netfilter hooks

They can be used to run shell when received some magic packet: 1 2 3. As usually there is not tool to show installed netfilter hooks so I added dumping them (and at the same time netfilter loggers) to my lkcd

 

Lets check where this hooks live inside kernel. As starting point we can review source of main function for hooks installing nf_register_net_hooks which leads to nf_hook_entry_head. We can notice that there are lots of locations for hooks:

1. field nf_hooks_ingress in net_dev (when CONFIG_NETFILTER_INGRESS enabled)
2. on more new kernels also field nf_hooks_egress in net_dev (when CONFIG_NETFILTER_EGRESS enabled)
3. lots of fields in struct netns_nf:
   
   • hooks_ipv4
   • hooks_ipv6
   • hooks_arp (CONFIG_NETFILTER_FAMILY_ARP)
   • hooks_bridge (CONFIG_NETFILTER_FAMILY_BRIDGE)
   • hooks_decnet (CONFIG_NETFILTER_FAMILY_DECNET)
   Also on old kernels (before 4.16) there was one array hooks in netns_nf
   

 

results

lkmem -c -n ../unpacked/101 /boot/System.map-5.15.0-101-generic

...


2 nf hooks:
   [0] type 02 IPV4 idx 0 0xffffffffa7b84dd0 - kernel!apparmor_ipv4_postroute
   [1] type 10 IPV6 idx 0 0xffffffffa7b84e10 - kernel!apparmor_ipv6_postroute