struct nf_hook_ops {
     struct list_head list;//用于嵌入到nf_hooks

     /* User fills in from here down. */
     nf_hookfn *hook;//钩子函数
     struct module *owner;//拥有者
     u_int8_t pf;//三层协议
     unsigned int hooknum;//哪个钩子点
     /* Hooks are ordered in ascending priority. */
     int priority;//优先级
     atomic_t counter;//被引用次数
    };

int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
   struct net_device *indev,
   struct net_device *outdev,
   int (*okfn)(struct sk_buff *),
   int hook_thresh)
{
 struct list_head *elem;
 unsigned int verdict;
 int ret = 0;

#ifdef CONFIG_NET_NS
 struct net *net;

 net = indev == NULL ? dev_net(outdev) : dev_net(indev);
 if (net != &init_net)
  return 1;
#endif

 /* We may already have this, but read-locks nest anyway */
 rcu_read_lock();

 elem = &nf_hooks[pf][hook];
next_hook:
 verdict = nf_iterate(&nf_hooks[pf][hook], skb, hook, indev,
        outdev, &elem, okfn, hook_thresh);
 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
  ret = 1;
  goto unlock;
 } else if (verdict == NF_DROP) {
  kfree_skb(skb);
  ret = -EPERM;
 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
  if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
         verdict >> NF_VERDICT_BITS))
   goto next_hook;
 }
unlock:
 rcu_read_unlock();
 return ret;
}

  可以看出nf_iterate是其核心，这里将对nf_iterate返回值(也就是相应的钩子函数的返回值)NF_ACCEPT、NF_STOP、NF_DROP、NF_QUEUE进行处理。

unsigned int nf_iterate(struct list_head *head,
   struct sk_buff *skb,
   int hook,
   const struct net_device *indev,
   const struct net_device *outdev,
   struct list_head **i,
   int (*okfn)(struct sk_buff *),
   int hook_thresh)
{
 unsigned int verdict;

 /*
  * The caller must not block between calls to this
  * function because of risk of continuing from deleted element.
  */
 list_for_each_continue_rcu(*i, head) {
  struct nf_hook_ops *elem = (struct nf_hook_ops *)*i;

  if (hook_thresh > elem->priority)
   continue;

  /* Optimization: we don't need to hold module
     reference here, since function can't sleep. --RR */
  verdict = elem->hook(hook, skb, indev, outdev, okfn);
  if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
   if (unlikely((verdict & NF_VERDICT_MASK)
       > NF_MAX_VERDICT)) {
    NFDEBUG("Evil return from %p(%u).\n",
     elem->hook, hook);
    continue;
   }
#endif
   if (verdict != NF_REPEAT)
    return verdict;
   *i = (*i)->prev;
  }
 }
 return NF_ACCEPT;
}
#define list_for_each_continue_rcu(pos, head) \
 for ((pos) = rcu_dereference((pos)->next); \
  prefetch((pos)->next), (pos) != (head); \
  (pos) = rcu_dereference((pos)->next))

nf_iterate的核心是list_for_each_continue_rcu，这是一个for循环；将满足条件的：协议 + hook_thresh优先级以上 + hook点 的钩子函数执行；处理特殊的钩子函数返回值NF_REPEAT。



对skb的主要处理在nf_hook_slow函数中：