How to filter and intercept Linux packets by using net_dev_add() API?


Problem description

I'm writing an Ethernet network driver for Linux. I want to receive packets, edit them and resend them. I know how to edit the packet in the packet_interceptor function, but how can I drop incoming packets in this function?

#include <linux/module.h>
#include <linux/init.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <net/sock.h>

static struct packet_type my_proto;

/* Called for every frame delivered to an ETH_P_ALL handler. The skb is
 * shared with the other handlers (the device layer only took a reference
 * for us), so it must not be edited in place without skb_share_check()
 * first, and the reference must be released before returning.
 * ETH_P_ALL handlers also see transmitted frames (skb->pkt_type ==
 * PACKET_OUTGOING). */
static int packet_interceptor(struct sk_buff *skb,
    struct net_device *dev,
    struct packet_type *pt,
    struct net_device *orig_dev) {

    // I don't want certain packets to go up to the upper layers for further processing.
    // How can I drop the sk_buff here?!

    /* Drop our reference; without this every received frame leaks.
     * This only frees this handler's reference, not the copy the IP
     * stack will process. */
    kfree_skb(skb);
    return 0;
}

static int __init hello_init(void) {
    printk(KERN_INFO "Hello, world!\n");

    my_proto.type = htons(ETH_P_ALL);
    my_proto.dev = NULL;           /* all devices */
    my_proto.func = packet_interceptor;

    dev_add_pack(&my_proto);
    return 0;
}

static void __exit hello_exit(void) {
  dev_remove_pack(&my_proto);
  printk(KERN_INFO "Bye, world\n");
}

module_init(hello_init);
module_exit(hello_exit);
MODULE_LICENSE("GPL");

Recommended answer

You are making your module handle all Ethernet packets. Linux will send packets to all matching protocol handlers. Since IP is already registered in your kernel, both your module and ip_rcv will receive all SKBs with IP headers.

You cannot change this behaviour without changing the kernel code. One possibility is to create a netfilter module instead. This way, you can intercept the packet after the ip_rcv function and drop it if you want to (in Netfilter's PREROUTING hook).

Here is a small Netfilter module which I extracted from some code I had already written. This module is unfinished, but the main stuff is in place.

#include <linux/module.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

// Handler function. This is the hook signature of kernels before 3.13;
// current kernels use (void *priv, struct sk_buff *skb,
//                      const struct nf_hook_state *state).
static unsigned int my_handler (
    unsigned int hook,
    struct sk_buff *skb,
    const struct net_device *in,
    const struct net_device *out,
    int (*okfn)(struct sk_buff *))
{
    // Return NF_DROP to discard the packet, NF_ACCEPT to let it continue
    // into routing / ip_rcv_finish().
    return NF_ACCEPT;
}

// Handler registering struct
static struct nf_hook_ops my_hook __read_mostly = {
    .hook = my_handler,
    .pf = NFPROTO_IPV4,
    // hooknum is an index, not a bitmask: (1 << NF_INET_PRE_ROUTING) == 1
    // would have registered the hook on NF_INET_LOCAL_IN instead.
    .hooknum = NF_INET_PRE_ROUTING,
    .priority = NF_IP_PRI_FIRST // My hook will be run before any other netfilter hook
};

static int __init my_init(void) {
    // On kernels 4.13 and later use nf_register_net_hook(&init_net, &my_hook).
    int err = nf_register_hook (&my_hook);
    if (err) {
            printk (KERN_ERR "Could not register hook\n");
    }
    return err;
}

static void __exit my_exit(void) {
    // nf_unregister_net_hook(&init_net, &my_hook) on 4.13 and later.
    nf_unregister_hook (&my_hook);
}

module_init(my_init);
module_exit(my_exit);
MODULE_LICENSE("GPL");
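The answer's hook body is empty, so it does not show what a PRE_ROUTING handler actually has to do before returning NF_DROP or NF_ACCEPT, nor what the "edit" step from the question costs. The block below is an added example, not code from the original post or from the Linux kernel: it implements the accept/drop decision and a TTL rewrite as plain user-space C over a raw IPv4 byte buffer, so it can be compiled and run without a kernel. Inside a real hook, `pkt` would be `ip_hdr(skb)` and `len` the number of bytes `pskb_may_pull()` has made linear; the kernel repairs the header checksum with `ip_send_check()`. The filtering policy (drop TCP segments to port 23) and the sample packet are assumptions constructed for illustration; the NF_DROP/NF_ACCEPT values mirror `<linux/netfilter.h>`.

```c
#include <stdint.h>
#include <string.h>

#define NF_DROP   0            /* same values as in <linux/netfilter.h> */
#define NF_ACCEPT 1
#define IPV4_MIN_HDR     20
#define TCP_MIN_HDR      20
#define PROTO_TCP        6
#define BLOCKED_TCP_PORT 23    /* assumed policy, made up for this example */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* IPv4 header length in bytes, or 0 if IHL / total length do not fit in len. */
size_t ipv4_header_len(const uint8_t *pkt, size_t len)
{
    size_t ihl, tot;
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = be16(pkt + 2);
    if (ihl < IPV4_MIN_HDR || ihl > len || tot < ihl || tot > len)
        return 0;
    return ihl;
}

/* RFC 1071 checksum of the header with bytes 10-11 taken as zero: the
 * value ip_send_check() stores in the checksum field. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t ihl)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl; i += 2)
        if (i != 10)                     /* skip the checksum field itself */
            sum += be16(hdr + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Verdict a NF_INET_PRE_ROUTING hook would return for this packet. */
unsigned int prerouting_verdict(const uint8_t *pkt, size_t len)
{
    size_t ihl = ipv4_header_len(pkt, len);
    if (ihl == 0)
        return NF_DROP;                  /* malformed: never pass it on */
    if (be16(pkt + 10) != ipv4_header_checksum(pkt, ihl))
        return NF_DROP;                  /* corrupt header */
    if (pkt[9] != PROTO_TCP)
        return NF_ACCEPT;
    if (be16(pkt + 2) - ihl < TCP_MIN_HDR)
        return NF_DROP;                  /* TCP header does not fit */
    if (be16(pkt + ihl + 2) == BLOCKED_TCP_PORT)
        return NF_DROP;
    return NF_ACCEPT;
}

/* The "edit" step: change the TTL, then repair the header checksum as a hook
 * must after mangling any IPv4 header field (ip_send_check() in-kernel).
 * Returns 0 on success, -1 if pkt is not a sane IPv4 packet. */
int ipv4_set_ttl(uint8_t *pkt, size_t len, uint8_t ttl)
{
    size_t ihl = ipv4_header_len(pkt, len);
    if (ihl == 0)
        return -1;
    pkt[8] = ttl;
    uint16_t csum = ipv4_header_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)csum;
    return 0;
}

/* Constructed sample: 192.168.1.2 -> 192.168.1.1, TTL 64, TCP SYN to port 23,
 * no payload; header checksum 0xf77b computed by hand. */
static const uint8_t telnet_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0xf7, 0x7b,
    0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x01,
    0xc0, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

/* Copy the sample, retarget it to dport and present only len bytes of it. */
unsigned int sample_verdict(uint16_t dport, size_t len)
{
    uint8_t pkt[sizeof telnet_syn];
    memcpy(pkt, telnet_syn, sizeof pkt);
    pkt[22] = (uint8_t)(dport >> 8);
    pkt[23] = (uint8_t)dport;
    return prerouting_verdict(pkt, len < sizeof pkt ? len : sizeof pkt);
}

/* Rewrite the sample's TTL; return the repaired checksum field, or -1. */
int sample_ttl_rewrite_checksum(uint8_t ttl)
{
    uint8_t pkt[sizeof telnet_syn];
    memcpy(pkt, telnet_syn, sizeof pkt);
    if (ipv4_set_ttl(pkt, sizeof pkt, ttl) != 0)
        return -1;
    return be16(pkt + 10);
}

/* Stand-alone: exit 0 when the sample telnet SYN would be dropped. */
int main(void) { return sample_verdict(23, sizeof telnet_syn) == NF_DROP ? 0 : 1; }
```

Two points carry over to the kernel hook unchanged: every header field is bounds-checked against the bytes actually held before it is read (a truncated packet is dropped, not parsed), and any edit to the IPv4 header is followed by a checksum recomputation, otherwise the next hop discards the "edited and resent" packet as corrupt. The port-23 policy is only a placeholder for whatever condition the module is meant to enforce.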
