How to filter and intercept Linux packets by using net_dev_add() API?

Question

I'm writing an Ethernet network driver for Linux. I want to receive packets, edit and resend them. I know how to edit the packet in the packet_interceptor function, but how can I drop incoming packets in this function?

#include <linux/module.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/if_ether.h>
#include <net/sock.h>

static struct packet_type my_proto;

static int packet_interceptor(struct sk_buff *skb,
    struct net_device *dev,
    struct packet_type *pt,
    struct net_device *orig_dev) {

    // I don't want certain packets to go up the stack for further processing.
    // How can I drop the sk_buff here?!

    // A packet_type handler owns the skb reference it is handed and must
    // release it, otherwise every intercepted packet leaks.
    kfree_skb(skb);
    return 0;
}

static int hello_init(void) {
    printk(KERN_INFO "Hello, world!\n");

    my_proto.type = htons(ETH_P_ALL);   // receive every Ethernet frame
    my_proto.dev = NULL;                // on every interface
    my_proto.func = packet_interceptor;

    dev_add_pack(&my_proto);
    return 0;
}

static void hello_exit(void) {
    dev_remove_pack(&my_proto);
    printk(KERN_INFO "Bye, world\n");
}

module_init(hello_init);
module_exit(hello_exit);
MODULE_LICENSE("GPL");

Answer

You are making your module handle all Ethernet packets. Linux will send packets to all matching protocol handlers. Since IP is already registered in your kernel, both your module and ip_rcv will receive all SKBs with IP headers.

You cannot change this behaviour without changing the kernel code. One possibility is to create a netfilter module instead. This way, you can intercept the packet after the ip_rcv function and drop it if you want to (in Netfilter's PREROUTING hook).

Here is a small Netfilter module which I extracted from some code I had already written. This module is unfinished, but the main parts are in place.

#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>

// Handler function (the nf_hookfn signature of older kernels; newer ones
// pass (void *priv, struct sk_buff *skb, const struct nf_hook_state *state))
static unsigned int my_handler (
    unsigned int hook,
    struct sk_buff *skb,
    const struct net_device *in,
    const struct net_device *out,
    int (*okfn)(struct sk_buff *))
{
    // Per-packet verdict: NF_ACCEPT lets the skb continue through routing,
    // NF_DROP frees it so no later hook or socket ever sees it.
    return NF_ACCEPT;
    // or: return NF_DROP;
}

// Handler registering struct
static struct nf_hook_ops my_hook __read_mostly = {
    .hook = my_handler,
    .pf = NFPROTO_IPV4,
    // hooknum is a hook number, not a bit mask: (1 << NF_INET_PRE_ROUTING)
    // equals NF_INET_LOCAL_IN and would register the wrong hook
    .hooknum = NF_INET_PRE_ROUTING,
    .priority = NF_IP_PRI_FIRST // My hook will be run before any other netfilter hook
};

int my_init(void) {
    // nf_register_hook() was removed in 4.13; use
    // nf_register_net_hook(&init_net, &my_hook) on newer kernels
    int err = nf_register_hook (&my_hook);
    if (err) {
        printk (KERN_ERR "Could not register hook\n");
    }
    return err;
}
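The verdict logic the answer's PREROUTING hook would apply to ip_hdr(skb), written here as an added user-space model (not the answer's code) so it can be exercised on constructed packets: it refuses anything that is not a well-formed IPv4 header and then drops datagrams from one blocked source address. The function and helper names (prerouting_verdict, build_ipv4, sample_verdict) and the 10.0.0.x addresses are assumptions; in a real module the nf_hookfn would call prerouting_verdict() on the header and return its result, and the header sanity checks only matter when the function is reused outside ip_rcv, which has already validated the header before the hook runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Same numeric values as the kernel's NF_DROP (0) and NF_ACCEPT (1). */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
static void put_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Policy for one IPv4 datagram as the PREROUTING hook would see it (pkt points at
 * the IP header, len is the bytes available): header sanity first, then the block rule. */
int prerouting_verdict(const uint8_t *pkt, size_t len, uint32_t blocked_src)
{
    if (len < 20) return VERDICT_DROP;                          /* shorter than a minimal header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || ihl > len) return VERDICT_DROP; /* not IPv4 / header overrun */
    uint16_t tot_len = be16(pkt + 2);
    if (tot_len < ihl || tot_len > len) return VERDICT_DROP;    /* total length inconsistent with data */
    if (be32(pkt + 12) == blocked_src) return VERDICT_DROP;     /* source address matches the block rule */
    return VERDICT_ACCEPT;
}

/* Constructs an IPv4 datagram (checksum left zero, no options) so the verdict can be
 * exercised in user space; returns its length, or 0 if it does not fit in buf. */
size_t build_ipv4(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst,
                  uint8_t proto, size_t payload_len)
{
    size_t total = 20 + payload_len;
    if (cap < total || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                              /* version 4, IHL 5 (20 bytes) */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;    /* total length, big-endian */
    buf[8] = 64; buf[9] = proto;                                /* TTL, protocol */
    put_be32(buf + 12, src); put_be32(buf + 16, dst);
    return total;
}

/* Constructed sample: 10.0.0.1 -> 10.0.0.2, UDP, 8 payload bytes (28 bytes total);
 * the hook is handed at most `len` bytes of it, which models a truncated buffer. */
int sample_verdict(uint32_t blocked_src, size_t len)
{
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, sizeof pkt, 0x0a000001u, 0x0a000002u, 17, 8);
    return prerouting_verdict(pkt, len < n ? len : n, blocked_src);
}
```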
