Overview of Netfilter hook points in the 2.6 kernel


Copyleft of this document belongs to yfydz; it may be freely copied and reproduced when published under the GPL. Use for any commercial purpose is strictly prohibited.
MSN: yfydz_no1@hotmail.com
Source: http://yfydz.cublog.cn

1. The 5 hook points

The kernel code below is from version 2.6.17.11.

1.1 PREROUTING

/* net/ipv4/ip_input.c */
int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
{
......
    return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                   ip_rcv_finish);
......
}

1.2 INPUT

/* net/ipv4/ip_input.c */
int ip_local_deliver(struct sk_buff *skb)
{
......
    return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL,
                   ip_local_deliver_finish);
}

1.3 FORWARD

/* net/ipv4/ip_forward.c */
int ip_forward(struct sk_buff *skb)
{
......
    return NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, rt->u.dst.dev,
                   ip_forward_finish);
......
}

1.4 OUTPUT

/* net/ipv4/ip_output.c */
int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
                          u32 saddr, u32 daddr, struct ip_options *opt)
{
......
    return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                   dst_output);
}

int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
{
......
    return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                   dst_output);
......
}

int ip_push_pending_frames(struct sock *sk)
{
......
    /* Netfilter gets whole the not fragmented skb. */
    err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
                  skb->dst->dev, dst_output);
......
}

1.5 POSTROUTING

/* net/ipv4/ip_output.c */
int ip_output(struct sk_buff *skb)
{
    struct net_device *dev = skb->dst->dev;

    IP_INC_STATS(IPSTATS_MIB_OUTREQUESTS);

    skb->dev = dev;
    skb->protocol = htons(ETH_P_IP);

    return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
                        ip_finish_output,
                        !(IPCB(skb)->flags & IPSKB_REROUTED));
}

2. Hook operations attached to each hook point

Only the hook points of the AF_INET protocol family are considered. The hook operations at each point are listed below in execution order: the smaller the priority value, the higher the priority and the earlier the operation runs.
A processing point whose behaviour can be controlled with iptables rules is called user-controllable; otherwise it is uncontrollable.

2.1 PREROUTING

/* net/bridge/br_netfilter.c */
// This hook only discards packets whose skb carries bridge parameters but not the corresponding bridge flag.
// Uncontrollable
{
    .hook = ip_sabotage_in,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // highest priority
    .priority = NF_IP_PRI_FIRST,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook reassembles fragments, so every later hook sees only unfragmented packets;
// the packet is fragmented again only when it is finally sent. Note that a packet reassembled
// by 2.6 is not linear: two logically adjacent bytes may lie on different pages, so the
// storage is discontinuous.
// Uncontrollable
{
    .hook = ip_conntrack_defrag,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority -400
    .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},

/* net/ipv4/netfilter/iptable_raw.c */
// This hook is the raw table, which lets received packets be processed before connection tracking.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_hook,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority -300
    .priority = NF_IP_PRI_RAW,
    .owner = THIS_MODULE,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook performs connection tracking: for each skb it finds the existing connection
// (ESTABLISHED, reply direction) or creates a new one (NEW, RELATED).
// Uncontrollable
{
    .hook = ip_conntrack_in,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority -200
    .priority = NF_IP_PRI_CONNTRACK,
},

/* net/ipv4/netfilter/iptable_mangle.c */
// This hook is the mangle table, which allows received packets to be modified.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_route_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority -150
    .priority = NF_IP_PRI_MANGLE,
},

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook performs destination NAT on skbs received by the local machine.
// Controllable through the nat table, but the rules are consulted only for the first packet
// of a connection (NEW); subsequent packets are handled automatically.
{
    .hook = ip_nat_in,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority -100
    .priority = NF_IP_PRI_NAT_DST,
},

/* net/sched/sch_ingress.c */
// This hook queues skbs entering the local machine for ingress QoS processing.
// Uncontrollable
static struct nf_hook_ops ing_ops = {
    .hook = ing_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_PRE_ROUTING,
    // priority 1
    .priority = NF_IP_PRI_FILTER + 1,
};
 
2.2 INPUT

/* net/ipv4/netfilter/iptable_mangle.c */
// This hook is the mangle table, which allows received packets to be modified.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_route_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority -150
    .priority = NF_IP_PRI_MANGLE,
},

/* net/ipv4/netfilter/iptable_filter.c */
// This hook is the filter table, which filters packets entering the local machine.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority 0
    .priority = NF_IP_PRI_FILTER,
},

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook performs source NAT on skbs entering the local machine.
// Controllable through the nat table, but the rules are consulted only for the first packet
// of a connection (NEW); subsequent packets are handled automatically.
{
    .hook = ip_nat_fn,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority 100
    .priority = NF_IP_PRI_NAT_SRC,
},

/* net/ipv4/ipvs/ip_vs_core.c */
// This hook load-balances skbs entering the local machine.
// Uncontrollable
static struct nf_hook_ops ip_vs_in_ops = {
    .hook = ip_vs_in,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    .priority = 100,
};

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook runs the connection-tracking helpers on skbs entering the local machine,
// i.e. it handles the sub-connections of multi-connection protocols.
// Uncontrollable
{
    .hook = ip_conntrack_help,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority INT_MAX-2, rather low
    .priority = NF_IP_PRI_CONNTRACK_HELPER,
},

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook adjusts the TCP sequence numbers of skbs entering the local machine. When a
// multi-connection protocol is tracked, modifying the packet payload may change its length,
// so the sequence and acknowledgement numbers must be adjusted automatically.
// Uncontrollable
{
    .hook = ip_nat_adjust,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority INT_MAX-1, rather low
    .priority = NF_IP_PRI_NAT_SEQ_ADJUST,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook performs the final confirmation for skbs entering the local machine. It only
// processes NEW packets, confirming that the new connection does not yet exist in the
// connection table.
// Uncontrollable
{
    .hook = ip_confirm,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_IN,
    // priority INT_MAX, the lowest
    .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},

2.3 FORWARD

/* net/bridge/br_netfilter.c */
// This hook fills in the bridge and physical NIC information for skbs forwarded by a bridge.
// The function may return NF_STOP, in which case the later hooks are not processed.
// Uncontrollable
{
    .hook = ip_sabotage_out,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_FORWARD,
    // priority -175
    .priority = NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD,
},

/* net/ipv4/netfilter/iptable_mangle.c */
// This hook is the mangle table, which allows packets to be modified.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_route_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_FORWARD,
    // priority -150
    .priority = NF_IP_PRI_MANGLE,
},

/* net/ipv4/netfilter/iptable_filter.c */
// This hook is the filter table, which filters forwarded packets.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_FORWARD,
    // priority 0
    .priority = NF_IP_PRI_FILTER,
},

/* net/ipv4/ipvs/ip_vs_core.c */
// This hook handles ICMP error packets for forwarded skbs before load balancing.
// Uncontrollable
static struct nf_hook_ops ip_vs_forward_icmp_ops = {
    .hook = ip_vs_forward_icmp,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_FORWARD,
    .priority = 99,
};

/* net/ipv4/ipvs/ip_vs_core.c */
// This hook load-balances forwarded skbs.
// Uncontrollable
static struct nf_hook_ops ip_vs_out_ops = {
    .hook = ip_vs_out,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_FORWARD,
    .priority = 100,
};
 
2.4 OUTPUT

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook reassembles fragments of locally generated packets, so every later hook sees only
// unfragmented packets; the packet is fragmented again only when it is finally sent. Note that
// a packet reassembled by 2.6 is not linear: two logically adjacent bytes may lie on different
// pages, so the storage is discontinuous.
// Uncontrollable
{
    .hook = ip_conntrack_defrag,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -400
    .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},

/* net/ipv4/netfilter/iptable_raw.c */
// This hook is the raw table, which lets packets sent by the local machine be processed before
// connection tracking.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_hook,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -300
    .priority = NF_IP_PRI_RAW,
    .owner = THIS_MODULE,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook performs connection tracking for packets sent by the local machine: for each skb it
// finds the existing connection (ESTABLISHED, reply direction) or creates a new one (NEW, RELATED).
// Uncontrollable
{
    .hook = ip_conntrack_local,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -200
    .priority = NF_IP_PRI_CONNTRACK,
},

/* net/ipv4/netfilter/iptable_mangle.c */
// This hook is the mangle table, which allows packets to be modified.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_local_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -150
    .priority = NF_IP_PRI_MANGLE,
},

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook performs destination NAT on skbs sent by the local machine.
// Controllable through the nat table, but the rules are consulted only for the first packet
// of a connection (NEW); subsequent packets are handled automatically.
{
    .hook = ip_nat_local_fn,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -100
    .priority = NF_IP_PRI_NAT_DST,
},

/* net/bridge/br_netfilter.c */
// This hook fills in the bridge and physical NIC information for skbs sent through a bridge NIC.
// The function returns NF_STOP, ending the traversal of this hook point early.
// Uncontrollable
{
    .hook = ip_sabotage_out,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority -50
    .priority = NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT,
},

/* net/ipv4/netfilter/iptable_filter.c */
// This hook is the filter table, which filters packets sent by the local machine.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_local_out_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_LOCAL_OUT,
    // priority 0
    .priority = NF_IP_PRI_FILTER,
},
 

2.5 POSTROUTING

/* net/bridge/br_netfilter.c */
// This hook fills in the bridge and physical NIC information for skbs sent through a bridge NIC.
// The function returns NF_STOP, ending the traversal of this hook point early.
// Uncontrollable
{
    .hook = ip_sabotage_out,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // highest priority
    .priority = NF_IP_PRI_FIRST,
},

/* net/ipv4/netfilter/iptable_mangle.c */
// This hook is the mangle table, which allows packets to be modified.
// Controllable: iptables rules can be loaded
{
    .hook = ipt_route_hook,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority -150
    .priority = NF_IP_PRI_MANGLE,
},

/* net/ipv4/ipvs/ip_vs_core.c */
// This hook directly returns NF_STOP for packets controlled by ipvs, so the later hooks are
// not processed.
// Uncontrollable
static struct nf_hook_ops ip_vs_post_routing_ops = {
    .hook = ip_vs_post_routing,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority 99
    .priority = NF_IP_PRI_NAT_SRC - 1,
};

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook performs source NAT on skbs sent by the local machine.
// Controllable through the nat table, but the rules are consulted only for the first packet
// of a connection (NEW); subsequent packets are handled automatically.
{
    .hook = ip_nat_out,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority 100
    .priority = NF_IP_PRI_NAT_SRC,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook runs the connection-tracking helpers on forwarded skbs, i.e. it handles the
// sub-connections of multi-connection protocols.
// Uncontrollable
{
    .hook = ip_conntrack_help,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority INT_MAX-2, rather low
    .priority = NF_IP_PRI_CONNTRACK_HELPER,
},

/* net/ipv4/netfilter/ip_nat_standalone.c */
// This hook adjusts the TCP sequence numbers of skbs sent by the local machine. When a
// multi-connection protocol is tracked, modifying the packet payload may change its length,
// so the sequence and acknowledgement numbers must be adjusted automatically.
// Uncontrollable
{
    .hook = ip_nat_adjust,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority INT_MAX-1, rather low
    .priority = NF_IP_PRI_NAT_SEQ_ADJUST,
},

/* net/ipv4/netfilter/ip_conntrack_standalone.c */
// This hook performs the final confirmation. It only processes NEW packets, confirming that
// the new connection does not yet exist in the connection table.
// Uncontrollable
{
    .hook = ip_confirm,
    .owner = THIS_MODULE,
    .pf = PF_INET,
    .hooknum = NF_IP_POST_ROUTING,
    // priority INT_MAX, the lowest
    .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
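The two rules the listings above rely on, as an added stand-alone C model that is not kernel code and not part of the original article: nf_register_hook() keeps each hook list sorted by ascending priority, and nf_hook_slow() walks that list until an op returns NF_DROP (packet discarded) or NF_STOP (chain cut short, packet continues). It uses the POST_ROUTING ops of 2.5 with the 2.6.17 priority values; the names post_routing_packet() and last_trace() are our own helpers, and a mangle op returning NF_DROP stands in for a DROP rule loaded into the mangle table.

```c
/* User-space model of how 2.6.17 Netfilter sorts hook ops and runs them. Constructed example:
 * the names mirror enum nf_ip_hook_priorities and struct nf_hook_ops, the bodies are ours. */
#include <limits.h>
#include <string.h>
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOP = 5 };   /* kernel verdict values */
enum { NF_IP_PRI_FIRST = INT_MIN, NF_IP_PRI_CONNTRACK_DEFRAG = -400, NF_IP_PRI_RAW = -300,
       NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100,
       NF_IP_PRI_FILTER = 0, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2,
       NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1, NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX };
struct nf_hook_ops { const char *name; int priority, verdict; struct nf_hook_ops *next; };
static struct nf_hook_ops *post_routing;   /* stands in for nf_hooks[PF_INET][NF_IP_POST_ROUTING] */
static char trace[128];                    /* names of the ops that ran, in order */

/* Like nf_register_hook(): insert before the first op with a larger priority, so the
 * list stays in ascending priority order, which is the order the ops execute in. */
static void nf_register_hook(struct nf_hook_ops *reg) {
    struct nf_hook_ops **pp = &post_routing;
    while (*pp && (*pp)->priority <= reg->priority) pp = &(*pp)->next;
    reg->next = *pp; *pp = reg;
}

/* Like nf_hook_slow()/nf_iterate(): NF_DROP discards the packet, NF_STOP ends the chain
 * early but the packet still reaches okfn. Returns ops run, negated if dropped. */
static int nf_hook(void) {
    int ran = 0;
    for (struct nf_hook_ops *op = post_routing; op; op = op->next) {
        strncat(trace, op->name, sizeof trace - strlen(trace) - 1);
        strncat(trace, " ", sizeof trace - strlen(trace) - 1);
        ran++;
        if (op->verdict == NF_DROP) return -ran;
        if (op->verdict == NF_STOP) break;
    }
    return ran;
}

/* The POST_ROUTING ops of section 2.5, deliberately listed out of priority order. */
static struct nf_hook_ops ops[] = {
    {"ip_confirm",        NF_IP_PRI_CONNTRACK_CONFIRM, NF_ACCEPT},
    {"ip_nat_out",        NF_IP_PRI_NAT_SRC,           NF_ACCEPT},
    {"ip_sabotage_out",   NF_IP_PRI_FIRST,             NF_ACCEPT},   /* may return NF_STOP */
    {"ipt_route_hook",    NF_IP_PRI_MANGLE,            NF_ACCEPT},   /* a mangle rule may DROP */
    {"ip_nat_adjust",     NF_IP_PRI_NAT_SEQ_ADJUST,    NF_ACCEPT},
    {"ip_conntrack_help", NF_IP_PRI_CONNTRACK_HELPER,  NF_ACCEPT},
};

/* Constructed helper: run one packet through POST_ROUTING with the bridge sabotage op
 * returning sabotage_verdict and the mangle op returning mangle_verdict. */
int post_routing_packet(int sabotage_verdict, int mangle_verdict) {
    post_routing = NULL; trace[0] = '\0';
    for (size_t i = 0; i < sizeof ops / sizeof *ops; i++) {
        if (ops[i].priority == NF_IP_PRI_FIRST)  ops[i].verdict = sabotage_verdict;
        if (ops[i].priority == NF_IP_PRI_MANGLE) ops[i].verdict = mangle_verdict;
        nf_register_hook(&ops[i]);
    }
    return nf_hook();
}
const char *last_trace(void) { return trace; }   /* e.g. "ip_sabotage_out ipt_route_hook ..." */
```

Registering the six ops in scrambled order still yields the 2.5 order (sabotage, mangle, nat_out, conntrack_help, nat_adjust, confirm); NF_STOP from the first op means none of the NAT and conntrack ops ever see the packet, while a DROP in mangle stops it after two ops.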

3. Conclusion

It can be seen that even when the kernel is built without bridge, ipvs and sched support, a forwarded packet passes through 12 processing points on its way through netfilter, and a rejection at any of them discards the packet. The control and processing functions of each point can be arranged in order, like the stages of a pipeline. If a multi-core processor could dedicate one core to each resource-intensive point, the processing of the cores would form a pipeline and system efficiency would certainly improve; unfortunately, this kind of AMP processing is still "Mission Impossible". The current SMP approach only makes the netfilter architecture inefficient. When can the "Im" be removed?
