Netfilter hook on router not getting called for bridged interfaces

Views: 305

Problem description

I have a Linux kernel module that I'm running on a router (a Netgear DGN2200v2 running Linux 2.6.30).

The kernel module registers a netfilter hook like so:

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

static struct nf_hook_ops nfho;

/* Hook callback with the netfilter signature used by 2.6.x kernels. */
static unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb,
                              const struct net_device *in,
                              const struct net_device *out,
                              int (*okfn)(struct sk_buff *))
{
    printk(KERN_INFO "hook_func: packet on %s\n", in ? in->name : "(none)");
    return NF_ACCEPT;
}

// ...

nfho.hook = hook_func;
nfho.owner = THIS_MODULE;
nfho.hooknum = NF_INET_PRE_ROUTING; /* 0, formerly NF_IP_PRE_ROUTING */
nfho.pf = PF_INET;                  /* 2: the IPv4 hook chain only */
nfho.priority = INT_MIN;

int rc = nf_register_hook(&nfho);

I have two machines connected to my router, one via wifi and one using an Ethernet cable. The router itself is not connected to the Internet (i.e. all of my testing is on an isolated network).

My problem is that according to the printks in my hook function, the hook is getting called only for packets that are being sent directly to the router (i.e. if I ping the router from my machine) or directly from the router (i.e. if I telnet to the router and ping my machine from it).

However, the hook is not being called if the two machines ping each other, even though this traffic obviously still flows through the router.

According to http://www.tldp.org/HOWTO/html_single/Ethernet-Bridge-netfilter-HOWTO and http://www.linux-kongress.org/2002/papers/lk2002-spenneberg.pdf, if I set up a bridge in my router, then netfilter (or iptables) should be able to filter packets flowing through it. Looking at the output of brctl on the router (I can attach it if needed), it seems that such a bridge is already set up, yet my hook is not seeing those packets.

Is there a way to get netfilter hooks called for such packets as well?

Recommended answer

Just in case someone else runs into the same problem: the issue was that I used the wrong type of hook. I should have used PF_BRIDGE (0x07) rather than PF_INET (0x02). See also http://ebtables.netfilter.org/ebtables-hacking/ebtables-hacking-HOWTO-4.html.
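The answer's point is that netfilter keeps a separate hook list per protocol family, so a hook registered with pf = PF_INET is only consulted on the IPv4 path, while frames forwarded by the bridge traverse the PF_BRIDGE chain (NF_BR_PRE_ROUTING). The following user-space C program is an added illustration, not code from the question, the answer, or the Linux kernel: it is a constructed model of that per-family dispatch (the `nf_register_hook_model` / `nf_hook_model` functions, the `struct pkt` type and the three sample packets are all assumptions of the model), and it reproduces what the asker observed: the PF_INET hook counts the pings to the router but not the bridged ping between the two hosts. It also models the one caveat a practitioner should know: when the br_netfilter code is active (sysctl `net.bridge.bridge-nf-call-iptables=1`), bridged IPv4 frames are additionally passed to the PF_INET chain, so on such a kernel the original PF_INET hook would have seen the traffic after all.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* PF_INET (2) and, on Linux, PF_BRIDGE (7) */

#ifndef PF_BRIDGE
#define PF_BRIDGE 7       /* assumption for non-Linux builds; matches AF_BRIDGE on Linux */
#endif

/* Constructed model of netfilter dispatch: hook lists are keyed by protocol
 * family first, then by hook number (NF_INET_PRE_ROUTING == NF_BR_PRE_ROUTING == 0). */
#define NF_PRE_ROUTING 0
#define NF_MAX_HOOKS   8
#define NPROTO_MODEL   32
#define MAX_OPS        8

enum { NF_DROP = 0, NF_ACCEPT = 1 };

struct pkt { int pf; unsigned hooknum; const char *desc; };
typedef unsigned (*hook_fn)(struct pkt *);

struct hook_ops { hook_fn hook; int pf; unsigned hooknum; int priority; };

static struct hook_ops *hooks[NPROTO_MODEL][NF_MAX_HOOKS][MAX_OPS];
static int nhooks[NPROTO_MODEL][NF_MAX_HOOKS];

/* Insert into the (pf, hooknum) list keeping ascending priority order. */
static int nf_register_hook_model(struct hook_ops *ops)
{
    int n, i;
    if (ops->pf < 0 || ops->pf >= NPROTO_MODEL || ops->hooknum >= NF_MAX_HOOKS)
        return -1;
    n = nhooks[ops->pf][ops->hooknum];
    if (n == MAX_OPS)
        return -1;
    for (i = n; i > 0 && hooks[ops->pf][ops->hooknum][i - 1]->priority > ops->priority; i--)
        hooks[ops->pf][ops->hooknum][i] = hooks[ops->pf][ops->hooknum][i - 1];
    hooks[ops->pf][ops->hooknum][i] = ops;
    nhooks[ops->pf][ops->hooknum] = n + 1;
    return 0;
}

/* Run the chain for one packet; stop at the first verdict other than NF_ACCEPT. */
static unsigned nf_hook_model(struct pkt *p)
{
    int i;
    for (i = 0; i < nhooks[p->pf][p->hooknum]; i++) {
        unsigned v = hooks[p->pf][p->hooknum][i]->hook(p);
        if (v != NF_ACCEPT)
            return v;
    }
    return NF_ACCEPT;
}

static int inet_hits, bridge_hits;
static unsigned inet_hook(struct pkt *p)   { (void)p; inet_hits++;   return NF_ACCEPT; }
static unsigned bridge_hook(struct pkt *p) { (void)p; bridge_hits++; return NF_ACCEPT; }

/* Same fields the question's nf_hook_ops used, one per protocol family. */
static struct hook_ops inet_ops   = { inet_hook,   PF_INET,   NF_PRE_ROUTING, INT_MIN };
static struct hook_ops bridge_ops = { bridge_hook, PF_BRIDGE, NF_PRE_ROUTING, INT_MIN };

/* Feed the question's three traffic patterns (constructed) through the model and
 * report how many packets each hook saw. Returns 0 on success. */
int run_scenario(int bridge_nf_call_iptables, int *inet_seen, int *bridge_seen)
{
    struct pkt to_router = { PF_INET,   NF_PRE_ROUTING, "wifi host -> router (ping)" };
    struct pkt reply     = { PF_INET,   NF_PRE_ROUTING, "eth host -> router (ping reply)" };
    struct pkt bridged   = { PF_BRIDGE, NF_PRE_ROUTING, "wifi host -> eth host, forwarded by br0" };
    struct pkt *pkts[] = { &to_router, &reply, &bridged };
    size_t i;

    memset(nhooks, 0, sizeof nhooks);
    inet_hits = bridge_hits = 0;
    if (nf_register_hook_model(&inet_ops) || nf_register_hook_model(&bridge_ops))
        return -1;

    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        nf_hook_model(pkts[i]);
        /* br_netfilter behaviour: with bridge-nf-call-iptables=1 a bridged IPv4
         * frame is also handed to the PF_INET chain. The asker's router evidently
         * did not do this, so only a PF_BRIDGE hook saw the bridged ping. */
        if (pkts[i]->pf == PF_BRIDGE && bridge_nf_call_iptables) {
            struct pkt again = *pkts[i];
            again.pf = PF_INET;
            nf_hook_model(&again);
        }
    }
    *inet_seen = inet_hits;
    *bridge_seen = bridge_hits;
    return 0;
}

int main(void)
{
    int inet, bridge;
    run_scenario(0, &inet, &bridge);
    printf("bridge-nf-call-iptables=0: PF_INET hook saw %d packets, PF_BRIDGE hook saw %d\n", inet, bridge);
    run_scenario(1, &inet, &bridge);
    printf("bridge-nf-call-iptables=1: PF_INET hook saw %d packets, PF_BRIDGE hook saw %d\n", inet, bridge);
    return 0;
}
```

In the first run the PF_INET hook counts only the two packets addressed to the router and the PF_BRIDGE hook counts the bridged one, which is exactly the split the question describes; in the second run the PF_INET hook also counts the bridged frame. On a real box the equivalent check is to look at `/proc/sys/net/bridge/bridge-nf-call-iptables` (present only when br_netfilter is built in or loaded) before deciding whether a PF_INET or a PF_BRIDGE hook is the right place to observe bridged traffic.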
