Netfilter Madness

API changes

1. nf_register_hook() till 4.12, from 4.13.0 we have nf_register_net_hook()
2. nf_hookfn signature changed (with addition of struct nf_hook_state) in version 4.1.0. Before :

static inline void nf_hook_state_init(struct nf_hook_state *p,
				      unsigned int hook,
				      int thresh, u_int8_t pf,
				      struct net_device *indev,
				      struct net_device *outdev,
				      struct sock *sk,
				      int (*okfn)(struct sock *, struct sk_buff *))

Then :

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
			       struct sk_buff *skb,
			       const struct nf_hook_state *state);

Then it was further changed in version 4.4 to have a void *private (current form as of 6.10) :

typedef unsigned int nf_hookfn(void *priv,
			       struct sk_buff *skb,
			       const struct nf_hook_state *state);

3. hook_ops_type field in struct nf_hook_ops was added in version : 5.14.0
4. For xt_action_param in x_tables match and target. kernel versions >= 4.10.0, we have parameter helpers like xt_hooknum(par), before that we use par->hooknum

Random Notes

• On netfilter-based NAT systems there is theoretically a possibility to retrieve the original address after NAT’ing a connection.
  • This can be done using the socket option SO_ORIGINAL_DST.
  • This is implemented in conntrack using nf_register_sockopt() which is used to create custom socket options (limited to some tables, like ipt and ip6t).

xt_action_param usage across extensions