Introduction to Linux kernel engineering-Network: Netfilter Overview

Introduction

The earliest Linux kernel packet filtering mechanism was ipfwadm, followed by ipchains, then iptables on top of netfilter, and now nftables. nftables and iptables are still competing, and there is no final verdict yet on which will win; both are sub-projects of the netfilter project.

Hook

Netfilter is built on hooks placed at fixed points in the kernel network protocol stack. A packet takes one of two paths. A packet destined for the local machine goes: driver receive -> routing table -> local protocol stack -> driver send. A packet that is to be forwarded to another host goes: driver receive -> routing table -> forward -> driver send. Netfilter defines hooks at the key points on these paths: NF_IP_PRE_ROUTING runs before the routing table is consulted; NF_IP_LOCAL_IN runs once the routing lookup has decided to deliver the packet to the local machine; NF_IP_FORWARD runs once the routing lookup has decided to forward it; NF_IP_LOCAL_OUT runs on packets generated by the local machine; and NF_IP_POST_ROUTING runs on packets, including locally generated ones, just before they are handed to the driver. By registering functions at these hook points you can intercept the flow of packets and filter or transform them. Note that forwarding is generally only enabled on a router; an ordinary PC that finds a packet is not addressed to itself simply discards it, so on an ordinary PC four hooks are relevant: NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING. All of these hooks sit at the IP layer, but they are not limited to processing IP-layer data: the complete packet is available at the IP layer, so any layer can be handled there.

iptables does not register hook functions of its own; its chains simply sit at the same positions as the netfilter hooks. It is a subsystem built on the netfilter framework and is made up of tables, chains and rules.

Netfilter provides several helper facilities that make it easier to use iptables or nftables. One of them is caching: by inspecting a packet once at a given position, it can be determined that the packet will not pass the subsequent filter rules.

User space uses iptables: table, chain and rule

Chains and rules are concepts created by iptables. As noted above, a function call can be executed at each hook. By default the iptables system implements several such calls and organizes them with a unified data structure: the table, the chain and the rule.

Multiple tables can be defined at any hook point. A table holds multiple chains, and each chain can hold multiple rules. Remember that tables and chains are only containers; the rules inside them are what actually act on packets. In theory we could filter, NAT and modify packets at any hook point, but for the sake of a unified architecture iptables defines a fixed sequence of tables at each hook point, each table dedicated to one class of work. The predefined tables are filter, nat and mangle. Each table represents a function rather than a location; a table contains multiple chains, and each chain sits at a specific location.

The internally predefined layout of tables and chains is shown in the netfilter packet-flow diagram:

https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

FILTER: PREROUTING, FORWARD, POSTROUTING

NAT: PREROUTING, INPUT, OUTPUT, POSTROUTING

MANGLE: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

As you can see, the three predefined tables represent three different functions, and each table defines a chain at some of the hook points. When a user wants to do something at a hook point, they locate the table (function) -> chain (location) -> rule (behaviour) to complete the packet operation.

Every rule has the same format: source IP address, destination IP address, upper-layer protocol, interface and action (target). However, not every field is usable in every chain. For example, a rule that matches on the output interface in the INPUT chain can never match. The set of effective rules therefore differs from chain to chain.

iptables is extensible software. Its support for common protocols such as TCP and UDP is itself implemented as extensions; the iptables core only handles the IP layer, and giving the corresponding option automatically uses the extension. Other extensions are not protocol extensions and are generally invoked with `iptables -m`. For example, `-m mac` matches on the MAC address, and `-m limit` limits the number of matches per second; if the limit is exceeded, the packet is allowed. These extensions include:

- xt_mac.ko: matches the MAC address.

- xt_limit.ko: rate-limits how often a rule matches.

- xt_owner.ko: matches packets created by a given process or user.

- xt_state.ko: matches packets in a given connection state (such as NEW, ESTABLISHED, RELATED).

- xt_pkttype.ko: matches packets by type: multicast, broadcast or unicast.

- xt_quota.ko: sets a quota for a rule; once the quota is reached the rule no longer matches.

- xt_recent.ko: maintains a dynamic list of IP addresses so that later packets from addresses on the list can be matched.

- xt_string.ko: matches a string inside the packet payload.

- xt_time.ko: matches packets based on their arrival or departure time.

- xt_u32.ko: checks whether four bits of the packet are equal to the required four bits.

There are also many target extensions, conntrack extensions and IPv6 extensions. You can match on application type, and modify header fields such as TTL and TOS. Essentially every function you might need has a corresponding extension.

The action (target) can also be extended. The common built-in targets are ACCEPT and DROP; LOG and REJECT are also available, and users can implement their own. Two further built-in targets are QUEUE and RETURN: RETURN implements the call/return relationship between rules (returning from a called chain to the calling one), and QUEUE queues the packet for processing elsewhere. These targets also correspond to specific modules: nft_queue.ko, nft_reject.ko, xt_LOG.ko and nft_log.ko.
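To make the table/chain/rule walk, the INPUT-versus-FORWARD decision after routing, the match extensions and the RETURN target concrete, here is a small Python model. It is an added example, not code from the original article or from the netfilter project: it models one filter table with an INPUT chain, a FORWARD chain and a user-defined chain, a conntrack-style state match, and a token-bucket rate limit modelled after xt_limit. All addresses, devices, rules and sample packets are constructed, and the names (`Packet`, `Table`, `Limit`, `filter_packet`) are this example's own.

```python
"""Toy model of netfilter/iptables evaluation (added example, not kernel code).

Shows: the hook reached after routing (local -> INPUT chain, otherwise FORWARD
only when forwarding is on), walking a chain rule by rule, ACCEPT/DROP ending
the walk, jumping into a user chain and RETURN, why an output-interface rule
can never match in INPUT, and a token-bucket rate limit like xt_limit.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    in_iface: Optional[str] = None   # set only for packets received from a driver
    out_iface: Optional[str] = None  # set only once routing has chosen an egress device
    state: str = "NEW"               # NEW / ESTABLISHED / RELATED, as conntrack would label it
    t: float = 0.0                   # arrival time in seconds (drives the rate limit)


Match = Callable[[Packet], bool]


@dataclass
class Rule:
    matches: List[Match]             # all must succeed; an empty list matches everything
    target: str                      # ACCEPT, DROP, RETURN or the name of a user-defined chain


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None     # built-in chains have a policy, user chains do not


class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def run(self, chain_name: str, pkt: Packet) -> str:
        """Walk a built-in chain; falling off its end or RETURN applies the policy."""
        verdict = self._walk(chain_name, pkt)
        return self.chains[chain_name].policy if verdict == RETURN else verdict

    def _walk(self, chain_name: str, pkt: Packet) -> str:
        for rule in self.chains[chain_name].rules:
            if not all(m(pkt) for m in rule.matches):
                continue
            if rule.target in (ACCEPT, DROP, RETURN):
                return rule.target
            verdict = self._walk(rule.target, pkt)   # jump into a user-defined chain
            if verdict != RETURN:
                return verdict                        # the user chain decided
            # user chain returned (explicitly or off its end): try the next rule here
        return RETURN


# Match helpers playing the role of -s, -p, -i, -o and -m state.
def src_net(prefix: str) -> Match: return lambda p: p.src.startswith(prefix)
def proto(name: str) -> Match: return lambda p: p.proto == name
def in_iface(name: str) -> Match: return lambda p: p.in_iface == name
def out_iface(name: str) -> Match: return lambda p: p.out_iface == name  # None in INPUT
def state(*states: str) -> Match: return lambda p: p.state in states


class Limit:
    """Token bucket modelled after xt_limit: the match succeeds while a token remains."""
    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate, self.burst, self.tokens, self.clock = rate_per_sec, burst, float(burst), 0.0

    def __call__(self, p: Packet) -> bool:
        self.tokens = min(self.burst, self.tokens + (p.t - self.clock) * self.rate)  # refill
        self.clock = p.t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def build_filter_table() -> Table:
    """Constructed sample ruleset: a host that only takes new TCP at a limited rate."""
    t = Table()
    t.chains["INPUT"] = Chain(policy=DROP, rules=[
        Rule([state("ESTABLISHED", "RELATED")], ACCEPT),
        Rule([out_iface("eth0")], DROP),        # never matches: INPUT has no egress device
        Rule([in_iface("lo")], ACCEPT),
        Rule([proto("tcp"), state("NEW")], "new_tcp"),
        Rule([src_net("10.0.0.")], ACCEPT),     # reached when new_tcp RETURNs
    ])
    t.chains["new_tcp"] = Chain(rules=[
        Rule([src_net("10.0.0.")], RETURN),     # trusted LAN: hand back to INPUT
        Rule([Limit(rate_per_sec=1.0, burst=2)], ACCEPT),
        Rule([], DROP),                         # bucket empty: drop
    ])
    t.chains["FORWARD"] = Chain(policy=DROP)
    return t


def filter_packet(table: Table, pkt: Packet, local_addrs: set, forwarding: bool) -> str:
    """Routing picks the hook: LOCAL_IN -> INPUT chain; FORWARD chain only on a router."""
    if pkt.dst in local_addrs:
        return table.run("INPUT", pkt)
    if forwarding:
        return table.run("FORWARD", pkt)
    return DROP   # an ordinary host discards packets that are not its own


def demo() -> List[str]:
    table, local = build_filter_table(), {"10.0.0.1"}
    packets = [  # constructed sample traffic
        Packet("198.51.100.9", "10.0.0.1", "tcp", "eth0", state="ESTABLISHED"),
        Packet("10.0.0.5", "10.0.0.1", "tcp", "eth0"),              # LAN: RETURN, then ACCEPT
        Packet("127.0.0.1", "10.0.0.1", "udp", "lo"),               # loopback
        Packet("203.0.113.7", "10.0.0.1", "tcp", "eth0", t=0.0),    # burst token 1
        Packet("203.0.113.7", "10.0.0.1", "tcp", "eth0", t=0.0),    # burst token 2
        Packet("203.0.113.7", "10.0.0.1", "tcp", "eth0", t=0.0),    # bucket empty -> DROP
        Packet("203.0.113.7", "10.0.0.1", "tcp", "eth0", t=5.0),    # refilled -> ACCEPT
        Packet("203.0.113.7", "10.0.0.1", "udp", "eth0", t=5.0),    # no rule -> policy DROP
        Packet("203.0.113.7", "192.0.2.8", "tcp", "eth0", t=5.0),   # not ours, no forwarding
    ]
    return [filter_packet(table, p, local, forwarding=False) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The second INPUT rule illustrates the point made earlier: a packet in INPUT has no output interface yet, so `out_iface("eth0")` is never true and the rule is dead. The `new_tcp` chain shows RETURN handing control back to the next rule of INPUT, while an explicit ACCEPT or DROP inside it ends the walk immediately. Real netfilter also runs the nat and mangle tables and keeps connection state itself; this model takes the state as given.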

BPF

Rules can also carry code supplied from user space; this is implemented by the xt_bpf module. `iptables -m bpf --bytecode` is followed by the actual bytecode, which is produced by compiling a program with the tools under tools/net in the Linux kernel source tree.

Using netfilter from a kernel module

User space can only add rules to iptables; a kernel module that hooks netfilter directly is more powerful than adding rules, because it has full coding capability. It can not only discard a packet but also return NF_STOLEN, which stops the packet from continuing through the protocol stack; the module itself then takes over all further processing of that packet.

It should be noted that the name netfilter refers to the kernel packet filtering architecture, while iptables refers to the table, chain and rule design. Inside the kernel, netfilter hooks are generally used rather than iptables rules.
