Target extension with nf_hooks

[Aft nix <aftnix@gmail.com>]

Hi,

Is there any technical difficulties associated with the following scenario:

1) its invoked with $iptables -t mangle -A PREROUTING -j MY_TARGET

2) My target module is initialized as :

static struct xt_target obsf_tg_reg __read_mostly = {

        .name = "OBSF",
        .family = NFPROTO_UNSPEC,
        .target = obsf_tg,
        .checkentry = obsf_tg_check,
        .targetsize = sizeof(struct xt_OBSF_tginfo),
        .me = THIS_MODULE,
};

static int __init obsf_tg_init(void)
{
    return xt_register_target(&obsf_tg_reg);
}

2) Now inside the module, it also registers a nf_hook:


static struct nf_hook_ops inward_obsf_ops __read_mostly = {
    .pf = NFPROTO_IPV4,
    .priority = 1,
    .hooknum = NF_INET_PRE_ROUTING,
    .hook = ibss_obsf_inward_begin,
};

/*
 * Module init and exit functions
 * No need ot worry about them
 */

static int __init ibss_obsf_inward_init(void)
{
    printk(KERN_ALERT "\nPacket_Inward module started ...");
    return nf_register_hook(&inward_obsf_ops);
}

My question is

a) Between ibss_obsf_inward_begin() and obsf_tg() who will be called first?

b) Does this design lead to any inconsistencies?

c) Should i register ibss_ofsf_inward_begin() with different hook ,
say NF_INET_LOCAL_INPUT?

Only example i could find inside 3.7.rc3 kernel tree is :

net/ipv4/ipt_CLUSTERIP.c:540

540 static struct nf_hook_ops cip_arp_ops __read_mostly = {
541         .hook = arp_mangle,
542         .pf = NFPROTO_ARP,
543         .hooknum = NF_ARP_OUT,
544         .priority = -1
545 };

I'm not sure i can do the same for ordinary netfilter module.


--
-aft