original in en Nicolas Bouliane
en to zh ����
/* Include file for additions: new matches and targets. */ struct iptables_match { struct iptables_match *next; ipt_chainlabel name; const char *version; /* Size of match data. */ size_t size; /* Size of match data relevent for userspace comparison purposes */ size_t userspacesize; /* Function which prints out usage message. */ void (*help)(void); /* Initialize the match. */ void (*init)(struct ipt_entry_match *m, unsigned int *nfcache); /* Function which parses command options; returns true if it ate an option */ int (*parse)(int c, char **argv, int invert, unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match); /* Final check; exit if not ok. */ void (*final_check)(unsigned int flags); /* Prints out the match iff non-NULL: put space at end */ void (*print)(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric); /* Saves the match info in parsable form to stdout. */ void (*save)(const struct ipt_ip *ip, const struct ipt_entry_match *match); /* Pointer to list of extra command-line options */ const struct option *extra_opts; /* Ignore these men behind the curtain: */ unsigned int option_offset; struct ipt_entry_match *m; unsigned int mflags; #ifdef NO_SHARED_LIBS unsigned int loaded; /* simulate loading so options are merged properly */ #endif }; |
static struct iptables_match ipaddr = {'Name' ����ĺ�������ļ�����Ҳ���� libipt_ipaddr����
.name = "ipaddr",��һ���ֶ� 'version' �� iptables �İ汾������������ֶζ������ڱ����û�̬����ͺ���̬�����ṹ�Ĵ�Сһ���Եġ�
.version = IPTABLES_VERSION, .size = IPT_ALIGN(sizeof(struct ipt_ipaddr_info)), .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipaddr_info)),'Help' ���û����� 'iptables -m module -h' ��ʱ��Ҫ���õĺ�����'Parse' ���û�����һ���¹����ʱ����õģ�������֤�����ĺϷ��ԡ�'print' ����ʹ�� 'iptables -L' ��ʱ����ʾǰ�����ӵĹ���ġ�
.help = &help, .init = &init, .parse = &parse, .final_check = &final_check, .print = &print, .save = &save, .extra_opts = opts };iptables �ܹ��ܹ�֧�ֶ�������⡣ÿ�����������ʹ�� <iptables/iptables.c> �ж���� 'register_match()' �� iptables ע�ᡣ�����������ģ�鱻 iptables ���ص�ʱ����á� ������Ϣ��ο�:'man dlopen'��
void _init(void) { register_match(&ipaddr); }
static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) { const struct ipt_ipaddr_info *info = (const struct ipt_ipaddr_info *)match->data;���Դ��ַ�ǹ����һ���ֵĻ�����ӡ����
if (info->flags & IPADDR_SRC) { if (info->flags & IPADDR_SRC_INV) printf("! "); printf("--ipsrc "); print_ipaddr((u_int32_t *)&info->ipaddr.src); }���Ŀ�ĵ�ַ�ǹ����һ���ֵĻ��ʹ�ӡĿ�ĵ�ַ��
if (info->flags & IPADDR_DST) { if (info->flags & IPADDR_DST_INV) printf("! "); printf("--ipdst "); print_ipaddr((u_int32_t *)&info->ipaddr.dst); } }
static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric) { const struct ipt_ipaddr_info *info = (const struct ipt_ipaddr_info *)match->data; if (info->flags & IPADDR_SRC) { printf("src IP "); if (info->flags & IPADDR_SRC_INV) printf("! "); print_ipaddr((u_int32_t *)&info->ipaddr.src); } if (info->flags & IPADDR_DST) { printf("dst IP "); if (info->flags & IPADDR_DST_INV) printf("! "); print_ipaddr((u_int32_t *)&info->ipaddr.dst); } }
static void final_check(unsigned int flags) { if (!flags) exit_error(PARAMETER_PROBLEM, "ipt_ipaddr: Invalid parameters."); }
static int parse(int c, char **argv, int invert, unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match) {����ʹ������ṹ����������Ҫ���ݸ�����̬�������Ϣ��'match' ָ�뱻���ݸ�������������ǿ���ÿ��ʹ��ͬ�������ݽṹ��һ���������ˣ����ָ��ͱ����Ƶ��˺���̬�����ͨ�������ʽ���ں�ģ�����֪���û���Ҫ����ʲô������������Ĺؼ�������ô?����
struct ipt_ipaddr_info *info = (struct ipt_ipaddr_info *)(*match)->data;ÿ��������Ӧ��һ��������ֵ�����������ܸ��ݽ���IJ���������ȡ�����ж������������ǽ�����������ΰѲ��������ֵ��
switch(c) {���ȣ����Ǽ������Ƿ�ʹ���˶�Ρ����ʹ���˶�εĻ������� <iptables/iptables.c> �ж���� 'exit_error()' ������������������̴��� <iptables/include/iptables_common.h> �ж���� 'PARAMETER_PROBLEM' �Ĵ���״̬�Ƴ����������������ǵ�ͷ�ļ��ж���� 'IPADDR_SRC' ������ 'flags' �� 'info->flags'���Ժ����ǽ��������ͷ�ļ���
case '1': if (*flags & IPADDR_SRC) exit_error(PARAMETER_PROBLEM, "ipt_ipaddr: Only use --ipsrc once!"); *flags |= IPADDR_SRC; info->flags |= IPADDR_SRC;������ȡ����־ '!' �Ƿ���ڣ�����еĻ����� 'info->flags' ��д��Ӧ��ֵ��
if (invert) info->flags |= IPADDR_SRC_INV; parse_ipaddr(argv[optind-1], &info->ipaddr.src); break;ͬ�����ǣ����Ǽ���Ƿ���ڶ�����ã���ǡ���ı�־��
case '2': if (*flags & IPADDR_DST) exit_error(PARAMETER_PROBLEM, "ipt_ipaddr: Only use --ipdst once!"); *flags |= IPADDR_DST; info->flags |= IPADDR_DST; if (invert) info->flags |= IPADDR_DST_INV; parse_ipaddr(argv[optind-1], &info->ipaddr.dst); break; default: return 0; } return 1; }
static struct option opts[] = { { .name = "ipsrc", .has_arg = 1, .flag = 0, .val = '1' }, { .name = "ipdst", .has_arg = 1, .flag = 0, .val = '2' }, { .name = 0 } };
static void init(struct ipt_entry_match *m, unsigned int *nfcache) { /* Can't cache this */ *nfcache |= NFC_UNKNOWN; }
static void help(void) { printf ( "IPADDR v%s options:\n" "[!] --ipsrc\t\t The incoming ip addr matches.\n" "[!] --ipdst \t\t The outgoing ip addr matches.\n" "\n", IPTABLES_VERSION ); }
#ifndef _IPT_IPADDR_H #define _IPT_IPADDR_H�����Ѿ���������ʹ������Щ�ض���ֵ�ˡ�
#define IPADDR_SRC 0x01 /* Match source IP addr */ #define IPADDR_DST 0x02 /* Match destination IP addr */ #define IPADDR_SRC_INV 0x10 /* Negate the condition */ #define IPADDR_DST_INV 0x20 /* Negate the condition */�ṹ 'ipt_ipaddr_info' �ǽ�Ҫ������������̬������Ǹ����ݽṹ��
struct ipt_ipaddr { u_int32_t src, dst; }; struct ipt_ipaddr_info { struct ipt_ipaddr ipaddr; /* Flags from above */ u_int8_t flags; }; #endif
struct ipt_match { struct list_head list; const char name[IPT_FUNCTION_MAXNAMELEN]; /* Return true or false: return FALSE and set *hotdrop = 1 to force immediate packet drop. */ /* Arguments changed since 2.4, as this must now handle non-linear skbs, using skb_copy_bits and skb_ip_make_writable. */ int (*match)(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, int *hotdrop); /* Called when user tries to insert an entry of this type. */ /* Should return true or false. */ int (*checkentry)(const char *tablename, const struct ipt_ip *ip, void *matchinfo, unsigned int matchinfosize, unsigned int hook_mask); /* Called when entry of this type deleted. */ void (*destroy)(void *matchinfo, unsigned int matchinfosize); /* Set this to THIS_MODULE. */ struct module *me; };
����,���dz�ʼ�� 'ipt_match' ���ݽṹ�еij�����
static struct ipt_match ipaddr_match = {'name' �����ģ����ļ����ַ���(Ҳ����˵ ipt_ipaddr)��
.name = "ipaddr",������ֶ��ǿ�ܽ�Ҫʹ�õĻص�����.'match'�ǵ�һ�����������ģ���ʱ��Ҫ���õĺ���.
.match = match, .checkentry = checkentry, .me = THIS_MODULE, };����ں�ģ��� init ������Ҫͨ��ָ��һ�� 'struct ipt_match' ��ָ����� 'ipt_register_match()' ���� netfilter ���ע��.���������ģ�鱻���ص�ʱ�����.
static int __init init(void) { printk(KERN_INFO "ipt_ipaddr: init!\n"); return ipt_register_match(&ipaddr_match); }����ģ����ں����Ƴ���ʱ����������ᱻ����.�������ǽ��еĹ�����ע��ƥ������
static void __exit fini(void) { printk(KERN_INFO "ipt_ipaddr: exit!\n"); ipt_unregister_match(&ipaddr_match); }������������������ģ��װ����Ƴ���ʱ���á�
module_init(init); module_exit(fini);
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *hdr, u_int16_t datalen, int *hotdrop) {ϣ���㻹�����������û�̬������������Щʲô�� :)�����ڰ��û�̬�������������ݽṹӳ�䵽��������
const struct ipt_skeleton_info *info = matchinfo;'skb' ������������Ҫ�����İ�����Ҫ�õ���������� linux �� TCP/IP Э��ջ�е������ǹ���ǿ������ݽṹ����Ϣ�����Կ��� Harald Welte д��һ��ɫ������ article (ftp://ftp.gnumonks.org/pub/doc/skb-doc.html) ��
struct iphdr *iph = skb->nh.iph;������Ǿ��Ǵ�ӡһЩ��Ȥ�Ķ������������dz���ʲô���ӡ��� 'NIPQUAD' �����Կɶ��ķ�ʽ��ʾһ�� IP ��ַ�������� <linux/include/linux/kernel.h> �ж���ġ�
printk(KERN_INFO "ipt_ipaddr: IN=%s OUT=%s TOS=0x%02X " "TTL=%x SRC=%u.%u.%u.%u DST=%u.%u.%u.%u " "ID=%u IPSRC=%u.%u.%u.%u IPDST=%u.%u.%u.%u\n", in ? (char *)in : "", out ? (char *)out : "", iph->tos, iph->ttl, NIPQUAD(iph->saddr), NIPQUAD(iph->daddr), ntohs(iph->id), NIPQUAD(info->ipaddr.src), NIPQUAD(info->ipaddr.dst) );��������� '--ipsrc' ���������Dz쿴Դ��ַ�Ƿ����ָ���ĵ�ַ��ƥ�䡣�����˿��Ƿ���־ '!'�����û��ƥ�䣬���Ƿ��� 0.
if (info->flags & IPADDR_SRC) { if ( (ntohl(iph->saddr) != ntohl(info->ipaddr.src)) ^ !!(info->flags & IPADDR_SRC_INV) ) { printk(KERN_NOTICE "src IP %u.%u.%u.%u is not matching %s.\n", NIPQUAD(info->ipaddr.src), info->flags & IPADDR_SRC_INV ? " (INV)" : ""); return 0; } }������ǽ�����ȫ��ͬ�Ĺ�����ֻ�Dz쿴 '--ipdst' ������
if (info->flags & IPADDR_DST) { if ( (ntohl(iph->daddr) != ntohl(info->ipaddr.dst)) ^ !!(info->flags & IPADDR_DST_INV) ) { printk(KERN_NOTICE "dst IP %u.%u.%u.%u is not matching%s.\n", NIPQUAD(info->ipaddr.dst), info->flags & IPADDR_DST_INV ? " (INV)" : ""); return 0; } }��������ɹ������� 1����������ƥ�����������
return 1; }
static int checkentry(const char *tablename, const struct ipt_ip *ip, void *matchinfo, unsigned int matchsize, unsigned int hook_mask) { const struct ipt_skeleton_info *info = matchinfo; if (matchsize != IPT_ALIGN(sizeof(struct ipt_skeleton_info))) { printk(KERN_ERR "ipt_skeleton: matchsize differ, you may have forgotten to recompile me.\n"); return 0; } printk(KERN_INFO "ipt_skeleton: Registered in the %s table, hook=%x, proto=%u\n", tablename, hook_mask, ip->proto); return 1; }
PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit ipaddr mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
# The simple matches. dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES dep_tristate ' ipaddr match support' CONFIG_IP_NF_MATCH_IPADDR $CONFIG_IP_NF_IPTABLESȻ�༭ <linux/Documentation/Configure.help> ������ص��С��Ҹ�����һЩ�ı����������ҵ�Ҫ�������ݵĵط���
limit match support CONFIG_IP_NF_MATCH_LIMIT limit matching allows you to control the rate at which a rule can be ... ipaddr match support CONFIG_IP_NF_MATCH_IPADDR ipaddr matching. etc etc.��������Ѽ��ص��м��뵽 <linux/net/ipv4/netfilter/Makefile> ֮�С�
# matches obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o obj-$(CONFIG_IP_NF_MATCH_IPADDR) += ipt_ipaddr.oNow for 2.6, files to edit are <linux/net/ipv4/netfilter/Kconfig> and <linux/net/ipv4/netfilter/Makefile>. �� 2.6 �ںˣ��༭���ļ�Ӧ���� <linux/net/ipv4/netfilter/Kconfig>�� <linux/net/ipv4/netfilter/Makefile>��