Archive for March, 2003

Netfilter arch in IPv4

Posted on March 6, 2003. Filed under: Linux, Services

Netfilter architecture in IPv4

A Packet Traversing the Netfilter System:

           --->[1]--->[ROUTE]--->[3]--->[4]--->
                 |            ^
                 |            |
                 |         [ROUTE]
                 v            |
                [2]          [5]
                 |            ^
                 |            |
                 v            |

Packets come in from the left. After verification of the IP checksum, the packets hit the NF_IP_PRE_ROUTING [1] hook.

Next they enter the routing code, which decides if the packets are local or have to be passed to another interface.

If the packets are considered to be local, they traverse the NF_IP_LOCAL_IN [2] hook and get passed to the process (if any) afterwards.

If the packets are routed to another interface, they pass the NF_IP_FORWARD [3] hook.

The packets pass a final netfilter hook, NF_IP_POST_ROUTING [4], before they get transmitted on the target interface.

The NF_IP_LOCAL_OUT [5] hook is called for locally generated packets. Here you can see that routing occurs after this hook is called: in fact, the routing code is called first (to figure out the source IP address and some IP options), and called again if the packet is altered.

Locally generated packets hit NF_IP_POST_ROUTING [4], too.


Kernel modules can register a callback function for each one of these hooks. This callback function is called for each packet traversing the hook. The module is free to alter the packet. It has to return one of these constants to netfilter:

  • NF_ACCEPT continue traversal as normal
  • NF_DROP drop the packet; do not continue traversal
  • NF_STOLEN I’ve taken over the packet; do not continue traversal
  • NF_QUEUE queue the packet (usually for userspace handling)
  • NF_REPEAT call this hook again
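As an added illustration (not kernel code and not part of the original post), the following userspace C model replays the traversal above: callbacks are registered per hook, the five hooks are walked in the order the diagram shows, and the verdicts are applied with the semantics listed (NF_REPEAT re-invokes the callback, anything but NF_ACCEPT ends traversal). The packet structure, the verdict values and the two sample callbacks are constructed for the model.

```c
/* Verdicts a callback may return, as listed on the page (values are the model's own). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };
/* Hook numbers follow the bracketed labels [1]..[5] in the page's diagram. */
enum { NF_IP_PRE_ROUTING = 1, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_POST_ROUTING, NF_IP_LOCAL_OUT, NF_IP_NUMHOOKS };
enum { MAX_CB = 4, REPEAT_LIMIT = 8 };
struct pkt { unsigned dst_port; int local; int ttl; };  /* constructed packet model */
typedef int (*nf_hookfn)(struct pkt *);
static nf_hookfn hooks[NF_IP_NUMHOOKS][MAX_CB];
static int nhooks[NF_IP_NUMHOOKS];

/* Register a callback on one hook; in this model registration order is call order. */
int nf_register_hook(int hooknum, nf_hookfn fn) {
    if (hooknum < 1 || hooknum >= NF_IP_NUMHOOKS || nhooks[hooknum] >= MAX_CB)
        return -1;
    hooks[hooknum][nhooks[hooknum]++] = fn;
    return 0;
}

/* Call each callback on a hook. NF_REPEAT re-invokes the same callback (with a
 * guard against looping forever); any verdict but NF_ACCEPT stops traversal here. */
static int nf_hook(int hooknum, struct pkt *p) {
    for (int i = 0; i < nhooks[hooknum]; i++) {
        int v, repeats = 0;
        while ((v = hooks[hooknum][i](p)) == NF_REPEAT)
            if (++repeats > REPEAT_LIMIT) return NF_DROP;
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Walk the hooks in the page's order: incoming packets hit PRE_ROUTING, then
 * LOCAL_IN (local) or FORWARD + POST_ROUTING (forwarded); locally generated ones
 * hit LOCAL_OUT then POST_ROUTING. Returns the hook that stopped traversal, or 0. */
int nf_traverse(struct pkt *p, int outgoing, int *verdict) {
    int path[3], n = 0;
    if (outgoing) { path[n++] = NF_IP_LOCAL_OUT; path[n++] = NF_IP_POST_ROUTING; }
    else {
        path[n++] = NF_IP_PRE_ROUTING;
        if (p->local) path[n++] = NF_IP_LOCAL_IN;
        else { path[n++] = NF_IP_FORWARD; path[n++] = NF_IP_POST_ROUTING; }
    }
    for (int i = 0; i < n; i++)
        if ((*verdict = nf_hook(path[i], p)) != NF_ACCEPT) return path[i];
    return 0;
}

/* Example callbacks (constructed): refuse to forward traffic to port 23, and
 * decrement TTL on forward, dropping the packet once it reaches zero. */
static int no_forward_telnet(struct pkt *p) { return p->dst_port == 23 ? NF_DROP : NF_ACCEPT; }
static int forward_ttl_dec(struct pkt *p) { return --p->ttl > 0 ? NF_ACCEPT : NF_DROP; }
```

Because both callbacks sit on NF_IP_FORWARD, a locally delivered packet to port 23 passes untouched while the same packet being forwarded is dropped, which is exactly the distinction the [2] versus [3] branch in the diagram makes.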