linux学习笔记.docx

1、linux学习笔记Linux下修改主机名 1、修改/etc/hosts 添加 192.168.0.1 area 2、修改/etc/sysconfig/network HOSTNAME=area 3、执行命令 hostname=zjq 4、退出终端，然后重新登录即可升效Linux下NAT功能的实现本文档的Copyleft归yfydz所有，使用GPL发布，可以自由拷贝、转载，转载时请保持文档的完整性，严禁用于任何商业用途。msn: yfydz_no1来源: 1. 前言在2.4/2.6内核的Linux中的防火墙代码netfilter中支持源NAT(SNAT)和目的NAT(DNAT)，基本可以满足各种

2、类型的NAT需求，本文介绍Linux下的NAT的具体实现过程，所引的内核代码版本2.4.26，NAT原理部分不在此介绍，有兴趣者可先看我的另一篇NAT原理介绍的文章。2. NAT hookNAT操作也是以netfilter节点形式挂接在相应的处理点上的，DNAT挂接在NF_IP_PRE_ROUTING点上，优先级高于FILTER低于MANGLE，表示在mangle表后处理，但在filter表前处理数据包；SNAT挂接在NF_IP_POST_ROUTING点上，优先级低于FILTER，表示在filter表后面处理数据包。在net/ipv4/netfilter/ip_nat_standalone.

3、c中：目的NAT的hook节点：/* Before packet filtering, change destination */static struct nf_hook_ops ip_nat_in_ops= NULL, NULL , ip_nat_fn, PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_NAT_DST ;源NAT的hook节点：/* After packet filtering, change source */static struct nf_hook_ops ip_nat_out_ops= NULL, NULL , ip_nat_out, P

4、F_INET, NF_IP_POST_ROUTING, NF_IP_PRI_NAT_SRC;include/linux/netfilter_ipv4.henum nf_ip_hook_priorities NF_IP_PRI_FIRST = INT_MIN,NF_IP_PRI_CONNTRACK = -200, / 连接跟踪NF_IP_PRI_MANGLE = -150, / mangle tableNF_IP_PRI_NAT_DST = -100, / DNATNF_IP_PRI_FILTER = 0, / filter tableNF_IP_PRI_NAT_SRC = 100, / SNA

5、TNF_IP_PRI_LAST = INT_MAX,;ip_nat_fn()是NAT hook的主处理函数，ip_nat_out()函数也是在数据合法性检查后调用ip_nat_fn()函数。3. NAT处理相关结构在状态连接结构struct ip_conntrack中包含了关于NAT的相关结构(include/linux/netfilter/ip_conntrack.h)：struct ip_conntrack.#ifdef CONFIG_IP_NF_NAT_NEEDEDstruct struct ip_nat_info info;union ip_conntrack_nat_help hel

6、p;#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) | defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)int masq_index;#endif nat;#endif /* CONFIG_IP_NF_NAT_NEEDED */;其中比较重要的是struct ip_nat_info结构，而union ip_conntrack_nat_help是各协议NAT时需要特殊处理的结构描述，不过在2.4.26内核中都没定义，联合为空。#define IP_NAT_MAX_MANIPS (2*3)/ 此结构描述数据包中要修

7、改部分的信息struct ip_nat_info_manip/* The direction. */u_int8_t direction;/* Which hook the manipulation happens on. */u_int8_t hooknum;/* The manipulation type. */u_int8_t maniptype; / 修改类型: SNAT / DNAT/ 连接的数据包要修改的信息,包括地址和上层的协议信息/* Manipulations to occur at each conntrack in this dirn. */struct ip_connt

8、rack_manip manip;/* The structure embedded in the conntrack structure. */struct ip_nat_info/* Set to zero when conntrack created: bitmask of maniptypes */int initialized; / 实际最多用两位unsigned int num_manips;/* Manipulations to be done on this conntrack. */ 每个最多可以记录6个NAT信息struct ip_nat_info_manip manips

9、IP_NAT_MAX_MANIPS;struct ip_nat_hash bysource, byipsproto; / 按地址和协议的HASH表/* Helper (NULL if none). */struct ip_nat_helper *helper; / 多连接协议的NAT时的helperstruct ip_nat_seq seqIP_CT_DIR_MAX; / 描述两个方向的序列号变化情况;4. ip_nat_fn()函数ip_nat_fn()是NAT hook的基本处理函数(net/ipv4/netfilter/ip_nat_standalone.c),目的是建立连接的NAT i

10、nfo信息, 并修改数据包中的相应部分。static unsigned intip_nat_fn(unsigned int hooknum, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)struct ip_conntrack *ct;enum ip_conntrack_info ctinfo;struct ip_nat_info *info;/* maniptype = SRC for postrouting. */ 根

11、据hooknum来确定进行哪种方式的NAT，netfilter在hook点是能进行哪种NAT是固定的：/ NF_IP_PRE_ROUTING点进行的是DNAT，maniptype=1/ NF_IP_POST_ROUTING点进行的是SNAT，maniptype=0enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum);/* We never see fragments: conntrack defrags on pre-routing and local-out, and ip_nat_out protects post-routing.

12、*/IP_NF_ASSERT(!(*pskb)-nh.iph-frag_off & htons(IP_MF|IP_OFFSET);(*pskb)-nfcache |= NFC_UNKNOWN;/* If we had a hardware checksum before, its now invalid */if (*pskb)-ip_summed = CHECKSUM_HW)(*pskb)-ip_summed = CHECKSUM_NONE;/ 进行NAT的包必须都经过的连接跟踪处理，如果找不到该包对应的连接，不对其进行NAT处理/ 连接跟踪优先级最高，是数据包一进入netfilter就要进

13、行处理的ct = ip_conntrack_get(*pskb, &ctinfo);/* Cant track? Its not due to stress, or conntrack would have dropped it. Hence its the users responsibilty to packet filter it out, or implement conntrack/NAT for that protocol. 8) -RR */if (!ct) /* Exception: ICMP redirect to new connection (not in hash ta

14、ble yet). We must not let this through, in case were doing NAT to the same network. */struct iphdr *iph = (*pskb)-nh.iph;struct icmphdr *hdr = (struct icmphdr *) (u_int32_t *)iph + iph-ihl);if (iph-protocol = IPPROTO_ICMP & hdr-type = ICMP_REDIRECT) return NF_DROP;return NF_ACCEPT;switch (ctinfo) /对

15、于相关连接、相关连接的回复、新连接的包进行NAT信息的构建case IP_CT_RELATED:case IP_CT_RELATED+IP_CT_IS_REPLY:if (*pskb)-nh.iph-protocol = IPPROTO_ICMP) return icmp_reply_translation(*pskb, ct, hooknum, CTINFO2DIR(ctinfo);/* Fall thru. (Only ICMPs can be IP_CT_IS_REPLY) */case IP_CT_NEW:info = &ct-nat.info;WRITE_LOCK(&ip_nat_l

16、ock);/* Seen it before? This can happen for loopback, retrans, or local packets. */ 检查是否已经进行相应方向的初始化,注意初始化可以是两个方向同时进行的/ 这就是说一个数据包可以同时修改源和目的, 这在服务器和内网在相同网段时会用到,/ netfilter已经能自动处理这种情况,根本不需要进行修改,以前我的理解有误，以为/ 只能修改一个方向的数据if (!(info-initialized & (1 local traffic with * CONFIG_IP_NF_NAT_LOCAL disabled. */

17、 & !(ct-status & IPS_CONFIRMED)#endif ) unsigned int ret; if (ct-master & master_ct(ct)-nat.info.helper & master_ct(ct)-nat.info.helper-expect) / 多连接协议情况, 如果是子连接, 调用主连接相关的expect函数处理填写NAT info信息 ret = call_expect(master_ct(ct), pskb, hooknum, ct, info); else #ifdef CONFIG_IP_NF_NAT_LOCAL /* LOCAL_IN

18、hook doesnt have a chain! */ if (hooknum = NF_IP_LOCAL_IN) ret = alloc_null_binding(ct, info, hooknum); else#endif/ 否则根据NAT规则表查找规则, 执行规则的动作: SNAT或DNAT, 填写NAT info信息 ret = ip_nat_rule_find(pskb, hooknum, in, out, ct, info); / 返回值不是接受的话直接返回, 数据包将被丢弃 if (ret != NF_ACCEPT) WRITE_UNLOCK(&ip_nat_lock); re

19、turn ret; else DEBUGP(Already setup manip %s for ct %pn, maniptype = IP_NAT_MANIP_SRC ? SRC : DST, ct);WRITE_UNLOCK(&ip_nat_lock);break;default:/ 连接的NAT信息已经填好, 直接使用/* ESTABLISHED */IP_NF_ASSERT(ctinfo = IP_CT_ESTABLISHED | ctinfo = (IP_CT_ESTABLISHED+IP_CT_IS_REPLY);info = &ct-nat.info;IP_NF_ASSERT(

20、info);/ 根据NAT info信息对数据包的相应部分进行修改return do_bindings(ct, ctinfo, info, hooknum, pskb);4. do_bindings()函数do_bindings()是完成具体的NAT操作部分的函数(net/ipv4/netfilter/ip_nat_core.c)，修改地址端口等信息，必要时修改数据内容部分信息(这种情况下可能数据包长度会变，序列号/确认号相应会改变，这些都累计进NAT info参数中)，并重新各种校验和(TCP/UDP/ICMP校验和，IP头校验和):/* Do packet manipulations ac

21、cording to binding. */unsigned intdo_bindings(struct ip_conntrack *ct, enum ip_conntrack_info ctinfo, struct ip_nat_info *info, unsigned int hooknum, struct sk_buff *pskb)unsigned int i;struct ip_nat_helper *helper;/ 数据方向：original or replyenum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);/ 是否是TCP协议，TCP

22、协议要处理序列号/确认号int is_tcp = (*pskb)-nh.iph-protocol = IPPROTO_TCP;/* Need nat lock to protect against modification, but neither conntrack (referenced) and helper (deleted with synchronize_bh() can vanish. */READ_LOCK(&ip_nat_lock);for (i = 0; i num_manips; i+) /* raw socket (tcpdump) may have clone of

23、incoming skb: dont disturb it -RR */if (skb_cloned(*pskb) & !(*pskb)-sk) struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC); if (!nskb) READ_UNLOCK(&ip_nat_lock); return NF_DROP; kfree_skb(*pskb); *pskb = nskb;/ 检查数据包方向和hooknum是否是与NAT info中规定的一致if (info-manipsi.direction = dir & info-manipsi.hooknum

24、 = hooknum) DEBUGP(Mangling %p: %s to %u.%u.%u.%u %un, *pskb, info-manipsi.maniptype = IP_NAT_MANIP_SRC ? SRC : DST, NIPQUAD(info-manipsi.manip.ip), htons(info-manipsi.manip.u.all);/ 进行具体的NAT操作，修改IP头的地址、TCP、UDP等的端口 manip_pkt(*pskb)-nh.iph-protocol, (*pskb)-nh.iph, (*pskb)-len, &info-manipsi.manip, i

25、nfo-manipsi.maniptype, &(*pskb)-nfcache);helper = info-helper;READ_UNLOCK(&ip_nat_lock);/ 多连接协议if (helper) struct ip_conntrack_expect *exp = NULL;struct list_head *cur_item;int ret = NF_ACCEPT;int helper_called = 0;DEBUGP(do_bindings: helper existing for (%p)n, ct);/* Always defragged for helpers */

26、IP_NF_ASSERT(!(*pskb)-nh.iph-frag_off & htons(IP_MF|IP_OFFSET);/* Have to grab read lock before sibling_list traversal */READ_LOCK(&ip_conntrack_lock);/ 主连接的子连接链表是倒着搜索的list_for_each_prev(cur_item, &ct-sibling_list) / 取得期待的连接信息 exp = list_entry(cur_item, struct ip_conntrack_expect, expected_list); /*

27、 if this expectation is already established, skip */ 期待的子连接已经到了，不用再处理 if (exp-sibling) continue;/ 检查数据包是否是要修改的数据包，对于UDP、ICMP函数返回始终是1，TCP协议是才可能返回0 if (exp_for_packet(exp, pskb) /* FIXME: May be true multiple times in the * case of UDP! */ DEBUGP(calling nat helper (exp=%p) for packetn, exp);/ 调用多连接协议

28、的help函数修改内容部分的相关数据 ret = helper-help(ct, exp, info, ctinfo, hooknum, pskb); if (ret != NF_ACCEPT) READ_UNLOCK(&ip_conntrack_lock); return ret; helper_called = 1; /* Helper might want to manip the packet even when there is no * matching expectation for this packet */if (!helper_called & helper-flags & IP_NAT_HELPER_F_ALWAYS) DEBUGP(calling nat helper for packet without expectati