1. "That is to say, the rest of the packets will not be automatically processed by going through this table again, but will be NATed one by one. This is the main reason why we should not perform any filtering in this table." This passage says that we cannot filter in the nat table because of Linux connection tracking: only the first packet of each stream goes through the nat table, the result of the matched rule is written into the connection-tracking data structure, and every following packet is handled by looking up that conntrack entry directly instead of traversing the nat table again. If filtering is done in the nat table, only the first packet can match the rule; the packets behind it never do. Maybe you will ask: can the packets behind the first one fail? In fact, let's just give two simple examples: first, UDP packets; second, the first packet of a TCP connection, with filter rules then set in the nat table.
2. Why does DNAT have a hook in the OUTPUT chain? A DNAT router divides all the hosts in the world into three categories: hosts on one side of its NIC, hosts on the other side of its NIC, and itself. All requests not sent by the router itself pass through the PREROUTING chain and are then forwarded, so DNAT is done in PREROUTING; requests sent by the router itself, however, go through the OUTPUT chain and never pass PREROUTING. Therefore DNAT must also be performed in the OUTPUT chain.
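As an added illustration (not code from the original post), the following Python model reproduces the two behaviours described in items 1 and 2: the nat table is walked only for the first packet of a flow and the result is cached in a conntrack entry, and locally generated packets enter at OUTPUT rather than PREROUTING. The Packet, Rule and Router classes, the addresses and the rules are all constructed for the demo; it models the traversal order, not the kernel's own code.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    local_origin: bool = False   # generated on this host -> enters at OUTPUT

    def flow_key(self) -> FlowKey:
        # conntrack keys the flow on its original-direction tuple
        return (self.src, self.dst, self.dport)


@dataclass
class Rule:
    table: str                         # "nat" or "filter"
    chain: str                         # "PREROUTING", "OUTPUT" or "FORWARD"
    match: Callable[[Packet], bool]
    target: str                        # "DNAT" or "DROP"
    to: Optional[str] = None           # DNAT destination


class Router:
    """Toy model of the hook order and of the first-packet-only nat lookup."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Dict[FlowKey, Optional[str]] = {}   # flow -> cached DNAT target
        self.nat_table_lookups = 0

    def _first_match(self, table: str, chain: str, pkt: Packet) -> Optional[Rule]:
        for rule in self.rules:
            if rule.table == table and rule.chain == chain and rule.match(pkt):
                return rule
        return None

    def send(self, pkt: Packet) -> Optional[str]:
        """Push one packet through the hooks; return its final destination, or None if dropped."""
        key = pkt.flow_key()
        if key in self.conntrack:
            # Not the first packet of the flow: replay the cached decision,
            # the nat table is not consulted again.
            dnat_to = self.conntrack[key]
        else:
            # First packet: walk the nat table in PREROUTING (forwarded traffic)
            # or OUTPUT (locally generated), since OUTPUT never passes PREROUTING.
            self.nat_table_lookups += 1
            rule = self._first_match("nat", "OUTPUT" if pkt.local_origin else "PREROUTING", pkt)
            if rule is not None and rule.target == "DROP":
                return None            # dropped before any conntrack entry is confirmed
            dnat_to = rule.to if rule is not None and rule.target == "DNAT" else None
        # The filter table is evaluated for every packet of the flow.
        rule = self._first_match("filter", "OUTPUT" if pkt.local_origin else "FORWARD", pkt)
        if rule is not None and rule.target == "DROP":
            return None
        # POSTROUTING: the conntrack entry is confirmed once the packet leaves.
        self.conntrack.setdefault(key, dnat_to)
        return dnat_to or pkt.dst


def demo_filter_in_nat() -> Tuple[List[Optional[str]], List[Optional[str]], int]:
    """Item 1: a payload match placed in the nat table sees only the first packet."""
    has_marker = lambda p: b"BAD" in p.payload
    flow = [Packet("10.0.0.2", "198.51.100.7", 80, b"SYN"),
            Packet("10.0.0.2", "198.51.100.7", 80, b"GET /BAD"),
            Packet("10.0.0.2", "198.51.100.7", 80, b"more BAD")]
    in_nat = Router([Rule("nat", "PREROUTING", has_marker, "DROP")])
    in_filter = Router([Rule("filter", "FORWARD", has_marker, "DROP")])
    return ([in_nat.send(p) for p in flow],
            [in_filter.send(p) for p in flow],
            in_nat.nat_table_lookups)


def demo_dnat_output() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Item 2: a DNAT rule only in PREROUTING never sees locally generated packets."""
    to_public = lambda p: p.dst == "203.0.113.10" and p.dport == 443
    forwarded = Packet("192.168.1.5", "203.0.113.10", 443)
    local = Packet("192.168.1.1", "203.0.113.10", 443, local_origin=True)
    pre_only = Router([Rule("nat", "PREROUTING", to_public, "DNAT", to="192.168.1.50")])
    both = Router([Rule("nat", "PREROUTING", to_public, "DNAT", to="192.168.1.50"),
                   Rule("nat", "OUTPUT", to_public, "DNAT", to="192.168.1.50")])
    return pre_only.send(forwarded), pre_only.send(local), both.send(local)


if __name__ == "__main__":
    print(demo_filter_in_nat())
    print(demo_dnat_output())
```

In the first demo the "BAD" marker appears only from the second packet on, so the rule in the nat table is never evaluated against it and every packet of the flow is delivered (the nat table was walked exactly once), while the same rule in the filter table drops the second and third packets. In the second demo the forwarded packet is rewritten by the PREROUTING rule, the router's own packet is not, and it is rewritten only once the same rule also exists in the nat OUTPUT chain.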
3. REJECT is a very nice target, because it spares the source the busy wait that occurs when a request is silently dropped by an intermediate router after the connection attempt is sent. However, there are only a few kinds of notification, namely TCP reset and ICMP, and both have their problems: TCP reset cannot be used for UDP, and the ICMP message may be discarded on its way back to the source host.
4. QUEUE is a very interesting target: it lets user space decide how to handle the packet.
5. MASQUERADE selects the source IP address according to a certain policy in the kernel. It really is "a certain policy", and the kernel implementation varies greatly, so pay attention to it.
6. The Dead Gateway Detection mechanism of Windows is a lame mechanism. First, its algorithm is silly. Second, if you did not configure it yourself, why should the system configure it for you? Most of the time you will find that a static route is configured on Windows, but when the next hop of the static route becomes unreachable, route print shows that the route has inexplicably been changed and its next hop replaced...
7. PF_PACKET is provided directly on Unix. It not only captures packets, but also lets you completely bypass the TCP/IP protocol stack, including routing and netfilter, and send data straight to the network card. Everything works, and you can define your own protocol.
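The following is an added example of what item 7 describes, written for this page rather than taken from the original post: a tiny custom layer-2 protocol framed directly in Ethernet and handed to the NIC through a Linux PF_PACKET (AF_PACKET) raw socket. The EtherType 0x88B5 (an IEEE 802 local-experimental value), the demo header layout and the MAC addresses are all chosen for the demo; sending and receiving need CAP_NET_RAW.

```python
import socket
import struct

ETH_P_ALL = 0x0003          # receive every protocol (Linux if_ether.h)
ETH_P_DEMO = 0x88B5         # IEEE 802 "local experimental" EtherType, chosen for this demo
ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
DEMO_HDR = struct.Struct("!BH")     # our own header: version, payload length


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, payload: bytes, version: int = 1) -> bytes:
    """Assemble a complete Ethernet frame carrying the demo protocol."""
    return (ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_DEMO)
            + DEMO_HDR.pack(version, len(payload))
            + payload)


def parse_frame(frame: bytes):
    """Return (dst, src, version, payload) for a demo frame, or None if it is
    another protocol or malformed. Trailing bytes (Ethernet padding) are ignored."""
    if len(frame) < ETH_HDR.size + DEMO_HDR.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_DEMO:
        return None
    version, length = DEMO_HDR.unpack_from(frame, ETH_HDR.size)
    body = frame[ETH_HDR.size + DEMO_HDR.size:]
    if len(body) < length:
        return None                    # truncated: declared length exceeds what arrived
    return mac_str(dst), mac_str(src), version, body[:length]


def send_raw(ifname: str, frame: bytes) -> int:
    """Hand the frame to the NIC directly. Needs CAP_NET_RAW; the frame never
    touches IP routing or netfilter, so no iptables rule can see it."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((ifname, 0))
        return s.send(frame)


def recv_demo(ifname: str, timeout: float = 5.0):
    """Read frames of our EtherType until a well-formed one arrives (or timeout)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_DEMO)) as s:
        s.bind((ifname, 0))
        s.settimeout(timeout)
        while True:
            parsed = parse_frame(s.recv(65535))
            if parsed is not None:
                return parsed


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # interface name is an assumption
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"hello from layer 2")
    print(parse_frame(frame))
    sent = send_raw(iface, frame)      # root / CAP_NET_RAW only
    print(f"sent {sent} bytes on {iface}")
```

Because such frames skip the IP stack entirely, the practical consequences for a defender are the two stated in the item: iptables rules never see this traffic, so link-layer tooling (tcpdump, ebtables or an nftables netdev-family table) is where it has to be observed, and restricting CAP_NET_RAW is what limits who can emit it.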
8. Why does the bridge have filter hooks at the IP layer? Because Linux hosts are often configured as both bridge and router. A Linux bridge can filter layer-2 data based on layer-3 information.
9. The NAT module in kernels before Linux 2.6.10 has a problem. First, the checksum is invalidated in the final hook function ip_nat_fn, which is unnecessary because many packets are not NATed at all and just pass through; the best way is to invalidate the checksum only for packets that really need NAT. That is a defect, but the biggest drawback is that it is not clean: in the checksum-invalidation function, if the skb has more than one user, a copy of the skb is made and passed on, but the TSO information is not copied along with it, so after netfilter the system misjudges whether segmentation is needed, because skb_shinfo(skb)->tso_size is 0:

    /* in ip_output(): software fragmentation unless the NIC will do TSO */
    if ((skb->len > dst_pmtu(skb->dst) || skb_shinfo(skb)->frag_list) &&
        !skb_shinfo(skb)->tso_size)
        return ip_fragment(skb, ip_finish_output);
Therefore, even if the network adapter has TSO capability, the packet is segmented in software; worse, when the application has path-MTU discovery enabled and the skb length exceeds the MTU, an ICMP error is also generated, which greatly delays the application's response time. Fortunately this problem was fixed after 2.6.10; from 2.6.1x (x > 8) on, the checksum is no longer invalidated for packets that do not need NAT... Alas... I found the problem independently, but was a little late in solving it. I am satisfied with my ability, but my speed was not fast enough!