From 97d7eeb86ba27f0a24866af6531405cba151ee34 Mon Sep 17 00:00:00 2001
From: jjm2473 <1129525450@qq.com>
Date: Mon, 18 Mar 2024 14:17:51 +0800
Subject: [PATCH] kmod-oaf: fix nf hook before 4.16.0
---
 oaf/src/af_client.c | 27 ++++++++++++++++++-----
 oaf/src/app_filter.c | 52 ++++++++++++++++++++++++++++++++++++++------
 2 files changed, 66 insertions(+), 13 deletions(-)
diff --git a/oaf/src/af_client.c b/oaf/src/af_client.c
index 8f80cd9..11cdea3 100755
--- a/oaf/src/af_client.c
+++ b/oaf/src/af_client.c
@@ -392,7 +392,7 @@ static u_int32_t af_client_hook(unsigned int hook,
 return NF_ACCEPT;
 }
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 static struct nf_hook_ops af_client_ops[] = {
 {
 .hook = af_client_hook,
@@ -405,8 +405,19 @@ static struct nf_hook_ops af_client_ops[] = {
 static struct nf_hook_ops af_client_ops[] = {
 {
 .hook = af_client_hook,
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
 .owner = THIS_MODULE,
- .pf = NFPROTO_INET,
+#endif
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_FIRST + 1,
+ },
+ {
+ .hook = af_client_hook,
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
+ .owner = THIS_MODULE,
+#endif
+ .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP_PRI_FIRST + 1,
 },
@@ -415,12 +426,16 @@ static struct nf_hook_ops af_client_ops[] = {
 int af_client_init(void)
 {
+ int err;
 nf_client_list_init();
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
- nf_register_net_hooks(&init_net, af_client_ops, ARRAY_SIZE(af_client_ops));
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
+ err = nf_register_net_hooks(&init_net, af_client_ops, ARRAY_SIZE(af_client_ops));
 #else
- nf_register_hooks(af_client_ops, ARRAY_SIZE(af_client_ops));
+ err = nf_register_hooks(af_client_ops, ARRAY_SIZE(af_client_ops));
 #endif
+ if (err) {
+ AF_ERROR("oaf register client hooks failed!\n");
+ }
 AF_INFO("init app afclient ........ok\n");
 return 0;
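Review bot: In af_client_init the added `if (err)` block only logs, and the function still prints `init app afclient ........ok` and returns 0, so a failed hook registration leaves the module loaded without its NF_INET_FORWARD client hook. For a filtering module that is a fail-open state that only a log line reveals; add `return err;` after the AF_ERROR call so the caller can abort the load. The same log-and-continue pattern is added to app_filter_init in oaf/src/app_filter.c, which also calls `af_client_init();` without checking its result. af_client_exit and app_filter_fini then unregister the tables unconditionally, presumably including hooks that were never registered. Returning early from app_filter_init would also require undoing the setup done before the registration, most of which is outside the hunk.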
@@ -428,7 +443,7 @@ int af_client_init(void)
 void af_client_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
 nf_unregister_net_hooks(&init_net, af_client_ops, ARRAY_SIZE(af_client_ops));
 #else
 nf_unregister_hooks(af_client_ops, ARRAY_SIZE(af_client_ops));
diff --git a/oaf/src/app_filter.c b/oaf/src/app_filter.c
index 7d25906..e00b441 100755
--- a/oaf/src/app_filter.c
+++ b/oaf/src/app_filter.c
@@ -1176,8 +1176,7 @@ static u_int32_t app_filter_by_pass_hook(unsigned int hook,
 return app_filter_hook_bypass_handle(skb, skb->dev);
 }
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 static struct nf_hook_ops app_filter_ops[] __read_mostly = {
 {
 .hook = app_filter_hook,
@@ -1193,12 +1192,47 @@ static struct nf_hook_ops app_filter_ops[] __read_mostly = {
 .priority = NF_IP_PRI_MANGLE + 1,
 },
 };
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+static struct nf_hook_ops app_filter_ops[] __read_mostly = {
+ {
+ .hook = app_filter_hook,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_MANGLE + 1,
+ },
+ {
+ .hook = app_filter_by_pass_hook,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_PRE_ROUTING,
+ .priority = NF_IP_PRI_MANGLE + 1,
+ },
+ {
+ .hook = app_filter_hook,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_MANGLE + 1,
+
+ },
+ {
+ .hook = app_filter_by_pass_hook,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_PRE_ROUTING,
+ .priority = NF_IP_PRI_MANGLE + 1,
+ },
+};
 #else
 static struct nf_hook_ops app_filter_ops[] __read_mostly = {
 {
 .hook = app_filter_hook,
 .owner = THIS_MODULE,
- .pf = NFPROTO_INET,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_MANGLE + 1,
+ },
+ {
+ .hook = app_filter_hook,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP_PRI_MANGLE + 1,
 },
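Review bot: The two pre-4.16 tables for app_filter_ops are hand-copied and already differ: the new `#elif` table (4.4 up to 4.16) registers both app_filter_hook and app_filter_by_pass_hook for IPv4 and IPv6, while the part of the `#else` table visible here only splits app_filter_hook on NF_INET_FORWARD. That table continues past the end of the hunk, so any by-pass entry after it cannot be checked from here; if one exists with `.pf = NFPROTO_INET`, it presumably needs the same IPv4/IPv6 split, and if none exists a comment should say that kernels before 4.4 deliberately skip the by-pass hook. af_client.c in this commit avoids the duplication by keeping one pre-4.16 table and wrapping only `.owner = THIS_MODULE,` in `#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)`; using the same shape here would keep the registered hook set identical on every old kernel.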
@@ -1343,6 +1377,7 @@ int netlink_oaf_init(void)
 static int __init app_filter_init(void)
 {
+ int err;
 if (0 != load_feature_config())
 {
 return -1;
@@ -1355,11 +1390,14 @@ static int __init app_filter_init(void)
 af_init_app_status();
 init_af_client_procfs();
 af_client_init();
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
- nf_register_net_hooks(&init_net, app_filter_ops, ARRAY_SIZE(app_filter_ops));
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
+ err = nf_register_net_hooks(&init_net, app_filter_ops, ARRAY_SIZE(app_filter_ops));
 #else
- nf_register_hooks(app_filter_ops, ARRAY_SIZE(app_filter_ops));
+ err = nf_register_hooks(app_filter_ops, ARRAY_SIZE(app_filter_ops));
 #endif
+ if (err) {
+ AF_ERROR("oaf register filter hooks failed!\n");
+ }
 init_oaf_timer();
 AF_INFO("init app filter ........ok\n");
 return 0;
@@ -1369,7 +1407,7 @@ static void app_filter_fini(void)
 {
 AF_INFO("app filter module exit\n");
 fini_oaf_timer();
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
 nf_unregister_net_hooks(&init_net, app_filter_ops, ARRAY_SIZE(app_filter_ops));
 #else
 nf_unregister_hooks(app_filter_ops, ARRAY_SIZE(app_filter_ops));