outfilter.c
来自「一个linux下的防火墙过滤函数框架源代码」· C语言 代码 · 共 90 行
#define __KERNEL__
#define MODULE
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/netfilter_ipv6.h>
#include <linux/if_ether.h>
/* Hook registration record; init_module() fills it in and registers it, cleanup_module() unregisters it. */
static struct nf_hook_ops nfho;
/* Address compared against the neighbour-advertisement target; filter() rewrites it to 3ffe::9 on every call. */
static struct in6_addr vip;
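/*
 * Netfilter hook: drop ICMPv6 neighbour advertisements whose target address
 * equals vip (3ffe::9) and accept every other packet.
 *
 * skb     - pointer to the packet buffer pointer handed in by netfilter
 * hooknum, in, out, okfn - part of the hook signature, not used here
 *
 * Returns NF_DROP for a neighbour advertisement that targets vip or that is
 * too short for its target address to be inspected, NF_ACCEPT otherwise.
 *
 * Limitations visible in this code:
 *  - Only the next-header field of the fixed IPv6 header is examined. An
 *    ICMPv6 message that follows an extension header is not recognised and
 *    is accepted as "other protocol".
 *  - Neighbour solicitations (type 135) are not filtered.
 *  - Every packet produces an unthrottled printk without a log level; on a
 *    busy interface this floods the kernel log. Consider gating the
 *    messages with net_ratelimit().
 */
unsigned int filter(unsigned int hooknum, struct sk_buff **skb,
		    const struct net_device *in, const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
{
	/* Byte offsets into the packet, counted from the start of the IPv6 header. */
	enum {
		OUTF_IP6_HDR_LEN   = 40,	/* fixed IPv6 header */
		OUTF_ICMP6_HDR_END = 48,	/* + 8 bytes ICMPv6 header; NA target starts here */
		OUTF_NA_TARGET_END = 64		/* + 16 bytes target address */
	};
	struct sk_buff *sk = *skb;
	struct ipv6hdr *hv6;
	struct icmp6hdr *mp6;
	unsigned char *s;
	unsigned int avail;
	int i;

	/* vip = 3ffe:0:0:0:0:0:0:9, stored in network byte order. */
	vip.s6_addr16[0] = htons(0x3ffe);
	for (i = 1; i < 7; i++)
		vip.s6_addr16[i] = htons(0);
	vip.s6_addr16[7] = htons(9);

	/*
	 * Only bytes in the linear part of the buffer may be read through
	 * sk->data. Every header access below is checked against this length
	 * so a short packet cannot make the hook read past its data.
	 */
	avail = skb_headlen(sk);

	if (avail >= OUTF_ICMP6_HDR_END) {
		hv6 = (struct ipv6hdr *)(sk->data);
		if (hv6->nexthdr == 0x3a) {	/* 58: ICMPv6 */
			mp6 = (struct icmp6hdr *)(sk->data + OUTF_IP6_HDR_LEN);
			if (mp6->icmp6_type == 136) {	/* neighbour advertisement */
				printk("neighbour advertisement\n");

				/*
				 * Fail closed: an advertisement whose target
				 * cannot be inspected is dropped, not passed
				 * on unchecked.
				 */
				if (avail < OUTF_NA_TARGET_END) {
					printk("truncated neighbour advertisement thus i drop it \n");
					return NF_DROP;
				}

				s = (unsigned char *)(sk->data + OUTF_ICMP6_HDR_END);
				if (memcmp(s, &vip, sizeof(struct in6_addr))) {
					/*
					 * NOTE(review): this logs vip, not the
					 * target found in the packet. Confirm
					 * which address was meant to be shown.
					 */
					printk("not the vs address thus i accept it ");
					for (i = 0; i < 8; i++)
						printk(":%04x", ntohs(vip.s6_addr16[i]));
					printk("\n");
					return NF_ACCEPT;
				}
				printk("equal to vs address thus i drop it \n");
				return NF_DROP;
			}
		}
	}

	printk("other protocol thus i accept it \n");
	return NF_ACCEPT;
}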
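/*
 * Module entry point: describe the hook in nfho and register it with
 * netfilter for IPv6 packets at the NF_IP6_POST_ROUTING hook point.
 *
 * Fields of nfho that are not assigned here keep their zero value, because
 * nfho has static storage duration.
 *
 * Returns 0 on success, or the non-zero result of nf_register_hook() so that
 * a failed registration is not reported as a working filter.
 */
int init_module(void)
{
	int err;

	nfho.list.next = NULL;
	nfho.list.prev = NULL;
	nfho.hook = filter;
	nfho.hooknum = NF_IP6_POST_ROUTING;
	nfho.pf = PF_INET6;

	err = nf_register_hook(&nfho);
	if (err) {
		printk("output vs address filter registration failed: %d\n", err);
		return err;
	}

	printk("output vs address filter initialized OK\n");
	return 0;
}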
/*
 * Module exit point: unregister the hook described by nfho, then log a
 * farewell line.
 */
void cleanup_module(void)
{
	nf_unregister_hook(&nfho);

	printk("GoodBye\n");
}
/* Declares the module's license string as "GPL". */
MODULE_LICENSE("GPL");