Yd Ahhrk

Reputation: 1138

What is the correct way to define a Netfilter hook function?

I'm coding a kernel module (more specifically, a Netfilter module) for Linux. I'm trying to make it compatible with a wide range of kernels, but the entry function is giving me trouble.

From LXR, I can see that the nf_hookfn typedef changed in kernel 3.13.

Linux 3.12 and before:

typedef unsigned int nf_hookfn(unsigned int hooknum, (...));

3.13 onwards:

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, (...));

However, we have a Red Hat machine claiming to be using kernel 3.10.0-123.4.4.el7.x86_64, yet its netlink.h reads

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, (...));

as if it were 3.13+ code.

It's causing warnings on my module because it completely trainwrecks my attempt to define the function differently based on kernel version:

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)
#define HOOK_ARG_TYPE const struct nf_hook_ops *
#else
#define HOOK_ARG_TYPE unsigned int
#endif

What piece of documentation did I miss? Nothing ever suggested to me that kernel API depends on BOTH kernel version AND distro, and it makes no sense.

And more to the point, how can I fix this? nf_hookfn is a typedef, not a macro, so I can't just drop it on my function definition. One thing that might make things easier is that I never use that one argument.

Surely I'm not the first person ever experiencing this? I mean nf_hookfn is the entry point for any Netfilter module; you'd think they broke thousands of drivers by changing it.

Upvotes: 3

Views: 3533

Answers (2)

Yd Ahhrk

Reputation: 1138

In the end I just made an entire module dedicated to this:

/**
 * The kernel API is far from static. In particular, the Netfilter packet entry
 * function keeps changing. nf_hook.c, the file where we declare our packet
 * entry function, has been quite difficult to read for a while now. It's pretty
 * amusing, because we don't even use any of the noisy arguments.
 *
 * This file declares a usable function header that abstracts away all those
 * useless arguments.
 */

#include <linux/version.h>

/* If this is a Red Hat-based kernel (Red Hat, CentOS, Fedora, etc)... */
#ifdef RHEL_RELEASE_CODE

#if RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(7, 2)
#define NF_CALLBACK(name, skb) unsigned int name( \
        const struct nf_hook_ops *ops, \
        struct sk_buff *skb, \
        const struct net_device *in, \
        const struct net_device *out, \
        const struct nf_hook_state *state)

#elif RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(7, 0)
#define NF_CALLBACK(name, skb) unsigned int name( \
        const struct nf_hook_ops *ops, \
        struct sk_buff *skb, \
        const struct net_device *in, \
        const struct net_device *out, \
        int (*okfn)(struct sk_buff *))

#else

/*
 * Sorry, I don't have headers for RHEL 6 and below because I'm in a bit of a
 * deadline right now.
 * If this is causing you trouble, find `nf_hookfn` in your kernel headers
 * (typically in include/linux/netfilter.h) and add your version of the
 * NF_CALLBACK macro here.
 * Also, kernel headers per version can be found here: http://vault.centos.org/
 */
#error "Sorry; this version of RHEL is not supported because it's kind of old."

#endif /* RHEL_RELEASE_CODE >= x */


/* If this is NOT a Red Hat-based kernel (Ubuntu, Debian, SuSE, etc)... */
#else

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
#define NF_CALLBACK(name, skb) unsigned int name( \
        void *priv, \
        struct sk_buff *skb, \
        const struct nf_hook_state *state)

#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
#define NF_CALLBACK(name, skb) unsigned int name( \
        const struct nf_hook_ops *ops, \
        struct sk_buff *skb, \
        const struct nf_hook_state *state)

#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)
#define NF_CALLBACK(name, skb) unsigned int name( \
        const struct nf_hook_ops *ops, \
        struct sk_buff *skb, \
        const struct net_device *in, \
        const struct net_device *out, \
        int (*okfn)(struct sk_buff *))

#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 0, 0)
#define NF_CALLBACK(name, skb) unsigned int name( \
        unsigned int hooknum, \
        struct sk_buff *skb, \
        const struct net_device *in, \
        const struct net_device *out, \
        int (*okfn)(struct sk_buff *))

#else
#error "Linux < 3.0 isn't supported at all."

#endif /* LINUX_VERSION_CODE > n */

#endif /* RHEL or not RHEL */

So instead of this:

static unsigned int function_name((...), struct sk_buff *skb, (...))
{
    return do_something_with_skb(skb);
}

Do this:

static NF_CALLBACK(function_name, skb)
{
    return do_something_with_skb(skb);
}

Upvotes: 3
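The following is an added example, not code from the question or the answer above. It models the NF_CALLBACK selection from the accepted answer (and the version-conditional define the question tried) in plain user-space C, and adds one check the thread does not show: the hook is first declared through the kernel's own `nf_hookfn` typedef (`static nf_hookfn drop_oversized;`), so if the macro expands to a parameter list that does not match what the running kernel expects, the compiler reports conflicting types instead of the kernel calling a function whose arguments are in the wrong places (in a real module that mismatch is a memory-safety bug, not just a warning). Everything below is constructed for the demo: `KERNEL_VERSION`, the three `nf_hookfn` typedefs, the struct layouts, and the verdict values stand in for `<linux/version.h>` and `<linux/netfilter.h>`, and `LINUX_VERSION_CODE` is assumed to be 4.4.0 unless overridden with `-DLINUX_VERSION_CODE=...` to exercise the other branches.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for <linux/version.h>. */
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#ifndef LINUX_VERSION_CODE
#define LINUX_VERSION_CODE KERNEL_VERSION(4, 4, 0) /* assumed target kernel */
#endif

/* Constructed stand-ins for the <linux/netfilter.h> types and verdicts. */
#define NF_DROP   0
#define NF_ACCEPT 1
struct sk_buff       { unsigned int len; };
struct net_device    { int ifindex; };
struct nf_hook_ops   { int hooknum; };
struct nf_hook_state { int hook; };

/* The nf_hookfn typedef the modelled kernel version would ship, next to the
 * NF_CALLBACK variant the answer's approach selects for it. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
typedef unsigned int nf_hookfn(void *priv, struct sk_buff *skb,
                               const struct nf_hook_state *state);
#define NF_CALLBACK(name, skb) unsigned int name( \
        void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)
typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
#define NF_CALLBACK(name, skb) unsigned int name( \
        const struct nf_hook_ops *ops, struct sk_buff *skb, \
        const struct net_device *in, const struct net_device *out, \
        int (*okfn)(struct sk_buff *))
#else
typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff *skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
#define NF_CALLBACK(name, skb) unsigned int name( \
        unsigned int hooknum, struct sk_buff *skb, \
        const struct net_device *in, const struct net_device *out, \
        int (*okfn)(struct sk_buff *))
#endif

/* Declaring the hook through the typedef makes the compiler compare the
 * NF_CALLBACK definition below against the kernel's prototype: a mismatch is
 * a "conflicting types" build error rather than a crash at packet time. */
static nf_hookfn drop_oversized;

/* The hook body only touches skb, which is why the remaining parameters can
 * be hidden behind the macro (constructed policy: drop frames over 1500). */
static NF_CALLBACK(drop_oversized, skb)
{
    if (skb->len > 1500)
        return NF_DROP;
    return NF_ACCEPT;
}

/* Calls the hook the way the modelled kernel version would and returns its
 * verdict. Assigning to an nf_hookfn pointer is a second type check. */
unsigned int run_hook(struct sk_buff *skb)
{
    nf_hookfn *fn = drop_oversized;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
    struct nf_hook_state state = { 0 };
    return fn(NULL, skb, &state);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)
    struct nf_hook_ops ops = { 0 };
    return fn(&ops, skb, NULL, NULL, NULL);
#else
    return fn(0u, skb, NULL, NULL, NULL);
#endif
}

/* Builds a constructed sk_buff of the given length and returns the verdict. */
unsigned int verdict_for_len(unsigned int len)
{
    struct sk_buff skb = { len };
    return run_hook(&skb);
}

int main(void)
{
    printf("len=100 -> %u, len=9000 -> %u (1 = NF_ACCEPT, 0 = NF_DROP)\n",
           verdict_for_len(100), verdict_for_len(9000));
    return 0;
}
```

In a real module the two constructed typedef/struct sections disappear and only the `static nf_hookfn drop_oversized;` declaration plus the `NF_CALLBACK` definition remain; the declaration costs nothing at runtime and turns the RHEL-versus-upstream surprise from the question into a build failure on the machine whose headers disagree with the macro.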

askb

Reputation: 6784

It's possible that you are using a .ko which is compiled for the newer version of the kernel. If the module is not being shipped as an RH, then you may need to work with the vendor to get this resolved.

Upvotes: 1
