static int __init rawpost4_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost4_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
#else
ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
if (ret < 0)
return ret;
rawpost4_ptable = &rawpost4_itable;
#endif
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ipt_unregister_table(rawpost4_ptable);
return ret;
}
static int __init iptable_filter_init(void)
{
int ret;
if (forward < 0 || forward > NF_MAX_VERDICT) {
printk("iptables forward must be 0 or 1\n");
return -EINVAL;
}
/* Entry 1 is the FORWARD hook */
initial_table.entries[1].target.verdict = -forward - 1;
/* Register table */
ret = ipt_register_table(&packet_filter, &initial_table.repl);
if (ret < 0)
return ret;
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
goto cleanup_table;
return ret;
cleanup_table:
ipt_unregister_table(&packet_filter);
return ret;
}
static int __init init(void)
{
int ret;
/* Register table */
ret = ipt_register_table(&packet_raw, &initial_table.repl);
if (ret < 0)
return ret;
/* Register hooks */
ret = nf_register_hook(&ipt_ops[0]);
if (ret < 0)
goto cleanup_table;
ret = nf_register_hook(&ipt_ops[1]);
if (ret < 0)
goto cleanup_hook0;
return ret;
cleanup_hook0:
nf_unregister_hook(&ipt_ops[0]);
cleanup_table:
ipt_unregister_table(&packet_raw);
return ret;
}
int __init nf_nat_rule_init(void)
{
int ret;
nat_table = ipt_register_table(&init_net, &__nat_table,
&nat_initial_table.repl);
if (IS_ERR(nat_table))
return PTR_ERR(nat_table);
ret = xt_register_target(&ipt_snat_reg);
if (ret != 0)
goto unregister_table;
ret = xt_register_target(&ipt_dnat_reg);
if (ret != 0)
goto unregister_snat;
return ret;
unregister_snat:
xt_unregister_target(&ipt_snat_reg);
unregister_table:
ipt_unregister_table(nat_table);
return ret;
}
static int __net_init nf_nat_rule_net_init(struct net *net)
{
net->ipv4.nat_table = ipt_register_table(net, &nat_table,
&nat_initial_table.repl);
if (IS_ERR(net->ipv4.nat_table))
return PTR_ERR(net->ipv4.nat_table);
return 0;
}
static int __net_init iptable_mangle_net_init(struct net *net)
{
net->ipv4.iptable_mangle =
ipt_register_table(net, &packet_mangler, &initial_table.repl);
if (IS_ERR(net->ipv4.iptable_mangle))
return PTR_ERR(net->ipv4.iptable_mangle);
return 0;
}
static int __net_init iptable_raw_net_init(struct net *net)
{
/* Register table */
net->ipv4.iptable_raw =
ipt_register_table(net, &packet_raw, &initial_table.repl);
if (IS_ERR(net->ipv4.iptable_raw))
return PTR_ERR(net->ipv4.iptable_raw);
return 0;
}
static int __net_init iptable_security_net_init(struct net *net)
{
net->ipv4.iptable_security =
ipt_register_table(net, &security_table, &initial_table.repl);
if (IS_ERR(net->ipv4.iptable_security))
return PTR_ERR(net->ipv4.iptable_security);
return 0;
}
static int __net_init iptable_nat_net_init(struct net *net)
{
struct ipt_replace *repl;
repl = ipt_alloc_initial_table(&nf_nat_ipv4_table);
if (repl == NULL)
return -ENOMEM;
net->ipv4.nat_table = ipt_register_table(net, &nf_nat_ipv4_table, repl);
kfree(repl);
return PTR_RET(net->ipv4.nat_table);
}
static int __net_init iptable_security_net_init(struct net *net)
{
struct ipt_replace *repl;
repl = ipt_alloc_initial_table(&security_table);
if (repl == NULL)
return -ENOMEM;
net->ipv4.iptable_security =
ipt_register_table(net, &security_table, repl);
kfree(repl);
return PTR_RET(net->ipv4.iptable_security);
}
static int __net_init iptable_mangle_net_init(struct net *net)
{
struct ipt_replace *repl;
repl = ipt_alloc_initial_table(&packet_mangler);
if (repl == NULL)
return -ENOMEM;
net->ipv4.iptable_mangle =
ipt_register_table(net, &packet_mangler, repl);
kfree(repl);
return PTR_RET(net->ipv4.iptable_mangle);
}
static int __net_init iptable_raw_net_init(struct net *net)
{
struct ipt_replace *repl;
repl = ipt_alloc_initial_table(&packet_raw);
if (repl == NULL)
return -ENOMEM;
net->ipv4.iptable_raw =
ipt_register_table(net, &packet_raw, repl);
kfree(repl);
return PTR_ERR_OR_ZERO(net->ipv4.iptable_raw);
}
static int __net_init iptable_filter_net_init(struct net *net)
{
if (!net_ipt_permitted(net, VE_IP_FILTER))
return 0;
/* Register table */
net->ipv4.iptable_filter =
ipt_register_table(net, &packet_filter, &initial_table.repl);
if (IS_ERR(net->ipv4.iptable_filter))
return PTR_ERR(net->ipv4.iptable_filter);
net_ipt_module_set(net, VE_IP_FILTER);
return 0;
}
static int __net_init nf_nat_rule_net_init(struct net *net)
{
if (!net_ipt_permitted(net, VE_IP_IPTABLE_NAT))
return 0;
net->ipv4.nat_table = ipt_register_table(net, &nat_table,
&nat_initial_table.repl);
if (IS_ERR(net->ipv4.nat_table))
return PTR_ERR(net->ipv4.nat_table);
net_ipt_module_set(net, VE_IP_IPTABLE_NAT);
return 0;
}
static int __net_init iptable_security_table_init(struct net *net)
{
struct ipt_replace *repl;
int ret;
if (net->ipv4.iptable_security)
return 0;
repl = ipt_alloc_initial_table(&security_table);
if (repl == NULL)
return -ENOMEM;
ret = ipt_register_table(net, &security_table, repl, sectbl_ops,
&net->ipv4.iptable_security);
kfree(repl);
return ret;
}
static int __net_init iptable_mangle_table_init(struct net *net)
{
struct ipt_replace *repl;
int ret;
if (net->ipv4.iptable_mangle)
return 0;
repl = ipt_alloc_initial_table(&packet_mangler);
if (repl == NULL)
return -ENOMEM;
ret = ipt_register_table(net, &packet_mangler, repl, mangle_ops,
&net->ipv4.iptable_mangle);
kfree(repl);
return ret;
}
static int __net_init iptable_filter_net_init(struct net *net)
{
/* Register table */
// 注册过滤表。Netfilter在内核中为防火墙系统维护了一个结构体,该结构体中存储的是内核中
// 当前可用的所有match、target和table,它们都是以双向链表的形式被组织起来的。
// 这个全局的结构体变量是static struct xt_af *xt
// ipt_register_table所做的事情就是从模板initial_table变量的repl成员里取出初始化数据,
// 然后申请一块内存并用repl里的值来初始化它,之后,将这块内存的首地址赋给packet filter表
// 的private成员,最后将packet filter挂载到xt[2].tables的双向链表中
net->ipv4.iptable_filter =
ipt_register_table(net, &packet_filter, &initial_table.repl);
if (IS_ERR(net->ipv4.iptable_filter))
return PTR_ERR(net->ipv4.iptable_filter);
return 0;
}
static int __net_init iptable_filter_net_init(struct net *net)
{
struct ipt_replace *repl;
repl = ipt_alloc_initial_table(&packet_filter);
if (repl == NULL)
return -ENOMEM;
/* Entry 1 is the FORWARD hook */
((struct ipt_standard *)repl->entries)[1].target.verdict =
forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
net->ipv4.iptable_filter =
ipt_register_table(net, &packet_filter, repl);
kfree(repl);
return PTR_RET(net->ipv4.iptable_filter);
}
static int __init iptable_raw_init(void)
{
int ret;
/* Register table */
ret = ipt_register_table(&packet_raw, &initial_table.repl);
if (ret < 0)
return ret;
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0) {
ipt_unregister_table(&packet_raw);
}
return ret;
}
static int __init iptable_mangle_init(void)
{
int ret;
/* Register table */
ret = ipt_register_table(&packet_mangler, &initial_table.repl);
if (ret < 0)
return ret;
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
goto cleanup_table;
return ret;
cleanup_table:
ipt_unregister_table(&packet_mangler);
return ret;
}
int __init nf_nat_rule_init(void)
{
int ret;
ret = ipt_register_table(&nat_table, &nat_initial_table.repl);
if (ret != 0)
return ret;
ret = xt_register_target(&ipt_snat_reg);
if (ret != 0)
goto unregister_table;
ret = xt_register_target(&ipt_dnat_reg);
if (ret != 0)
goto unregister_snat;
return ret;
unregister_snat:
xt_unregister_target(&ipt_snat_reg);
unregister_table:
ipt_unregister_table(&nat_table);
return ret;
}
