Relationship between various netfilter hooks
Recently my friends have been asking me more and more questions about the networking part of the kernel. I had analyzed the 2.2 network source code before and know a little about BSD, but I also noticed that the IP layer changed considerably in 2.4 because of its better SMP support and the rewrite of the firewall code. At the invitation of a netizen, xumei_bit from Beijing University of Technology, I helped him/her analyze the firewall part, so I am taking this opportunity to share my notes with everyone.
First, the relationship between the several hooks of netfilter. There are five of them in total: PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT (in the kernel headers, NF_IP_PRE_ROUTING, NF_IP_POST_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD and NF_IP_LOCAL_OUT). Compared with ipchains in 2.2, PREROUTING and POSTROUTING are new, and they were added to support NAT.
Suppose an IP packet arrives from the physical network. It is received by ip_rcv(). The NF_HOOK macro at the end of that function hands control to the PREROUTING chain; if the packet is not dropped there, ip_rcv_finish() consults the routing table and decides whether the packet is destined for this machine or is to be forwarded to another network.
If it is destined for this machine, ip_local_deliver() is called. At its end this function again invokes the firewall macro, this time to run the INPUT chain; once that is done the packet is handed to the transport layer and on up to the user process in the application layer.
In the forwarding case, ip_rcv_finish() has called the routing function ip_route_input(), and the route it returns hands control to ip_forward(). This function runs the rules of the FORWARD chain through the firewall macro, and finally ip_forward_finish() calls ip_send() to transmit the packet. Before the packet is actually transmitted, however, the rules of the POSTROUTING chain are run through the firewall macro, and only then is the packet handed to the driver and onto the physical network.
There is one more hook, OUTPUT. When the local machine itself sends a packet, the OUTPUT chain is run (for example from ip_queue_xmit()) before POSTROUTING, so a locally generated packet never passes PREROUTING, INPUT or FORWARD.
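The traversal described above, as an added example that is not the article's or the kernel's own code: a small userspace C model of the NF_HOOK dispatch and of the 2.4 IP-layer call sequence for the three paths (received for this host, forwarded, generated locally). It keeps the kernel function names the article mentions (ip_rcv, ip_rcv_finish, ip_local_deliver, ip_forward, ip_forward_finish, ip_finish_output, ip_queue_xmit) but replaces their bodies with just enough to show which hook each stage runs; the two hook functions, their priorities, the addresses and the "blocked" destination are all constructed for the illustration. Two things the prose leaves implicit are visible here: the functions registered on one hook run in ascending priority order, and an NF_DROP verdict from any of them ends the packet's journey before the continuation (okfn) is called, so a packet dropped in FORWARD never reaches POSTROUTING.

```c
/* Added example (not code from the article): a userspace model of how the 2.4
 * IP layer threads a packet through the five netfilter hooks.  Kernel function
 * names are kept, bodies are simplified, and all addresses are constructed. */
#include <stdio.h>
#include <string.h>

/* Hook numbers as in linux/netfilter_ipv4.h, and the two verdicts used here */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT,
       NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum { NF_DROP = 0, NF_ACCEPT = 1 };
static const char *hook_name[] = { "PRE_ROUTING", "LOCAL_IN", "FORWARD",
                                   "LOCAL_OUT", "POST_ROUTING" };

/* Stand-in for sk_buff: addresses plus a trace of the stages the packet saw */
struct packet { const char *src, *dst; char trace[128]; };
static void trace_add(struct packet *p, const char *s)
{
    size_t n = strlen(p->trace);
    snprintf(p->trace + n, sizeof p->trace - n, "%s%s", n ? " " : "", s);
}

/* Per-hook chains of (function, priority), like the kernel's nf_hooks[][] */
typedef unsigned int (*nf_hookfn)(unsigned int hooknum, struct packet *p);
struct nf_hook_ops { nf_hookfn hook; int priority; };
static struct nf_hook_ops ops[NF_IP_NUMHOOKS][8];
static int nops[NF_IP_NUMHOOKS];

/* Like nf_register_hook(): keep each chain sorted by ascending priority */
static void nf_register_hook(int hooknum, nf_hookfn fn, int priority)
{
    int i = nops[hooknum]++;
    for (; i > 0 && ops[hooknum][i - 1].priority > priority; i--)
        ops[hooknum][i] = ops[hooknum][i - 1];
    ops[hooknum][i].hook = fn;
    ops[hooknum][i].priority = priority;
}

/* Model of the NF_HOOK() macro: run the chain in priority order; the first
 * NF_DROP ends the packet (-1), otherwise okfn() carries it to the next stage */
static int NF_HOOK(int hooknum, struct packet *p, int (*okfn)(struct packet *))
{
    int i;
    for (i = 0; i < nops[hooknum]; i++)
        if (ops[hooknum][i].hook(hooknum, p) == NF_DROP)
            return -1;
    return okfn(p);
}

/* Hook function 1 (registered on all five): record each hook the packet visits */
static unsigned int trace_hook(unsigned int hooknum, struct packet *p)
{ trace_add(p, hook_name[hooknum]); return NF_ACCEPT; }
/* Hook function 2 (FORWARD only): a one-rule filter dropping traffic to one host */
static const char *BLOCKED_DST = "203.0.113.9";
static unsigned int forward_filter(unsigned int hooknum, struct packet *p)
{ (void)hooknum; return strcmp(p->dst, BLOCKED_DST) == 0 ? NF_DROP : NF_ACCEPT; }

/* The IP layer path stage by stage; each comment names the hook that stage runs */
static const char *LOCAL_ADDR = "192.0.2.1";       /* this host's own address */
static int ip_finish_output2(struct packet *p) { trace_add(p, "driver"); return 0; }
static int ip_finish_output(struct packet *p)      /* POSTROUTING, then the driver */
{ return NF_HOOK(NF_IP_POST_ROUTING, p, ip_finish_output2); }
static int ip_local_deliver_finish(struct packet *p) { trace_add(p, "transport"); return 0; }
static int ip_local_deliver(struct packet *p)      /* INPUT, then the transport layer */
{ return NF_HOOK(NF_IP_LOCAL_IN, p, ip_local_deliver_finish); }
static int ip_forward_finish(struct packet *p) { return ip_finish_output(p); } /* ip_send() */
static int ip_forward(struct packet *p)            /* FORWARD */
{ return NF_HOOK(NF_IP_FORWARD, p, ip_forward_finish); }
static int ip_rcv_finish(struct packet *p)         /* ip_route_input(): local or forward? */
{ return strcmp(p->dst, LOCAL_ADDR) == 0 ? ip_local_deliver(p) : ip_forward(p); }
static int ip_rcv(struct packet *p)                /* PREROUTING, then the routing decision */
{ return NF_HOOK(NF_IP_PRE_ROUTING, p, ip_rcv_finish); }
static int ip_queue_xmit(struct packet *p)         /* locally generated: OUTPUT first */
{ return NF_HOOK(NF_IP_LOCAL_OUT, p, ip_finish_output); }

static void setup_hooks(void)
{
    static int done; int h;
    if (done) return;
    done = 1;
    for (h = 0; h < NF_IP_NUMHOOKS; h++)
        nf_register_hook(h, trace_hook, -200);           /* observe before filtering */
    nf_register_hook(NF_IP_FORWARD, forward_filter, 0);  /* NF_IP_PRI_FILTER */
}

/* Run one packet: from_wire=1 enters at ip_rcv(), 0 at ip_queue_xmit().
 * Returns 0 when delivered or sent on, -1 when a hook dropped it. */
static struct packet last;
int run_packet(int from_wire, const char *dst)
{
    setup_hooks();
    memset(&last, 0, sizeof last);
    last.src = from_wire ? "198.51.100.5" : LOCAL_ADDR;
    last.dst = dst;
    return from_wire ? ip_rcv(&last) : ip_queue_xmit(&last);
}
const char *last_trace(void) { return last.trace; }  /* stages of the last packet */

int main(void)
{
    const char *dsts[] = { LOCAL_ADDR, "198.51.100.7", BLOCKED_DST, "198.51.100.7" };
    int i, v;
    for (i = 0; i < 4; i++) {            /* three packets off the wire, then one sent */
        v = run_packet(i < 3, dsts[i]);
        printf("%s -> %-13s verdict %2d  %s\n", i < 3 ? "rx" : "tx", dsts[i], v, last_trace());
    }
    return 0;
}
```

Build and run it with cc -o nfmodel nfmodel.c && ./nfmodel; each line shows the hooks one packet passed and the final verdict. The model flattens some intermediate 2.4 functions (the real ip_queue_xmit() reaches ip_finish_output() through ip_queue_xmit2() and ip_output()), which does not change which hooks are run or in what order.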