linuxÄÚºËnetfilterµÄʵÏÖÒÔ¼°ipset

netfilterµÄʵÏÖ»úÖÆ»ùÓÚËĸö²ã´ÎµÄÆ¥Å䣬Êý¾Ý°üÔÚÿ¸ö²ã´Î¶¼Òª¾­¹ýÒ»¸ö¹ýÂËÁ´±í£¬µÚÒ»¸ö²ã´Î¾ÍÊÇhook£¬ÖÚËùÖÜÖªlinuxÄÚºËÖÐÒ»¹²ÓµÓÐ5¸öhooks£¬µ±È»ÄãÒ²¿ÉÒÔ×Ô¼ºÐÞ¸ÄÄÚºËÔÚÈκεط½Ìí¼Óhook£»µÚ¶þ¸ö²ã´Î¾ÍÊÇÿ¸öhookÏÂÃæµÄtables£¬Ã¿Ò»¸öhook¶¼¹ý¹ÒÔØÁã¸ö»òÕßÈô¸É¸ötables£¬Êý¾Ý°üÒªÒ»¸öÒ»¸ö¾­¹ýÕâЩtables£»µÚÈý¸ö²ã´Î¾ÍÊÇrule£¬Ã¿¸ötableÏÂÃæÓµÓÐÁã¸ö»òÕßÈô¸É¸örule£¬Êý¾Ý°üÒªÒÀ´Î¾­¹ýÕâЩrules£¬Ö»ÒªÓÐÒ»¸örule¶ÔÊý¾Ý°ü½øÐÐÁ˲þö£¬ÄÇô½«²»ÔÙ¾­¹ý¸ÃhookµÄ¸ÃtableµÄ¶ÔÓ¦ruleµÄºóÃærules£»µÚËĸö²ã´ÎÊÇmatchs£¬ºÍrulesµÄ±éÀúÕýºÃÏà·´£¬Êý¾Ý°üÖ»ÓÐÔÚ¶ÔÓ¦ruleÏÂÃæµÄËùÓеÄmatchs¶¼Æ¥Åäºó²ÅËãÆ¥Åä¡£
     ÔÚÄÚºËÖУ¬netfilterÊÇÓÉÏÂÃæ4¸öºËÐĽṹÌåÖ§³ÅÆðÀ´µÄ£º
struct xt_table_info
{
    unsigned int size;
    unsigned int number;
    unsigned int initial_entries;
    unsigned int hook_entry[NF_IP_NUMHOOKS];
    unsigned int underflow[NF_IP_NUMHOOKS];
    char *entries[NR_CPUS];
};
entries[cpu]Ö¸ÏòÁËÒ»¸öipt_entryÊý×飬¸ÃÊý×éµÄÄÚ´æ×éÖ¯ÐÎʽÊÇƽ̹µÄ£¬Í¨¹ýipt_entryµÄnext_offset×ֶνøÐбéÀú£º
struct ipt_entry
{
    struct ipt_ip ip;
    unsigned int nfcache;
    u_int16_t target_offset;
    u_int16_t next_offset;
    unsigned int comefrom;
    struct xt_counters counters;
    unsigned char elems[0];
};
elemsÖ¸ÏòÁËÒ»¿éƽ̹ÄÚ´æģʽµÄ£¬°üº¬ÁËÈô¸É¸ömatchsºÍÒ»¸ötarget£¬targetͨ¹ýtarget_offsetÀ´¶¨Î»£¬¸÷¸ömatchsÕýÈçÉÏÃæËù˵£¬Í¨¹ýnext_offsetÀ´½øÐбéÀúµÄ£º
struct xt_entry_match
{
    union {
        struct {
            u_int16_t match_size;
            char name[XT_FUNCTION_MAXNAMELEN-1];
            u_int8_t revision;
        } user;
        struct {
&nbs