netfilter-钩子函数的框架程序(转自ggj.cublog.cn )
时间:2006-10-15 来源:迷信的兔子
netfilter简单但完整的框架程序
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif
#include<linux/module.h>
#include<linux/kernel.h>
#include<linux/netfilter.h>
#include<linux/netfilter_ipv4.h>
#include<linux/netfilter_ipv6.h>
//#include<linux/ip.h>
#include<linux/tcp.h>
#include<linux/skbuff.h>
#include<linux/in.h>//for IPPROTO_TCP IP ICMP
#include<linux/if_ether.h>//for ETH_P_IP ETH_P_ARP
#include<linux/types.h>
#include<linux/netdevice.h>
#include<net/ip.h>
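#include<net/ipip.h>

/*
 * One nf_hook_ops descriptor per IPv4 hook point. init_module() fills in all
 * five. (The declaration of mytunnel_ops used to share a line with the
 * #include above, where the preprocessor treats it as stray tokens of the
 * directive and the variable is never declared.)
 */
static struct nf_hook_ops mytunnel_ops;
static struct nf_hook_ops mytunnel_ops_2;
static struct nf_hook_ops mytunnel_ops_3;
static struct nf_hook_ops mytunnel_ops_4;
static struct nf_hook_ops mytunnel_ops_5;

/*
 * File-scope scratch pointers for packets and headers.
 * NOTE(review): these are single shared variables, while netfilter hooks can
 * run on several CPUs at the same time. Per-packet state kept here can be
 * overwritten mid-use and keeps pointing at a packet after the hook has
 * returned, so hooks should prefer locals. sock_skb1, tcph and eth are only
 * referenced from disabled code in this listing, or not at all.
 */
struct sk_buff *sock_skb;
struct sk_buff *sock_skb1;
struct sk_buff *sock_skb2;
struct sk_buff *sock_skb3;
struct sk_buff *sock_skb4;
struct sk_buff *sock_skb5;
struct tcphdr *tcph;
struct iphdr *iph;
struct ethhdr *eth;

/*
 * Match values stored as raw bytes in wire (network) order.
 *   destport  = 0x16e2 (5858), nottruedp = 0x16e3 (5859); truedp is the
 *               byte-swapped form of nottruedp. All three are only used by
 *               disabled code in this listing.
 *   daddr     = 10.30.84.106
 *   saddr     = 192.168.1.1
 * The hooks read the addresses with *(unsigned int *)ptr.
 * NOTE(review): a string literal is not guaranteed to be 4-byte aligned and
 * the cast bypasses type checking; a 32-bit constant built with htonl()
 * would avoid both.
 */
unsigned char * destport="\x16\xe2";
unsigned char * nottruedp="\x16\xe3";
unsigned char * truedp="\xe3\x16";
unsigned char * daddr="\x0a\x1e\x54\x6A";
unsigned char* saddr="\xC0\xA8\x1\x1";

/* Only referenced from disabled code in this listing. */
int i,j;
int max_headroom;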
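/*
 * my_hook - logging-only IPv4 hook.
 *
 * init_module() sets this up for NF_IP_PRE_ROUTING but leaves its
 * registration commented out. For every packet whose destination address
 * equals the four bytes at saddr it prints source, destination and protocol.
 * The packet is never modified and the verdict is always NF_ACCEPT.
 *
 * The original also carried several disabled experiments (relabelling
 * protocol 41 as 6, re-sending a copy through dev_queue_xmit(), and pushing
 * a new outer IP header); they were commented out and are not reproduced.
 *
 * NOTE(review): the printk fires for every matching packet with no rate
 * limit, so a busy flow can flood the kernel log. Addresses are printed as
 * raw 32-bit values in network byte order.
 */
unsigned int my_hook(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/*
	 * Locals instead of the file-scope sock_skb/iph: the hook may run on
	 * several CPUs at once, and a shared pointer could be overwritten by
	 * another packet between the check and the use.
	 */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;

	/* saddr holds the address bytes in wire order, same as ip->daddr. */
	if (ip->daddr == *(unsigned int *)saddr)
		printk("sip=%u,dip=%u,protocol=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}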
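/*
 * my_hook_2 - relabel inbound TCP as protocol 41 (registered by
 * init_module() on NF_IP_LOCAL_IN).
 *
 * For packets whose destination equals the four bytes at saddr, logs the
 * header and, when the IP protocol field is TCP (6), rewrites it to
 * IPPROTO_IPV6 (41) and recomputes the IP header checksum. Always returns
 * NF_ACCEPT.
 *
 * NOTE(review): the header is edited in place without first making sure the
 * skb is not shared or cloned, so another holder of the same buffer would
 * see the rewritten field. Everything that handles the packet after this
 * hook sees a protocol number that differs from what arrived on the wire;
 * keep that in mind when reading logs or writing filter rules.
 * NOTE(review): the printk is not rate limited.
 */
unsigned int my_hook_2(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/* Local state only; the hook can run concurrently on several CPUs. */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr != *(unsigned int *)saddr)
		return NF_ACCEPT;

	printk("sip2=%u,dip2=%u,protocol2=%u\n", ip->saddr, ip->daddr, ip->protocol);

	if (ip->protocol == IPPROTO_TCP) {
		ip->protocol = IPPROTO_IPV6;
		/* The protocol byte is covered by the IP header checksum. */
		ip_send_check(ip);
	}

	return NF_ACCEPT;
}

/*
 * my_hook_3 - logging-only hook (set up for NF_IP_FORWARD in init_module(),
 * registration commented out there).
 *
 * Prints source, destination and protocol of packets whose destination
 * equals the four bytes at daddr. Never modifies the packet; always returns
 * NF_ACCEPT.
 */
unsigned int my_hook_3(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr == *(unsigned int *)daddr)
		printk("sip3=%u,dip3=%u,protocol3=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}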
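/*
 * my_hook_4 - relabel outbound protocol 41 as TCP (registered by
 * init_module() on NF_IP_POST_ROUTING).
 *
 * For packets whose destination equals the four bytes at daddr, logs the
 * header and, when the IP protocol field is IPPROTO_IPV6 (41), rewrites it
 * to TCP (6) and recomputes the IP header checksum. Always returns
 * NF_ACCEPT.
 *
 * NOTE(review): only the protocol byte and the IP header checksum change;
 * the payload is not inspected, so what leaves the host is labelled TCP
 * whether or not it is a well-formed TCP segment. The header is also edited
 * in place without checking that the skb is unshared. The printk is not
 * rate limited.
 */
unsigned int my_hook_4(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/* Local state only; the hook can run concurrently on several CPUs. */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr != *(unsigned int *)daddr)
		return NF_ACCEPT;

	printk("sip4=%u,dip4=%u,protocol4=%u\n", ip->saddr, ip->daddr, ip->protocol);

	if (ip->protocol == IPPROTO_IPV6) {
		ip->protocol = IPPROTO_TCP;
		/* The protocol byte is covered by the IP header checksum. */
		ip_send_check(ip);
	}

	return NF_ACCEPT;
}

/*
 * my_hook_5 - logging-only hook (set up for NF_IP_LOCAL_OUT in
 * init_module(), registration commented out there).
 *
 * Prints source, destination and protocol of packets whose source address
 * equals the four bytes at saddr. Never modifies the packet; always returns
 * NF_ACCEPT.
 */
unsigned int my_hook_5(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->saddr == *(unsigned int *)saddr)
		printk("sip5=%u,dip5=%u,protocol5=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}

MODULE_LICENSE("GPL");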
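/*
 * init_module - module load entry point.
 *
 * Fills in all five hook descriptors, then registers only mytunnel_ops_2
 * (NF_IP_LOCAL_IN) and mytunnel_ops_4 (NF_IP_POST_ROUTING); the other three
 * stay unregistered, as in the original listing. The priorities are
 * NF_IP_PRI_FILTER+2 .. +6, so each hook runs after the filter-table hook at
 * the same hook point.
 *
 * Returns 0 on success, or the error from nf_register_hook(). On failure no
 * hook is left registered: a hook that stays attached after the module fails
 * to load would point at code that is no longer there.
 */
int init_module()
{
	int err;

	mytunnel_ops.hook = my_hook;
	mytunnel_ops.pf = PF_INET;
	mytunnel_ops.hooknum = NF_IP_PRE_ROUTING;
	mytunnel_ops.priority = NF_IP_PRI_FILTER + 2;

	mytunnel_ops_2.hook = my_hook_2;
	mytunnel_ops_2.pf = PF_INET;
	mytunnel_ops_2.hooknum = NF_IP_LOCAL_IN;
	mytunnel_ops_2.priority = NF_IP_PRI_FILTER + 3;

	mytunnel_ops_3.hook = my_hook_3;
	mytunnel_ops_3.pf = PF_INET;
	mytunnel_ops_3.hooknum = NF_IP_FORWARD;
	mytunnel_ops_3.priority = NF_IP_PRI_FILTER + 4;

	mytunnel_ops_4.hook = my_hook_4;
	mytunnel_ops_4.pf = PF_INET;
	mytunnel_ops_4.hooknum = NF_IP_POST_ROUTING;
	mytunnel_ops_4.priority = NF_IP_PRI_FILTER + 5;

	mytunnel_ops_5.hook = my_hook_5;
	mytunnel_ops_5.pf = PF_INET;
	mytunnel_ops_5.hooknum = NF_IP_LOCAL_OUT;
	mytunnel_ops_5.priority = NF_IP_PRI_FILTER + 6;

	err = nf_register_hook(&mytunnel_ops_2);
	if (err < 0) {
		printk(KERN_ERR "register tunnel hook 2 failed: %d\n", err);
		return err;
	}

	err = nf_register_hook(&mytunnel_ops_4);
	if (err < 0) {
		/* Undo the first registration before reporting failure. */
		nf_unregister_hook(&mytunnel_ops_2);
		printk(KERN_ERR "register tunnel hook 4 failed: %d\n", err);
		return err;
	}

	printk("<1>regidter tunnel ok\n");
	return 0;
}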
/*
 * cleanup_module - module unload entry point.
 *
 * Detaches the two hooks that init_module() registers, mytunnel_ops_2 and
 * mytunnel_ops_4, in the order they were attached. The descriptors for
 * hooks 1, 3 and 5 are never registered, so they are left alone here.
 */
void cleanup_module()
{
	nf_unregister_hook(&mytunnel_ops_2);
	nf_unregister_hook(&mytunnel_ops_4);

	printk("<1>unregidter tunnel ok\n");
}
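/* Define __KERNEL__ and MODULE only when the build has not already done so. */
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif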
#include<linux/module.h>
#include<linux/kernel.h>
#include<linux/netfilter.h>
#include<linux/netfilter_ipv4.h>
#include<linux/netfilter_ipv6.h>
//#include<linux/ip.h>
#include<linux/tcp.h>
#include<linux/skbuff.h>
#include<linux/in.h>//for IPPROTO_TCP IP ICMP
#include<linux/if_ether.h>//for ETH_P_IP ETH_P_ARP
#include<linux/types.h>
#include<linux/netdevice.h>
#include<net/ip.h>
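#include<net/ipip.h>

/*
 * One nf_hook_ops descriptor per IPv4 hook point. init_module() fills in all
 * five. (The declaration of mytunnel_ops used to share a line with the
 * #include above, where the preprocessor treats it as stray tokens of the
 * directive and the variable is never declared.)
 */
static struct nf_hook_ops mytunnel_ops;
static struct nf_hook_ops mytunnel_ops_2;
static struct nf_hook_ops mytunnel_ops_3;
static struct nf_hook_ops mytunnel_ops_4;
static struct nf_hook_ops mytunnel_ops_5;

/*
 * File-scope scratch pointers for packets and headers.
 * NOTE(review): these are single shared variables, while netfilter hooks can
 * run on several CPUs at the same time. Per-packet state kept here can be
 * overwritten mid-use and keeps pointing at a packet after the hook has
 * returned, so hooks should prefer locals. sock_skb1, tcph and eth are only
 * referenced from disabled code in this listing, or not at all.
 */
struct sk_buff *sock_skb;
struct sk_buff *sock_skb1;
struct sk_buff *sock_skb2;
struct sk_buff *sock_skb3;
struct sk_buff *sock_skb4;
struct sk_buff *sock_skb5;
struct tcphdr *tcph;
struct iphdr *iph;
struct ethhdr *eth;

/*
 * Match values stored as raw bytes in wire (network) order.
 *   destport  = 0x16e2 (5858), nottruedp = 0x16e3 (5859); truedp is the
 *               byte-swapped form of nottruedp. All three are only used by
 *               disabled code in this listing.
 *   daddr     = 10.30.84.106
 *   saddr     = 192.168.1.1
 * The hooks read the addresses with *(unsigned int *)ptr.
 * NOTE(review): a string literal is not guaranteed to be 4-byte aligned and
 * the cast bypasses type checking; a 32-bit constant built with htonl()
 * would avoid both.
 */
unsigned char * destport="\x16\xe2";
unsigned char * nottruedp="\x16\xe3";
unsigned char * truedp="\xe3\x16";
unsigned char * daddr="\x0a\x1e\x54\x6A";
unsigned char* saddr="\xC0\xA8\x1\x1";

/* Only referenced from disabled code in this listing. */
int i,j;
int max_headroom;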
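/*
 * my_hook - logging-only IPv4 hook.
 *
 * init_module() sets this up for NF_IP_PRE_ROUTING but leaves its
 * registration commented out. For every packet whose destination address
 * equals the four bytes at saddr it prints source, destination and protocol.
 * The packet is never modified and the verdict is always NF_ACCEPT.
 *
 * The original also carried several disabled experiments (relabelling
 * protocol 41 as 6, re-sending a copy through dev_queue_xmit(), and pushing
 * a new outer IP header); they were commented out and are not reproduced.
 *
 * NOTE(review): the printk fires for every matching packet with no rate
 * limit, so a busy flow can flood the kernel log. Addresses are printed as
 * raw 32-bit values in network byte order.
 */
unsigned int my_hook(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/*
	 * Locals instead of the file-scope sock_skb/iph: the hook may run on
	 * several CPUs at once, and a shared pointer could be overwritten by
	 * another packet between the check and the use.
	 */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;

	/* saddr holds the address bytes in wire order, same as ip->daddr. */
	if (ip->daddr == *(unsigned int *)saddr)
		printk("sip=%u,dip=%u,protocol=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}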
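/*
 * my_hook_2 - relabel inbound TCP as protocol 41 (registered by
 * init_module() on NF_IP_LOCAL_IN).
 *
 * For packets whose destination equals the four bytes at saddr, logs the
 * header and, when the IP protocol field is TCP (6), rewrites it to
 * IPPROTO_IPV6 (41) and recomputes the IP header checksum. Always returns
 * NF_ACCEPT.
 *
 * NOTE(review): the header is edited in place without first making sure the
 * skb is not shared or cloned, so another holder of the same buffer would
 * see the rewritten field. Everything that handles the packet after this
 * hook sees a protocol number that differs from what arrived on the wire;
 * keep that in mind when reading logs or writing filter rules.
 * NOTE(review): the printk is not rate limited.
 */
unsigned int my_hook_2(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/* Local state only; the hook can run concurrently on several CPUs. */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr != *(unsigned int *)saddr)
		return NF_ACCEPT;

	printk("sip2=%u,dip2=%u,protocol2=%u\n", ip->saddr, ip->daddr, ip->protocol);

	if (ip->protocol == IPPROTO_TCP) {
		ip->protocol = IPPROTO_IPV6;
		/* The protocol byte is covered by the IP header checksum. */
		ip_send_check(ip);
	}

	return NF_ACCEPT;
}

/*
 * my_hook_3 - logging-only hook (set up for NF_IP_FORWARD in init_module(),
 * registration commented out there).
 *
 * Prints source, destination and protocol of packets whose destination
 * equals the four bytes at daddr. Never modifies the packet; always returns
 * NF_ACCEPT.
 */
unsigned int my_hook_3(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr == *(unsigned int *)daddr)
		printk("sip3=%u,dip3=%u,protocol3=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}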
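/*
 * my_hook_4 - relabel outbound protocol 41 as TCP (registered by
 * init_module() on NF_IP_POST_ROUTING).
 *
 * For packets whose destination equals the four bytes at daddr, logs the
 * header and, when the IP protocol field is IPPROTO_IPV6 (41), rewrites it
 * to TCP (6) and recomputes the IP header checksum. Always returns
 * NF_ACCEPT.
 *
 * NOTE(review): only the protocol byte and the IP header checksum change;
 * the payload is not inspected, so what leaves the host is labelled TCP
 * whether or not it is a well-formed TCP segment. The header is also edited
 * in place without checking that the skb is unshared. The printk is not
 * rate limited.
 */
unsigned int my_hook_4(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	/* Local state only; the hook can run concurrently on several CPUs. */
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->daddr != *(unsigned int *)daddr)
		return NF_ACCEPT;

	printk("sip4=%u,dip4=%u,protocol4=%u\n", ip->saddr, ip->daddr, ip->protocol);

	if (ip->protocol == IPPROTO_IPV6) {
		ip->protocol = IPPROTO_TCP;
		/* The protocol byte is covered by the IP header checksum. */
		ip_send_check(ip);
	}

	return NF_ACCEPT;
}

/*
 * my_hook_5 - logging-only hook (set up for NF_IP_LOCAL_OUT in
 * init_module(), registration commented out there).
 *
 * Prints source, destination and protocol of packets whose source address
 * equals the four bytes at saddr. Never modifies the packet; always returns
 * NF_ACCEPT.
 */
unsigned int my_hook_5(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct sk_buff *pkt = *skb;
	struct iphdr *ip;

	if (!pkt || !pkt->nh.iph)
		return NF_ACCEPT;

	ip = pkt->nh.iph;
	if (ip->saddr == *(unsigned int *)saddr)
		printk("sip5=%u,dip5=%u,protocol5=%u\n", ip->saddr, ip->daddr, ip->protocol);

	return NF_ACCEPT;
}

MODULE_LICENSE("GPL");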
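/*
 * init_module - module load entry point.
 *
 * Fills in all five hook descriptors, then registers only mytunnel_ops_2
 * (NF_IP_LOCAL_IN) and mytunnel_ops_4 (NF_IP_POST_ROUTING); the other three
 * stay unregistered, as in the original listing. The priorities are
 * NF_IP_PRI_FILTER+2 .. +6, so each hook runs after the filter-table hook at
 * the same hook point.
 *
 * Returns 0 on success, or the error from nf_register_hook(). On failure no
 * hook is left registered: a hook that stays attached after the module fails
 * to load would point at code that is no longer there.
 */
int init_module()
{
	int err;

	mytunnel_ops.hook = my_hook;
	mytunnel_ops.pf = PF_INET;
	mytunnel_ops.hooknum = NF_IP_PRE_ROUTING;
	mytunnel_ops.priority = NF_IP_PRI_FILTER + 2;

	mytunnel_ops_2.hook = my_hook_2;
	mytunnel_ops_2.pf = PF_INET;
	mytunnel_ops_2.hooknum = NF_IP_LOCAL_IN;
	mytunnel_ops_2.priority = NF_IP_PRI_FILTER + 3;

	mytunnel_ops_3.hook = my_hook_3;
	mytunnel_ops_3.pf = PF_INET;
	mytunnel_ops_3.hooknum = NF_IP_FORWARD;
	mytunnel_ops_3.priority = NF_IP_PRI_FILTER + 4;

	mytunnel_ops_4.hook = my_hook_4;
	mytunnel_ops_4.pf = PF_INET;
	mytunnel_ops_4.hooknum = NF_IP_POST_ROUTING;
	mytunnel_ops_4.priority = NF_IP_PRI_FILTER + 5;

	mytunnel_ops_5.hook = my_hook_5;
	mytunnel_ops_5.pf = PF_INET;
	mytunnel_ops_5.hooknum = NF_IP_LOCAL_OUT;
	mytunnel_ops_5.priority = NF_IP_PRI_FILTER + 6;

	err = nf_register_hook(&mytunnel_ops_2);
	if (err < 0) {
		printk(KERN_ERR "register tunnel hook 2 failed: %d\n", err);
		return err;
	}

	err = nf_register_hook(&mytunnel_ops_4);
	if (err < 0) {
		/* Undo the first registration before reporting failure. */
		nf_unregister_hook(&mytunnel_ops_2);
		printk(KERN_ERR "register tunnel hook 4 failed: %d\n", err);
		return err;
	}

	printk("<1>regidter tunnel ok\n");
	return 0;
}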
/*
 * cleanup_module - module unload entry point.
 *
 * Detaches the two hooks that init_module() registers, mytunnel_ops_2 and
 * mytunnel_ops_4, in the order they were attached. The descriptors for
 * hooks 1, 3 and 5 are never registered, so they are left alone here.
 */
void cleanup_module()
{
	nf_unregister_hook(&mytunnel_ops_2);
	nf_unregister_hook(&mytunnel_ops_4);

	printk("<1>unregidter tunnel ok\n");
}