Linux Kernel Architecture


Chapter 12: Networks


NPROTO specifies the maximum number of protocol families supported by the system (currently
34). Symbolic constants for the individual families are PF_INET and PF_DECnet; these are stored in
include/linux/socket.h. It is possible to define NF_MAX_HOOKS lists with hooks for each protocol; the
default is 8.

The list_head elements of the table are used as list heads for a doubly linked list that accepts
nf_hook_ops instances:

<netfilter.h>
struct nf_hook_ops
{
    struct list_head list;

    /* User fills in from here down. */
    nf_hookfn *hook;
    struct module *owner;
    int pf;
    int hooknum;
    /* Hooks are ordered in ascending priority. */
    int priority;
};

In addition to the standard elements (list for linking the structure in a doubly linked list, and owner as
a pointer to the module data structure of the owner module if the hook is implemented modularly), there
are other elements with the following meanings:

❑ hook is a pointer to the hook function that requires the same arguments as the NF_HOOK macro:
<netfilter.h>
typedef unsigned int nf_hookfn(unsigned int hooknum,
                               struct sk_buff **skb,
                               const struct net_device *in,
                               const struct net_device *out,
                               int (*okfn)(struct sk_buff *));
❑ pf and hooknum specify the protocol family and the number associated with the hook. This
information could also be derived from the position of the hook list in nf_hooks.
❑ The hooks in a list are sorted in ascending priority (indicated by priority). The full signed int
range can be used to indicate the priority, but a number of preferred defaults are defined:

<netfilter_ipv4.h>
enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST = INT_MIN,
    NF_IP_PRI_CONNTRACK_DEFRAG = -400,
    NF_IP_PRI_RAW = -300,
    NF_IP_PRI_SELINUX_FIRST = -225,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_NAT_DST = -100,
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_NAT_SRC = 100,
    NF_IP_PRI_SELINUX_LAST = 225,
    NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2,
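The ordering rule above (each nf_hooks[pf][hooknum] list is kept sorted by ascending priority, so conntrack runs before mangle, mangle before filter, and filter before source NAT) is what decides which hook sees a packet first. The following user-space model, an added example and not code from the book or the kernel, reproduces that insertion with a stand-in list_head, a trimmed nf_hook_ops, and an assumed PF_INET value of 2; it shows that registration order does not matter, only priority does, and that a bad pf or hooknum index must be rejected before it can address memory outside the table.

```c
#define NPROTO        34   /* protocol families supported, as stated on the page */
#define NF_MAX_HOOKS   8   /* hook lists per family */
#define PF_INET        2   /* assumed value, only used as a table index here */

/* Minimal stand-in for the kernel's struct list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
/* list must stay the first member so a list node can be cast back to its nf_hook_ops. */
struct nf_hook_ops { struct list_head list; int pf, hooknum, priority; };
static struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];

/* Insert reg into nf_hooks[pf][hooknum] keeping ascending priority, the order
 * nf_register_hook maintains (simplified: no locking, no hook function pointer). */
int nf_register_hook_sim(struct nf_hook_ops *reg)
{
    struct list_head *head, *pos;
    if (reg->pf < 0 || reg->pf >= NPROTO || reg->hooknum < 0 || reg->hooknum >= NF_MAX_HOOKS)
        return -1;                              /* would index outside the table */
    head = &nf_hooks[reg->pf][reg->hooknum];
    if (head->next == 0)                        /* lazily turn the head into an empty list */
        head->next = head->prev = head;
    for (pos = head->next; pos != head; pos = pos->next)
        if (reg->priority < ((struct nf_hook_ops *)pos)->priority)
            break;                              /* stop before the first higher priority */
    reg->list.next = pos; reg->list.prev = pos->prev;     /* link in before pos */
    pos->prev->next = &reg->list; pos->prev = &reg->list;
    return 0;
}

/* Copy the priorities of one hook list in traversal order; returns how many were copied. */
int nf_hook_priorities(int pf, int hooknum, int *out, int max)
{
    struct list_head *head = &nf_hooks[pf][hooknum], *pos;
    int n = 0;
    if (head->next == 0) return 0;              /* head never initialised: empty list */
    for (pos = head->next; pos != head && n < max; pos = pos->next)
        out[n++] = ((struct nf_hook_ops *)pos)->priority;
    return n;
}

/* Register four of the page's default priorities in scrambled order on PF_INET hook 1
 * and report 1 if traversal yields -200 (conntrack), -150 (mangle), 0 (filter), 100 (NAT_SRC). */
int demo_sorted_order(void)
{
    static struct nf_hook_ops ops[4] = { { {0}, PF_INET, 1, 0 }, { {0}, PF_INET, 1, -200 },
                                         { {0}, PF_INET, 1, 100 }, { {0}, PF_INET, 1, -150 } };
    int pr[4], i;
    for (i = 0; i < 4; i++) if (nf_register_hook_sim(&ops[i]) != 0) return 0;
    if (nf_hook_priorities(PF_INET, 1, pr, 4) != 4) return 0;
    return pr[0] == -200 && pr[1] == -150 && pr[2] == 0 && pr[3] == 100;
}
```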