Re: order of HOOK functions

I should have done some more googling before asking simple questions like this.

enum nf_ip_hook_priorities {
        NF_IP_PRI_FIRST = INT_MIN,
        NF_IP_PRI_CONNTRACK_DEFRAG = -400,
        NF_IP_PRI_RAW = -300,
        NF_IP_PRI_SELINUX_FIRST = -225,
        NF_IP_PRI_CONNTRACK = -200,
        NF_IP_PRI_MANGLE = -150,
        NF_IP_PRI_NAT_DST = -100,
        NF_IP_PRI_FILTER = 0,
        NF_IP_PRI_SECURITY = 50,
        NF_IP_PRI_NAT_SRC = 100,
        NF_IP_PRI_SELINUX_LAST = 225,
        NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
        NF_IP_PRI_LAST = INT_MAX,
};


Thanks,
Ratheesh.

On Tue, Mar 23, 2010 at 9:43 PM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
> On Tue, Mar 23, 2010 at 9:41 PM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
>> I have a rule
>>
>> R1------>  iptables -A FORWARD  -j ACCEPT  -
>>
>> After applying the above rule, I executed the below program
>>
>>
>> ********************************************************************************************************
>> /* copied from http://sts.synflood.de/dump/doc/p61-0x0d_Hacking_the_Linux_Kernel_Network_Stack.txt
>> */
>>
>>
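>> #include <linux/module.h>
>> #include <linux/kernel.h>
>> #include <linux/netfilter.h>
>> #include <linux/netfilter_ipv4.h>
>>
>> /* Hook options structure, filled in by init_module() */
>> static struct nf_hook_ops nfho;
>>
>> /* This is the hook function itself. The struct sk_buff **skb signature
>>  * is the older one; kernels from 2.6.24 pass struct sk_buff *skb. */
>> unsigned int hook_func(unsigned int hooknum,
>>                       struct sk_buff **skb,
>>                       const struct net_device *in,
>>                       const struct net_device *out,
>>                       int (*okfn)(struct sk_buff *))
>> {
>>    return NF_DROP;           /* Drop ALL packets */
>> }
>>
>> /* Initialisation routine */
>> int init_module()
>> {
>>     /* Fill in our hook structure */
>>     nfho.hook     = hook_func;         /* Handler function */
>>     nfho.hooknum  = NF_IP_PRE_ROUTING; /* First for IPv4 */
>>     nfho.pf       = PF_INET;
>>     nfho.priority = NF_IP_PRI_FIRST;   /* Make our func first */
>>
>>     nf_register_hook(&nfho);
>>
>>     return 0;
>> }
>>
>> /* Cleanup routine */
>> void cleanup_module()
>> {
>>     nf_unregister_hook(&nfho);
>> }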
>>
>> ******************************************************************************************************************************
>> I executed the below rule, R2.
>>
>> R2   --- > iptables  -I  FORWARD -j REJECT
>>
>>
>> Question: which target is chosen (DROP, REJECT or ACCEPT)? {order of
>> hook functions?}
>>
>> Thanks,
>> RAtheesh
>
>
>
> There is a mistake in the question. The hook is NF_IP_FORWARD.
>
> Thanks,
> Ratheesh
>
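
The ordering that the priority enum above encodes, as an added example that is not part of the original thread or of the kernel source: a user-space C model that walks the hooks at one hook point in ascending priority and stops at the first verdict other than NF_ACCEPT. The `PRI_*` names, `run_hooks` and `forward_verdict` are hypothetical, and a REJECT rule is modeled as NF_DROP because that target drops the packet after sending its error reply.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Verdicts and priorities with the values the kernel headers use. */
enum { NF_DROP = 0, NF_ACCEPT = 1 };
enum { PRI_FIRST = INT_MIN, PRI_FILTER = 0, PRI_LAST = INT_MAX };

struct hook { const char *name; int priority; int verdict; };

static int by_priority(const void *a, const void *b)
{
    int pa = ((const struct hook *)a)->priority;
    int pb = ((const struct hook *)b)->priority;
    return (pa > pb) - (pa < pb);   /* pa - pb would overflow at INT_MIN */
}

/* Simplified traversal of one hook point: ascending priority, NF_ACCEPT moves
 * on to the next hook, any other verdict ends the walk. *decider names the hook. */
static int run_hooks(struct hook *hooks, size_t n, const char **decider)
{
    qsort(hooks, n, sizeof(*hooks), by_priority);
    *decider = "okfn";              /* every hook accepted the packet */
    for (size_t i = 0; i < n; i++) {
        if (hooks[i].verdict != NF_ACCEPT) {
            *decider = hooks[i].name;
            return hooks[i].verdict;
        }
    }
    return NF_ACCEPT;
}

/* Constructed scenario: the module's drop-all hook at module_pri beside the
 * filter table, whose FORWARD chain is assumed to end in filter_verdict. */
static int forward_verdict(int module_pri, int filter_verdict, const char **decider)
{
    struct hook hooks[] = {
        { "iptables filter",  PRI_FILTER, filter_verdict },
        { "module hook_func", module_pri, NF_DROP },
    };
    return run_hooks(hooks, 2, decider);
}

int main(void)
{
    const char *who;
    int v = forward_verdict(PRI_FIRST, NF_ACCEPT, &who);
    printf("verdict=%s, decided by %s\n", v == NF_DROP ? "DROP" : "ACCEPT", who);
    return 0;
}
```

With the module registered at the lowest priority value, the filter table's FORWARD chain is never consulted in this model, so neither R1 nor R2 changes the outcome.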