Calling Hook Functions

Functions of the network layer are interrupted by hooks at which netfilter code is executed. An important feature of hooks is that they split a function into two parts — the first part runs before the netfilter code is called, the second after. Why are two separate functions used instead of calling a specific netfilter function that executes all relevant netfilter modules and then returns to the calling function? This approach, which at first may appear to be somewhat complicated, can be explained as follows. It enables users (or administrators) to decide not to compile the netfilter functionality into the kernel, in which case, the network functions can be executed without any loss of speed. It also dispenses with the need to riddle the network implementation with pre-processor statements that, depending on the particular configuration option (netfilter enabled or disabled), select the appropriate code sections at compilation time.
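The split described above can be modelled in userspace C. This is an added sketch, not the kernel's macro definition and not code from the original text; every identifier in it (MODEL_NETFILTER, MODEL_HOOK, rcv, rcv_finish, drop_low_ttl) is hypothetical. It shows the first half of a function handing its second half to the hook macro as a continuation, and the macro collapsing to a direct call when hook support is compiled out.

```c
/* Userspace model of the hook pattern; all names are hypothetical, not the
 * kernel's. Build with -DMODEL_NETFILTER=0 to compile the hooks out. */
#include <stdio.h>
#ifndef MODEL_NETFILTER
#define MODEL_NETFILTER 1
#endif
enum verdict { MODEL_DROP = 0, MODEL_ACCEPT = 1 };
struct pkt { int ttl; int delivered; };
typedef int (*okfn_t)(struct pkt *);
typedef enum verdict (*hookfn_t)(struct pkt *);

#if MODEL_NETFILTER
static hookfn_t hooks[4]; static size_t nhooks;   /* registered hook functions */
void model_register(hookfn_t fn) { if (nhooks < 4) hooks[nhooks++] = fn; }
/* Run every registered hook; the first DROP ends processing. */
int model_hook_slow(struct pkt *p, okfn_t okfn)
{
    for (size_t i = 0; i < nhooks; i++)
        if (hooks[i](p) == MODEL_DROP)
            return -1;                 /* second half never runs */
    return okfn(p);                    /* all hooks accepted: continue */
}
#define MODEL_HOOK(p, okfn) model_hook_slow((p), (okfn))
#else
/* Hooks compiled out: the macro is only a direct call to the second half. */
#define MODEL_HOOK(p, okfn) (okfn)((p))
#endif

/* Second half: runs after the hooks, or immediately if they are compiled out. */
int rcv_finish(struct pkt *p) { p->delivered = 1; return 0; }

/* First half: work done before the hook, then hand over through the macro. */
int rcv(struct pkt *p)
{
    if (p->ttl <= 0)
        return -2;                     /* rejected before any hook is reached */
    return MODEL_HOOK(p, rcv_finish);
}

/* Constructed sample hook: drop packets whose ttl is below 2. */
enum verdict drop_low_ttl(struct pkt *p) { return p->ttl < 2 ? MODEL_DROP : MODEL_ACCEPT; }

int main(void)
{
    struct pkt a = {64, 0}, b = {1, 0};   /* constructed sample packets */
#if MODEL_NETFILTER
    model_register(drop_low_ttl);
#endif
    printf("a=%d b=%d\n", rcv(&a), rcv(&b));
    return 0;
}
```

Note that rcv() contains no #if of its own: the configuration choice is confined to the macro definition, which is the point the paragraph makes about keeping pre-processor statements out of the network code.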

Netfilter hooks are called by the nf_hook macro from <netfilter.h>. The macro is defined as follows if netfilter support is enabled in the kernel:
