nfnetlink and ip_queue

2011-01-10  Source: original to this site  Category: Internet  Views: 80

This document is Copyleft, owned by yfydz, and is released under the GPL: it may be freely copied, reproduced and reprinted as long as it is kept intact; use for any commercial purpose is strictly prohibited.
msn: [email protected]
Source: http://yfydz.cublog.cn

1.   Foreword

netlink is a mechanism for communication between the Linux kernel and user space, in which data is exchanged between the two as something resembling network packets. It differs from the /proc, ioctl and setsockopt methods described earlier: with those, the user-space program always initiates the request (it acts as the client and the kernel as the server), whereas with netlink either the kernel or user space can send data to the other side on its own initiative.

netlink is now an essential part of the Linux kernel's network protocol suite; its code lives in net/netlink. Originally the netlink interface was provided mainly so that routing daemons could communicate with the kernel and modify the system routing table; starting with the 2.2 kernel the firewall module also gained netlink support. In the 2.4 kernel the firewall's netlink support is implemented by ip_queue; another implementation, nfnetlink, existed only as a patch in POM (patch-o-matic) and was not merged into the official kernel. In 2.6, nfnetlink was merged into the official kernel and became the recommended netlink support for the firewall module; ip_queue is still in the kernel tree but is no longer recommended (obsolete).

Through the netlink interface, netfilter can send network packets and firewall log information to user space, and connection-tracking state can also be exported over netlink. The relevant code is in net/netfilter/nfnetlink.c, net/netfilter/nfnetlink_conntrack.c, net/netfilter/nfnetlink_queue.c, net/netfilter/nfnetlink_log.c and other files.

The kernel version discussed below is 2.6.19.2.

2. netfilter's netlink initialization

2.1 nfnetlink initialization
/* net/netfilter/nfnetlink.c */

static int __init nfnetlink_init(void)
{
 printk("Netfilter messages via NETLINK v%s.\n", nfversion);
// Create the kernel netlink socket of type NETLINK_NETFILTER; the number of
// multicast groups is NFNLGRP_MAX, and packets arriving from user space are
// handled by nfnetlink_rcv
 nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX,
                              nfnetlink_rcv, THIS_MODULE);
 if (!nfnl) {
  printk(KERN_ERR "cannot initialize nfnetlink!\n");
  return -1;
 }
 return 0;
}

2.2 nfnetlink_queue initialization

/* net/netfilter/nfnetlink_queue.c */
static int __init nfnetlink_queue_init(void)
{
 int i, status = -ENOMEM;
#ifdef CONFIG_PROC_FS
 struct proc_dir_entry *proc_nfqueue;
#endif

 for (i = 0; i < INSTANCE_BUCKETS; i++)
  INIT_HLIST_HEAD(&instance_table[i]);
// Register a netlink notifier so nfqueue is told when a user-space
// netlink socket goes away
 netlink_register_notifier(&nfqnl_rtnl_notifier);
// Register the nfqueue subsystem with nfnetlink; nfnetlink_queue creates
// no netlink socket of its own but shares the NETLINK_NETFILTER socket
 status = nfnetlink_subsys_register(&nfqnl_subsys);
 if (status < 0) {
  printk(KERN_ERR "nf_queue: failed to create netlink socket\n");
  goto cleanup_netlink_notifier;
 }
......
}

2.3 ip_queue initialization

/* net/ipv4/netfilter/ip_queue.c */
static int __init ip_queue_init(void)
{
 int status = -ENOMEM;
 struct proc_dir_entry *proc;

 netlink_register_notifier(&ipq_nl_notifier);
// Create the kernel netlink socket of type NETLINK_FIREWALL with 0 multicast
// groups; packets arriving from user space are handled by ipq_rcv_sk
 ipqnl = netlink_kernel_create(NETLINK_FIREWALL, 0, ipq_rcv_sk,
          THIS_MODULE);
 if (ipqnl == NULL) {
  printk(KERN_ERR "ip_queue: failed to create netlink socket\n");
  goto cleanup_netlink_notifier;
 }
......
}

2.4   Summary
Both nfnetlink and ip_queue therefore create their netlink socket by calling netlink_kernel_create. ip_queue is comparatively simple: its only job is to pass network packets. nfnetlink has been extended so that it passes not only packets but other data as well, such as log information; each kind of data is handled by a separate subsystem registered with nfnetlink, and nfnetlink tells the subsystems apart by netlink message type. Since nfnetlink not only includes ip_queue's functionality but extends it, this is probably why ip_queue was deprecated.
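As an added example (not code from the original post or from the kernel), the following user-space C program shows the multiplexing the summary refers to: nfnetlink packs a subsystem id into the high byte of nlmsg_type and the per-subsystem message type into the low byte, and nfnetlink_rcv_msg() routes on that id after checking the message length. The nlmsghdr and nfgenmsg layouts, the NFNL_SUBSYS_ID / NFNL_MSG_TYPE macros and the subsystem numbering are copied from the 2.6.19 headers so the file builds without kernel headers; build_msg(), dispatch_one() and roundtrip() are this example's own.

```c
#include <stdint.h>
#include <string.h>

struct nlmsghdr {   /* mirrors <linux/netlink.h> */
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};
struct nfgenmsg {   /* mirrors <linux/netfilter/nfnetlink.h> */
    uint8_t nfgen_family; uint8_t version; uint16_t res_id;
};
#define NLMSG_ALIGN(len)  (((len) + 3U) & ~3U)
#define NLMSG_HDRLEN      NLMSG_ALIGN(sizeof(struct nlmsghdr))
/* high byte of nlmsg_type = subsystem id, low byte = message type within it */
#define NFNL_SUBSYS_ID(x) (((x) & 0xff00) >> 8)
#define NFNL_MSG_TYPE(x)  ((x) & 0x00ff)
/* subsystem ids as numbered in the 2.6.19 nfnetlink.h */
enum { NFNL_SUBSYS_NONE, NFNL_SUBSYS_CTNETLINK, NFNL_SUBSYS_CTNETLINK_EXP,
       NFNL_SUBSYS_QUEUE, NFNL_SUBSYS_ULOG, NFNL_SUBSYS_COUNT };

/* Build an nfnetlink message (nlmsghdr + nfgenmsg, no attributes); returns its length. */
size_t build_msg(unsigned char *buf, unsigned subsys, unsigned msgtype)
{
    struct nlmsghdr nlh = {0};
    struct nfgenmsg nfg = { 2 /* AF_INET */, 0 /* NFNETLINK_V0 */, 0 };
    nlh.nlmsg_len  = NLMSG_HDRLEN + sizeof nfg;
    nlh.nlmsg_type = (uint16_t)((subsys << 8) | (msgtype & 0xff));
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + NLMSG_HDRLEN, &nfg, sizeof nfg);
    return nlh.nlmsg_len;
}

/* Mimic the routing step of nfnetlink_rcv_msg(): reject a message shorter than
 * nlmsghdr + nfgenmsg or naming an unknown subsystem, else return the subsystem id. */
int dispatch_one(const unsigned char *buf, size_t len)
{
    struct nlmsghdr nlh;
    if (len < NLMSG_HDRLEN) return -1;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len > len || nlh.nlmsg_len < NLMSG_HDRLEN + sizeof(struct nfgenmsg))
        return -1;
    unsigned id = NFNL_SUBSYS_ID(nlh.nlmsg_type);
    return id < NFNL_SUBSYS_COUNT ? (int)id : -1;
}
/* Build, optionally truncate to 'keep' bytes (0 = whole message), then dispatch. */
int roundtrip(unsigned subsys, unsigned msgtype, size_t keep)
{
    unsigned char buf[64];
    size_t n = build_msg(buf, subsys, msgtype);
    return dispatch_one(buf, keep ? keep : n);
}
```

The truncated cases show why the length check matters: a receiver that trusts nlmsg_len without comparing it to the bytes actually received would read past the buffer.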

3. netlink_kernel_create
/* net/netlink/af_netlink.c */
/*
 * We export these functions to other modules. They provide a
 * complete set of kernel non-blocking support for message
 * queueing.
 */
// unit:   the netlink interface type, e.g. ROUTE, FIREWALL, IP6_FW, XFRM;
//         must be below MAX_LINKS
// groups: number of multicast groups for this netlink type
// input:  callback that handles data sent from user space to the kernel
struct sock *
netlink_kernel_create(int unit, unsigned int groups,
                      void (*input)(struct sock *sk, int len),
                      struct module *module)
{
 struct socket *sock;
 struct sock *sk;
 struct netlink_sock *nlk;
 unsigned long *listeners = NULL;

 BUG_ON(!nl_table);
// Range-check unit
 if (unit<0 || unit>=MAX_LINKS)
  return NULL;
// Create the netlink socket
 if (sock_create_lite(PF_NETLINK, SOCK_DGRAM, unit, &sock))
  return NULL;
// Create the netlink sock of type unit
 if (__netlink_create(sock, unit) < 0)
  goto out_sock_release;
// Fewer than 32 groups are rounded up to 32. ip_queue passes 0 and nfnetlink
// passes NFNLGRP_MAX, which does not exceed 32, so the two end up equivalent
 if (groups < 32)
  groups = 32;
// Allocate the listener bitmap (one bit per multicast group)
 listeners = kzalloc(NLGRPSZ(groups), GFP_KERNEL);
 if (!listeners)
  goto out_sock_release;
 sk = sock->sk;
 sk->sk_data_ready = netlink_data_ready;
// The input function handles data flowing from user space to the kernel
 if (input)
  nlk_sk(sk)->data_ready = input;
// Insert the sock into the netlink hash table
 if (netlink_insert(sk, 0))
  goto out_sock_release;
// Set the basic parameters of the kernel netlink sock and its nl_table entry
 nlk = nlk_sk(sk);
 nlk->flags |= NETLINK_KERNEL_SOCKET;
 netlink_table_grab();
 nl_table[unit].groups = groups;
 nl_table[unit].listeners = listeners;
 nl_table[unit].module = module;
 nl_table[unit].registered = 1;
 netlink_table_ungrab();
 return sk;
out_sock_release:
 kfree(listeners);
 sock_release(sock);
 return NULL;
}

4.   Conclusion

nfnetlink uses a netlink socket of type NETLINK_NETFILTER, while ip_queue uses one of type NETLINK_FIREWALL, so in principle the two can be told apart. But since nfnetlink already contains ip_queue's functionality and extends it, only nfnetlink is recommended.