The Linux netfilter is a framework in the kernel that allows modules to observe and modify packets as they pass through the protocol stack. Each protocol family (IPv4 / IPv6) provides several processing points in the stack where a packet of that protocol is passed to a filter. These points are referred to as hook points or hook types. Kernel modules can register custom hooks (filters) by protocol family and by the point in packet processing at which the filter is to be invoked.
There are 5 hook types defined for the IPv4 protocol, as shown in the figure below (marked in yellow), at five different stages.
S.No. | Hook Type | Processing Point
1 | PreRoute | Packets that come in after passing the checksum checks
2 | LocalIn | If the packet is destined for this machine
3 | Forwarding | If the packet is destined for another interface
4 | LocalOut | Packets coming from a local process
5 | PostRoute | Packets about to hit the wire
1. An ingress packet for which DNAT and SNAT are not required shall take the path below:
   Ingress -> Netfilter Kernel Module -> Routing Decision -> LocalIn
2. An egress packet that is generated by the machine shall follow the path below:
   LocalOut -> PostRoute -> Netfilter Kernel Module -> PostRoute -> Egress
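The registration and dispatch model described above, as an added userspace C model that is not from the original post and is not kernel code: it mirrors the shape of the kernel's struct nf_hook_ops and nf_register_net_hook() with a constructed toy packet, so the hook-point selection, priority ordering and the two traversal paths can be exercised without loading a module.

```c
#include <stdint.h>

/* Verdicts and IPv4 hook points, same names and values as the kernel's uapi headers. */
enum { NF_DROP = 0, NF_ACCEPT = 1 };
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Toy packet (constructed for this model): only the fields a simple filter inspects. */
struct pkt { uint32_t saddr, daddr; uint16_t dport; };
typedef unsigned int (*nf_hookfn)(const struct pkt *p);
/* Mirrors struct nf_hook_ops: callback, hook point, priority (lower value runs first). */
struct nf_hook_ops { nf_hookfn hook; int hooknum; int priority; };

#define MAX_HOOKS 8
static struct nf_hook_ops chains[NF_INET_NUMHOOKS][MAX_HOOKS];
static int nchain[NF_INET_NUMHOOKS];

/* Model of nf_register_net_hook(): insert into the chain for ops->hooknum, kept sorted by priority. */
int nf_register_hook(const struct nf_hook_ops *ops)
{
    if (ops->hooknum < 0 || ops->hooknum >= NF_INET_NUMHOOKS) return -1;
    struct nf_hook_ops *c = chains[ops->hooknum];
    int i = nchain[ops->hooknum];
    if (i == MAX_HOOKS) return -1;
    for (; i > 0 && c[i - 1].priority > ops->priority; i--) c[i] = c[i - 1];
    c[i] = *ops;
    nchain[ops->hooknum]++;
    return 0;
}

/* Run every filter registered at one hook point; the first NF_DROP ends the traversal. */
unsigned int nf_hook_run(int hooknum, const struct pkt *p)
{
    for (int i = 0; i < nchain[hooknum]; i++)
        if (chains[hooknum][i].hook(p) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}

/* The two paths from the post: PreRoute -> routing decision -> LocalIn, and LocalOut -> PostRoute. */
unsigned int path_ingress_local(const struct pkt *p)
{
    return nf_hook_run(NF_INET_PRE_ROUTING, p) == NF_DROP ? NF_DROP : nf_hook_run(NF_INET_LOCAL_IN, p);
}
unsigned int path_egress(const struct pkt *p)
{
    return nf_hook_run(NF_INET_LOCAL_OUT, p) == NF_DROP ? NF_DROP : nf_hook_run(NF_INET_POST_ROUTING, p);
}

/* Example filters: refuse inbound packets to TCP port 23 before routing; count what reaches a later hook. */
unsigned int drop_port23(const struct pkt *p) { return p->dport == 23 ? NF_DROP : NF_ACCEPT; }
int seen_pkts;
unsigned int count_pkts(const struct pkt *p) { (void)p; seen_pkts++; return NF_ACCEPT; }
```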