概述

通过钩子点和优先级的代码追溯,得到如下对应关系图,图中横坐标为钩子点,纵坐标为优先级,每个钩子点上的钩子函数按照优先级排布;

Netfilter 之 钩子函数与钩子点关系图

详细分析

5个钩子点如下所示,在这五个钩子点上的钩子函数按照上面的优先级从小到大排列(数值越小越先执行);

 /* IP Hooks */
/*
 * The five IPv4 hook points, indexed 0..4.  Every hook point carries an
 * ordered list of hook functions; the order is the nf_ip_hook_priorities
 * value each function registers with (smaller runs first).
 * NF_IP_NUMHOOKS is one past the last index — presumably the bound for
 * per-hook tables rather than a hook point of its own.
 */
/* After promisc drops, checksum checks. */
#define NF_IP_PRE_ROUTING 0
/* If the packet is destined for this box. */
#define NF_IP_LOCAL_IN 1
/* If the packet is destined for another interface. */
#define NF_IP_FORWARD 2
/* Packets coming from a local process. */
#define NF_IP_LOCAL_OUT 3
/* Packets about to hit the wire. */
#define NF_IP_POST_ROUTING 4
/* Count of hook points (last index + 1); not itself a hook. */
#define NF_IP_NUMHOOKS 5

钩子函数的优先级,范围为INT_MIN~INT_MAX,从枚举的名称可以粗略地看出各个表的钩子函数工作的优先级关系;

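 enum nf_ip_hook_priorities {
	/*
	 * Hook priorities for IPv4.  At a given hook point, hook functions
	 * run in ascending order of this value, so the ordering below is the
	 * order a packet sees the tables: defrag, raw, conntrack, mangle,
	 * DNAT, filter, security, SNAT, conntrack helper/confirm.
	 *
	 * The numeric values were lost in the page's extraction ("= -,",
	 * "= ,"); they are restored here from the kernel's uapi
	 * netfilter_ipv4.h.  Only the relative order matters for the figure,
	 * but confirm the exact numbers against the kernel version being
	 * traced.  Requires <limits.h> for INT_MIN/INT_MAX.
	 */
	NF_IP_PRI_FIRST = INT_MIN,          /* sentinel: before every real hook */
	NF_IP_PRI_CONNTRACK_DEFRAG = -400,  /* first real hook: reassembly runs before anything inspects the packet */
	NF_IP_PRI_RAW = -300,
	NF_IP_PRI_SELINUX_FIRST = -225,
	NF_IP_PRI_CONNTRACK = -200,         /* presumably placed after defrag so it tracks whole datagrams — confirm */
	NF_IP_PRI_MANGLE = -150,
	NF_IP_PRI_NAT_DST = -100,           /* DNAT before filter: filter rules see the translated destination */
	NF_IP_PRI_FILTER = 0,
	NF_IP_PRI_SECURITY = 50,
	NF_IP_PRI_NAT_SRC = 100,            /* SNAT after filter: filter rules see the original source */
	NF_IP_PRI_SELINUX_LAST = 225,
	NF_IP_PRI_CONNTRACK_HELPER = 300,
	NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, /* same value as LAST: confirm runs as the final hook */
	NF_IP_PRI_LAST = INT_MAX,           /* sentinel: after every real hook */
};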

通过搜索关心的优先级,可以查看对应的钩子函数,如下为NF_IP_PRI_CONNTRACK_DEFRAG对应的钩子函数;可见,所在的钩子点为PRE_ROUTING和LOCAL_OUT,钩子函数均为ipv4_conntrack_defrag;使用这种方式依次查看每个优先级,即可得到本文开头的关系图;

 static struct nf_hook_ops ipv4_defrag_ops[] = {
/*
 * Registration table for the IPv4 defragmentation hook.  The same handler,
 * ipv4_conntrack_defrag, is installed at two hook points — PRE_ROUTING
 * (ingress) and LOCAL_OUT (locally generated) — both at
 * NF_IP_PRI_CONNTRACK_DEFRAG, which is listed directly after the
 * NF_IP_PRI_FIRST sentinel in nf_ip_hook_priorities, i.e. it is intended to
 * run before any other table at those points.  Presumably this is so that
 * conntrack and filtering further down the chain only ever see reassembled
 * datagrams rather than individual fragments — confirm in the handler.
 *
 * NOTE(review): .hooknum uses the NF_INET_* names rather than the NF_IP_*
 * macros listed earlier on this page; they appear to denote the same hook
 * indices, but verify against the kernel headers being traced.
 */
{
/* Ingress: runs on every packet entering the box, before routing. */
.hook = ipv4_conntrack_defrag,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},
{
/* Egress from a local process: same handler, same priority. */
.hook = ipv4_conntrack_defrag,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},
};