![]() hook trigger pointsįor different protocols (IPv4, IPv6 or ARP, etc.), the Linux kernel network stack triggers the corresponding hooks at predefined locations along the packet processing path of the protocol stack. The primary component of netfilter is netfilter hooks. The processing flow at the transport layer is beyond the scope of this article and is actually much more complex. If the socket is unlocked, the packet will enter the prequeue queue by calling the tcp_prequeue function, after which the packet will be available for processing by the user program in the user state. The function next calls _tcp_v4_lookup to look up the socket corresponding to the packet, and if it does not find it or if the socket’s connection status is TCP_TIME_WAIT, the packet is discarded. The tcp_v4_rcv function also reads the TCP header of the packet and calculates the checksum, and then maintains some necessary state in the TCP control buffer corresponding to the packet, including the TCP sequence number and SACK number. In this example, the tcp_v4_rcv function for TCP protocol will be called, and then the packet processing will enter the transport layer. The ip_local_deliver function will determine the protocol type of the packet based on the protocol number in the IP header, and finally call the packet processing function of the corresponding type. Assuming the destination of the packet is this host, the next dst_input function will call the ip_local_deliver function. The ip_rcv_finish function is then executed to route the packet and decide whether to deliver the packet locally or forward it to another host. ip_rcv checks the IP initials of the packet and discards the erroneous packets, and aggregates the sliced IP packets if necessary. This is shown in the following figure.Īssuming the packet is an IP protocol packet, the corresponding receive packet processing function ip_rcv is called and the packet processing enters the network (IP) layer. The packets can be considered as sk_buffer), and finally the netif_receive_skb function is called to sort the packets by protocol type and jump to the corresponding processing function. After a series of interrupts and scheduling, the OS kernel calls _skb_dequeue to add the packet to the processing queue of the corresponding device and converts it into a sk_buffer type (i.e., socket buffer - the _skb_dequeue). the chain of kernel code calls for processing network packets, can be broadly divided into multiple layers according to the TCP/IP model, taking the reception of an IPv4 tcp packet as an example.Īt the physical-network device layer, the NIC writes the received packet to a ring buffer in memory via DMA. The packet processing path in the kernel, i.e. In order to thoroughly understand how netfilter works, we first need to establish a basic understanding of the packet processing path in the Linux kernel. The definition of netfilter is a network packet processing framework that works in the Linux kernel. This article assumes that the reader already has a basic understanding of the TCP/IP protocol. This article mainly refers to the Linux kernel code version 2.6 (earlier versions are simpler), which may differ significantly from the latest version 5.x, but the basic design has not changed much and does not affect the understanding of its principles. Most of the introductory articles on netfilter describe only abstract concepts, but the basic implementation of the kernel code is not too complicated. ![]() ![]() Many common host firewall applications as well as Kubernetes service forwarding are implemented with iptables. Netfilter (in conjunction with iptables) enables user-space applications to register the processing rules applied by the kernel network stack when processing packets, enabling efficient network forwarding and filtering.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |