linux防火墙实现技术比较

核心提示： __u16 fw_outputsize; /* Max amount to output toNETLINK */char fw_vianame[IFNAMSIZ]; /* name of interface "via" */__u8 fw_tosand, fw_tos

__u16 fw_outputsize; /* Max amount to output to

NETLINK */

char fw_vianame[IFNAMSIZ]; /* name of interface "via" */

__u8 fw_tosand, fw_tosxor; /* Revised packet priority */

};

2.2内核中网络包与规则的实际匹配在ip_fw_check中进行。

4.2 iptables

一条规则分为三部分：

struct ipt_entry file://主要用来匹配IP头

struct ip_match file://额外的匹配（tcp头，mac地址等）

struct ip_target file://除缺省的动作外（如ACCEPT，DROP），可以增加新的（如REJECT）。

man iptable:

>A firewall rule specifies criteria for a packet, and a

>target. If the packet does not match, the next rule in

>the chain is the examined; if it does match, then the next

>rule is specified by the value of the target, which can be

>the name of a user-defined chain, or one of the special

>values ACCEPT, DROP, QUEUE, or RETURN.

2.4内核中网络包与规则的实际匹配在ip_do_table中进行。这段代码的流程在

netfilter hacking howto 4.1.3描述的非常清楚。

简化代码如下：

/* Returns one of the generic firewall policies, like NF_ACCEPT. */

unsigned int

ipt_do_table(struct sk_buff **pskb,

unsigned int hook,

const struct net_device *in,

const struct net_device *out,

struct ipt_table *table,

void *userdata)

{

struct ipt_entry *e;

struct ipt_entry_target *t;