初次使用netfilter，写了一个禁止ping命令的小程序

banping.c

#include"linux/module.h"
#include"linux/netfilter_ipv4.h"
#include"linux/kernel.h"
#include"linux/skbuff.h"
#include"linux/ip.h"
#include"linux/if_ether.h"
#include"linux/if_packet.h"

/*copyright statement*/
MODULE_LICENSE("Dual BSD/GPL");

static unsigned int nf_hook_out(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff*))
{
struct sk_buff *sk = skb;
struct iphdr *iph=ip_hdr(sk);
if(iph->protocol==IPPROTO_ICMP)
{
return NF_DROP;
}else
{
return NF_ACCEPT;
}
}

static struct nf_hook_ops nfout=
{
.list = {NULL,NULL},
.hook = nf_hook_out,
.hooknum = NF_INET_LOCAL_OUT,
.pf = PF_INET,
.priority = NF_IP_PRI_FIRST
};

/*initialization module*/
static int __init banping_init(void)
{
nf_register_hook(&nfout);
printk(KERN_ALERT"Banping module init\n");
return 0;
}
/*clear module*/
static void __exit banping_exit(void)
{
nf_unregister_hook(&nfout);
printk(KERN_ALERT"Banping module exit\n");
}
module_init(banping_init);
module_exit(banping_exit);

MODULE_AUTHOR("FEI FENG");
MODULE_DESCRIPTION("Ban ping");
MODULE_VERSION("0.0.1");

makefile

target = banping
obj-m := $(target).o
KERNELDIR = /lib/modules/$(shell uname -r)/build
default:
$(MAKE) -C $(KERNELDIR) M=$(shell pwd)
install:
insmod $(target).ko
uninstall:
rmmod $(target).ko
clean:
rm -rf *.o *.mod.c *.ko
rm -rf Module.symvers .*cmd .tmp_versions