Reputation: 125
Can multiple kernel modules use the same netfilter hook without affecting each other?
I'm developing a kernel module that will use netfilter hooks to mangle/filter packets in various ways, however in doing so I would like to avoid bypassing anything else using that hook (such as iptables), so that my module doesn't interfere with the regular operation of them. My research thus far hasn't yielded any information on how multiple services/modules accessing the same hook would interact.
Is this possible (perhaps it already happens automatically), and if so, can I set the order in which services/modules are triggered by the hook?
Upvotes: 1
Views: 839
Answers (1)
Reputation: 1267
As you know, the hooks are just places in the TCP/IP stack that you can insert some functions to do whatever with the skbs. Each function usually return one of the following (see include/uapi/linux/netfilter.h)
- NF_DROP ----- This is the end of this skb. Drop this skb and do not pass it to rest of hooks (and of course higher layers).
- NF_ACCEPT -- I am done with this skb, forward the skb to the next hook
- NF_STOLEN -- I hijacked this skb (the module queued the skb for later processing)
IPtables uses these hooks to implement the required firewall rules. You can of course exist with IPtables (and any other hooks), but if for some reason your function is called before IPtables hooks and returns NF_DROP, the skb will not be forwarded to IPtables. On the other hand, if you always return NF_ACCEPT, then IPtables and other hooks in the system will not be affected at all.
As for the order of the hooks, the following priorities are used when the netfilter system traverses the hooks (from include/uapi/linux/netfilter_ipv4.h):
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_CONNTRACK_DEFRAG = -400,
NF_IP_PRI_RAW = -300,
NF_IP_PRI_SELINUX_FIRST = -225,
NF_IP_PRI_CONNTRACK = -200,
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_SECURITY = 50,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_SELINUX_LAST = 225,
NF_IP_PRI_CONNTRACK_HELPER = 300,
NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
NF_IP_PRI_LAST = INT_MAX,};
This means that IPtables mangle table hooks will be executed before FILTER hooks. You can use any of these values or your own when you register with nf_register_hooks().
Upvotes: 3
Related Questions
- Netfilter hooks on multi-core system
- Capture all packages in kernel module with netfilter hooks after v4.13.x
- What is the correct way to define a Netfilter hook function?
- Packet Processing in NetFilter Hooks ?
- NetFilterHook: Displaly Interface Name
- Netfilter hook registration with networking sub system
- Linux module for modify packets(Netfilter)
- Netfiler hook not getting called
- Netfilter in Kernel Module causes my system to crash
- Some question about kernel object