĵÄʲô²¿·Ö£¬ÔÝδʹÓà */
u_int16_t target_offset;
/* targetÇøµÄÆ«ÒÆ£¬Í¨³£targetÇøλÓÚmatchÇøÖ®ºó£¬¶ømatchÇøÔòÔÚipt_entryµÄĩβ£»
³õʼ»¯Îªsizeof(struct ipt_entry)£¬¼´¼Ù¶¨Ã»ÓÐmatch */
u_int16_t next_offset;
/* ÏÂÒ»Ìõ¹æÔòÏà¶ÔÓÚ±¾¹æÔòµÄÆ«ÒÆ£¬Ò²¼´±¾¹æÔòËùÓÿռäµÄ×ܺͣ¬
³õʼ»¯Îªsizeof(struct ipt_entry)+sizeof(struct ipt_target)£¬¼´Ã»ÓÐmatch */
unsigned int comefrom;
/* ¹æÔò·µ»Øµã£¬±ê¼Çµ÷Óñ¾¹æÔòµÄHOOKºÅ£¬¿ÉÓÃÓÚ¼ì²é¹æÔòµÄ