klips2-design-api.txt (FreeS/WAN VPN source package, page 1 of 3)
		ip6tables(8) >-> seclev match ip6tables(8) library
	Label:
	Name:
		(*seclev_parse) - parse, convert and check security level options
	Synopsis:
		see: iptables(8) >-> generic match iptables(8) library
	Arguments:
		see: iptables(8) >-> generic match iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line security level text
		arguments for use by the seclev match NetFilter kernel
		module.
		Input is expected to be in the form of "--seclev
		seclevstr" where seclevstr is the security (or
		sensitivity) level (or label) associated with the
		packet.
	Implementation notes:
		I don't actually know what form security level data takes,
		but that can be sorted out later.
		Use the data structure ipt_seclev_info.
	Return value:
		see: iptables(8) >-> generic match iptables(8) library
	Example:
		see: iptables(8) >-> generic match iptables(8) library
	See also:
		iptables(8) >-> generic match iptables(8) library
** iptables(8) >-> salist match iptables(8) library
** ip6tables(8) >-> salist match ip6tables(8) library
	Interface:
		iptables(8) >-> salist match iptables(8) library
		ip6tables(8) >-> salist match ip6tables(8) library
	Label:
	Name:
		(*salist_parse) - parse, convert and check security
		association list options
	Synopsis:
		see: iptables(8) >-> generic match iptables(8) library
	Arguments:
		see: iptables(8) >-> generic match iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line security association
		list text arguments for use by the salist match
		NetFilter kernel module.
		Input is expected to be in the form of "--salist
		SAList" where SAList is the security association list
		associated with the packet.
	Implementation notes:
		Use the data structure ipt_salist_info.
	Return value:
		see: iptables(8) >-> generic match iptables(8) library
	Example:
		see: iptables(8) >-> generic match iptables(8) library
	See also:
		iptables(8) >-> generic match iptables(8) library
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** iptables(8) >-> TRAP target iptables(8) library
** ip6tables(8) >-> TRAP target ip6tables(8) library
	Interface:
		iptables(8) >-> TRAP target iptables(8) library
		ip6tables(8) >-> TRAP target ip6tables(8) library
	Label:
	Name:
		(*trap_parse) - parse, convert and check TRAP options
	Synopsis:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Arguments:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line TRAP text
		arguments for use by the TRAP target NetFilter kernel
		module.
		No input is expected.
	Implementation notes:
	Return value:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Example:
		see: iptables(8) >-> GENERIC target iptables(8) library
	See also:
		iptables(8) >-> GENERIC target iptables(8) library
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** iptables(8) >-> HOLD target iptables(8) library
** ip6tables(8) >-> HOLD target ip6tables(8) library
	Interface:
		iptables(8) >-> HOLD target iptables(8) library
		ip6tables(8) >-> HOLD target ip6tables(8) library
	Label:
	Name:
	Synopsis:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Arguments:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line HOLD text
		arguments for use by the HOLD target NetFilter kernel
		module.
		No input is expected.
	Implementation notes:
	Return value:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Example:
		see: iptables(8) >-> GENERIC target iptables(8) library
	See also:
		iptables(8) >-> GENERIC target iptables(8) library
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** iptables(8) >-> PEEK target iptables(8) library
** ip6tables(8) >-> PEEK target ip6tables(8) library
	Interface:
		iptables(8) >-> PEEK target iptables(8) library
		ip6tables(8) >-> PEEK target ip6tables(8) library
	Label:
	Name:
	Synopsis:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Arguments:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line PEEK text
		arguments for use by the PEEK target NetFilter kernel
		module.
		No input is expected.
	Implementation notes:
	Return value:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Example:
		see: iptables(8) >-> GENERIC target iptables(8) library
	See also:
		iptables(8) >-> GENERIC target iptables(8) library
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** iptables(8) >-> IPSEC target iptables(8) library
** ip6tables(8) >-> IPSEC target ip6tables(8) library
	Interface:
		iptables(8) >-> IPSEC target iptables(8) library
		ip6tables(8) >-> IPSEC target ip6tables(8) library
	Label:
	Name:
	Synopsis:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Arguments:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Description:
		This function parses, converts and checks iptables(8)
		and ip6tables(8) command line IPSEC text arguments for
		use by the IPSEC target NetFilter kernel module.
		Input is expected to be in the form of "--salist
		SAList" where SAList is the security association list
		to be applied to packets sent to the IPSEC target.
	Implementation notes:
		Use the data structure ipt_ipsec_target_info.
	Return value:
		see: iptables(8) >-> GENERIC target iptables(8) library
	Example:
		see: iptables(8) >-> GENERIC target iptables(8) library
	See also:
		iptables(8) >-> GENERIC target iptables(8) library
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** iptables(8) >-> NetFilter
** ip6tables(8) >-> NetFilter
	Interface:
		iptables(8) >-> NetFilter
		ip6tables(8) >-> NetFilter
	Label:
	Name:
	Synopsis:
	Arguments:
		match->data = struct ipt_seclev_info
		match->data = struct ipt_salist_info
		target->data = struct ipt_ipsec_target_info
	Description:
		This I/F is already defined in NetFilter using
		get/set_sockopt().  We don't call it directly.  In
		addition, it will need structures to pass the
		arguments above.  This interface provides a mechanism
		for iptables to update the kernel netfilter tables.
	Implementation notes:
	Return value:
	Example:
	See also:
		iptables-1.2.2/libiptc/
** NetFilter >-> seclev match NetFilter kernel module
	Interface:
		NetFilter >-> seclev match NetFilter kernel module
	Label:
	Name:
		(*seclev_match) - does the packet match the Security
		Level?
	Synopsis:
		see: NetFilter >-> generic match NetFilter kernel module
	Arguments:
		see: NetFilter >-> generic match NetFilter kernel module
	Description:
		This function checks if the skb supplied matches
		the security level specified in matchinfo.
	Implementation notes:
		Use the data structure ipt_seclev_info.
	Return value:
		see: NetFilter >-> generic match NetFilter kernel module
	Example:
		see: NetFilter >-> generic match NetFilter kernel module
	See also:
		NetFilter >-> generic match NetFilter kernel module
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** NetFilter >-> salist match NetFilter kernel module
	Interface:
		NetFilter >-> salist match NetFilter kernel module
	Label:
	Name:
		(*salist_match) - does the packet match the Security
		Association List?
	Synopsis:
		see: NetFilter >-> generic match NetFilter kernel module
	Arguments:
		see: NetFilter >-> generic match NetFilter kernel module
	Description:
		This function checks if the skb supplied matches
		the Security Association list specified in matchinfo.
	Implementation notes:
		Use the data structure ipt_salist_info.
	Return value:
		see: NetFilter >-> generic match NetFilter kernel module
	Example:
		see: NetFilter >-> generic match NetFilter kernel module
	See also:
		NetFilter >-> generic match NetFilter kernel module
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** NetFilter >-> TRAP target NetFilter kernel module
	Interface:
		NetFilter >-> TRAP target NetFilter kernel module
	Label:
		TRAP
	Name:
		(*trap_target) - TRAP outgoing packets to initiate
		opportunism
	Synopsis:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	Arguments:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	Description:
		This is a NetFilter target.  It TRAPs packets to notify the
		key management daemons to acquire a new set of
		Security Associations and to set up a HOLD to save the
		packet until the acquire has succeeded.
	Implementation notes:
	Return value:
		It returns NF_STOLEN.
	Example:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	See also:
		NetFilter >-> GENERIC target NetFilter kernel module
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** TRAP target NetFilter kernel module >-> KMds "PF_KEYv2 ACQUIRE"
	Interface:
		TRAP target NetFilter kernel module >-> KMds "PF_KEYv2 ACQUIRE"
	Label:
		see RFC2367, PF_KEYv2 ACQUIRE
	Name:
		see RFC2367, PF_KEYv2 ACQUIRE
	Synopsis:
		see RFC2367, PF_KEYv2 ACQUIRE
	Arguments:
		see RFC2367, PF_KEYv2 ACQUIRE
	Description:
		This interface is used to make requests from the
		kernel to key management daemons for a set of Security
		Associations to cover the specified traffic to a
		remote host.
	Implementation notes:
	Return value:
		see RFC2367, PF_KEYv2 ACQUIRE
	Example:
	See also:
** TRAP target NetFilter kernel module >-> NetFilter
	Interface:
		TRAP target NetFilter kernel module >-> NetFilter
	Label:
	Name:
	Synopsis:
	Arguments:
		struct sk_buff *skb
	Description:
		This interface is used by the NetFilter TRAP target
		kernel module to set up a HOLD to save outgoing
		packets until the acquire has succeeded, limiting the
		demand on the PF_KEYv2 ACQUIRE interface.
	Implementation notes:
		At present, this looks really ugly.  The table can
		only be modified from userspace by reading the entire
		table and then replacing the entire table atomically.
		It will have to use the get/set_sockopt() interface
		similar to what userspace uses, except from
		kernelspace, duplicating some of the libiptc code,
		taking a copy of the entire table and atomically
		replacing all of the copies on all the CPUs.
		There is talk about iptables being rewritten so that
		the table is updated more gracefully.
		There have been suggestions of using ippool, but this
		appears to take a huge amount of memory for what we
		need to be able to do.
		Queue to userspace has also been suggested, but we
		don't want to send the packet to userspace.  We are
		trying to avoid that by doing a HOLD.
		After the HOLD is in place, the packet would be
		re-injected.
	Return value:
	Example:
	See also:
** NetFilter >-> HOLD target NetFilter kernel module
	Interface:
		NetFilter >-> HOLD target NetFilter kernel module
	Label:
	Name:
		(*hold_target) - HOLD packets to prevent key
		management daemon flooding
	Synopsis:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	Arguments:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	Description:
		This is a NetFilter target.  It discards the
		previously held packet and holds onto the
		last packet pending replacement by an SPDB
		change that deletes this HOLD and releases the packet.
	Implementation notes:
		It sounds like there will be problems with this
		because of the atomic complete replacement of the
		table, at which point any data stored with the target
		will be lost.
	Return value:
		It returns NF_STOLEN.
	Example:
		see: NetFilter >-> GENERIC target NetFilter kernel module
	See also:
		NetFilter >-> GENERIC target NetFilter kernel module
		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
** KMd >-> SADB "PF_KEYv2 ADD/UPDATE"
	Interface:
		KMd >-> SADB "PF_KEYv2 ADD/UPDATE"
	Label:
		see RFC2367, PF_KEYv2 ADD/UPDATE
	Name:
		see RFC2367, PF_KEYv2 ADD/UPDATE
	Synopsis:
		see RFC2367, PF_KEYv2 ADD/UPDATE
	Arguments:
		see RFC2367, PF_KEYv2 ADD/UPDATE
	Description:
		This interface is used by key management daemons to
		set incoming or outgoing Security Associations in the
		kernel to/from a remote host.
	Implementation notes:
	Return value:
		see RFC2367, PF_KEYv2 ADD/UPDATE
	Example:
	See also:
** HOLD target NetFilter kernel module >-> NetFilter
	Interface:
		HOLD target NetFilter kernel module >-> NetFilter
	Label:
	Name:
		ip_finish_output - re-submit the packet to the output
		queue, now that the HOLD has been cleared.
		NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, rt->u.dst.dev, ip_finish_output2);
	Synopsis:
		int
		ip_finish_output(
			struct sk_buff *skb
		)
	Arguments:
		skb
			packet to be re-submitted
	Description:
		This interface provides a method for previously held
		packets to be released and re-submitted once the
		HOLD SPDB entry has been replaced or deleted, usually
		pointing to newly created Security Associations that
		were acquired to cover that packet stream.
		The packet is re-submitted just before
		NF_IP_POST_ROUTING.
	Implementation notes:
		I don't know the best way to show this on the diagram,
		since the skb is stored with the eroute and not the
		HOLD target module.  The best way to implement this
		might be, when the table gets replaced, to release all
		held packets and let them be re-caught by the table.
		int ip_finish_output(struct sk_buff *skb) is a good
		possibility since all it does is call the
		NF_IP_POST_ROUTING hook, and that is where the packet
		would have been HOLD'ed.
	Return value:
		0 if everything worked out, -ENOMEM if the kernel ran
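The following is an added example; it is not part of this design document and not code from FreeS/WAN or KLIPS2. It is a userspace C model of the flow that the TRAP target, "PF_KEYv2 ACQUIRE", HOLD target, "PF_KEYv2 ADD/UPDATE" and ip_finish_output sections above describe, written so that the two properties those sections rely on can be exercised: a burst of packets to one destination produces exactly one ACQUIRE (the HOLD absorbs the rest, discarding all but the newest packet), and the held packet is only re-submitted through the output hook once a KMd has installed an SA. The per-destination eroute table, the eroute/spdb/pkt structures, the NF_IP_POST_ROUTING dispatch, and correlating the KMd's ADD with the ACQUIRE by sadb_msg_seq alone (a real ADD also carries address and SA extensions) are simplifications made for this example; the sadb_msg layout and constants are those of RFC 2367, declared inline so the program builds without kernel headers.

```c
/* Added example (not KLIPS2 code): userspace model of TRAP -> ACQUIRE -> HOLD -> ADD/UPDATE -> release. */
#include <stdint.h>
#include <string.h>

/* PF_KEYv2 base header and constants as given in RFC 2367, declared here so
 * the example builds without <linux/pfkeyv2.h>. */
struct sadb_msg {
	uint8_t  sadb_msg_version;   /* PF_KEY_V2 */
	uint8_t  sadb_msg_type;      /* SADB_ACQUIRE, SADB_ADD, ... */
	uint8_t  sadb_msg_errno;
	uint8_t  sadb_msg_satype;    /* SADB_SATYPE_ESP, ... */
	uint16_t sadb_msg_len;       /* whole message, in 64-bit words */
	uint16_t sadb_msg_reserved;
	uint32_t sadb_msg_seq;       /* the KMd echoes the ACQUIRE's seq in its ADD/UPDATE */
	uint32_t sadb_msg_pid;
};
enum { PF_KEY_V2 = 2, SADB_UPDATE = 2, SADB_ADD = 3, SADB_ACQUIRE = 6, SADB_SATYPE_ESP = 3 };
enum { NF_ACCEPT = 1, NF_STOLEN = 2 };   /* NetFilter verdicts, kernel values */
struct pkt { uint32_t dst; unsigned id; };   /* stand-in for an skb: destination + tag */

/* Hypothetical per-destination SPDB entry (the real SPDB is an iptables table). */
enum estate { ST_TRAP, ST_HOLD, ST_IPSEC };
struct eroute {
	uint32_t dst; enum estate state;
	struct pkt held; int has_held;           /* a HOLD keeps exactly one packet */
	uint32_t acquire_seq, spi;
};
struct spdb {
	struct eroute e[8]; int n;
	unsigned acquires, dropped, released, next_seq;
	struct sadb_msg last_acquire;            /* what the KMds would read */
	struct pkt last_released;
};

void spdb_init(struct spdb *s) { memset(s, 0, sizeof *s); s->next_seq = 1; }

void spdb_add_trap(struct spdb *s, uint32_t dst) {
	struct eroute *e = &s->e[s->n++];
	memset(e, 0, sizeof *e); e->dst = dst; e->state = ST_TRAP;
}

static struct eroute *lookup(struct spdb *s, uint32_t dst) {
	for (int i = 0; i < s->n; i++) if (s->e[i].dst == dst) return &s->e[i];
	return NULL;
}

/* TRAP target: send one PF_KEYv2 ACQUIRE, then turn the entry into a HOLD so
 * later packets for this destination generate no further ACQUIREs. */
static unsigned trap_target(struct spdb *s, struct eroute *e, struct pkt p) {
	struct sadb_msg *m = &s->last_acquire;
	memset(m, 0, sizeof *m);
	m->sadb_msg_version = PF_KEY_V2;  m->sadb_msg_type = SADB_ACQUIRE;
	m->sadb_msg_satype = SADB_SATYPE_ESP;
	m->sadb_msg_len = sizeof *m / 8;         /* header only; extensions omitted */
	m->sadb_msg_seq = e->acquire_seq = s->next_seq++;
	s->acquires++;
	e->state = ST_HOLD; e->held = p; e->has_held = 1;
	return NF_STOLEN;
}

/* HOLD target: discard the previously held packet, keep the newest one. */
static unsigned hold_target(struct spdb *s, struct eroute *e, struct pkt p) {
	if (e->has_held) s->dropped++;
	e->held = p; e->has_held = 1;
	return NF_STOLEN;
}

/* The NF_IP_POST_ROUTING hook: dispatch on the SPDB entry for the destination. */
unsigned output_hook(struct spdb *s, struct pkt p) {
	struct eroute *e = lookup(s, p.dst);
	if (!e) return NF_ACCEPT;                /* no policy: goes out in the clear */
	switch (e->state) {
	case ST_TRAP: return trap_target(s, e, p);
	case ST_HOLD: return hold_target(s, e, p);
	default:      return NF_ACCEPT;          /* IPSEC target: SA e->spi applies */
	}
}

/* KMd -> SADB ADD/UPDATE: validate the base header before using any of it,
 * correlate by seq (a real ADD also carries address/SA extensions), replace
 * the HOLD with the SA and re-submit the held packet as ip_finish_output would. */
int kmd_add_sa(struct spdb *s, const struct sadb_msg *m, size_t len, uint32_t spi) {
	if (len < sizeof *m || m->sadb_msg_version != PF_KEY_V2) return -1;
	if (m->sadb_msg_type != SADB_ADD && m->sadb_msg_type != SADB_UPDATE) return -1;
	if ((size_t)m->sadb_msg_len * 8 != len) return -1;  /* length field vs bytes received */
	for (int i = 0; i < s->n; i++) {
		struct eroute *e = &s->e[i];
		if (e->state != ST_HOLD || e->acquire_seq != m->sadb_msg_seq) continue;
		e->state = ST_IPSEC; e->spi = spi;
		if (e->has_held) {                   /* release: run the packet through the hook again */
			struct pkt p = e->held; e->has_held = 0;
			if (output_hook(s, p) == NF_ACCEPT) { s->released++; s->last_released = p; }
		}
		return 0;
	}
	return -1;                               /* no outstanding ACQUIRE with that seq */
}
```

Two points in kmd_add_sa are the ones a reviewer of the real kernel side would look for: the PF_KEY base header is validated (version, message type, and that sadb_msg_len in 64-bit words equals the number of bytes actually received) before any field is trusted, and an ADD/UPDATE that does not correspond to an outstanding ACQUIRE is rejected rather than silently installing policy. Note also that the release path re-runs the packet through the same hook instead of bypassing it, which is what lets a replaced table re-catch the packet, as the implementation note above suggests.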