Netfilter's relationship with each HOOK
Recently friends have been asking more and more questions about the kernel's network internals. I had analyzed the 2.2 network source code and am familiar with BSD, but I noticed that, with the improved SMP support and the rewrite of the firewall section, the network code at the IP layer has changed. At the invitation of netizen XUMEI_BIT I helped analyze the firewall portion, so I will take this opportunity to share my own understanding with everyone.

First, the Netfilter hooks. There are currently five: PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT. Compared with ipchains in 2.2, PREROUTING and POSTROUTING are new; they exist to support NAT.

Now assume an IP packet arrives from the physical network. It is received by the ip_rcv() function, which at its end uses the firewall macro to hand control to the PREROUTING rule chain. If the packet is not filtered out, ip_rcv_finish() consults the routing table and decides whether the packet is destined for the local machine or is to be forwarded to another network.

If it is for the local machine, ip_local_deliver() is called; this function ends by calling the firewall macro to process the INPUT rule chain. After that the packet is handed to the transport layer and on up to the user process in the application layer.

If it is to be forwarded, the routing-table function ip_route_input() called in ip_rcv_finish() leads to ip_forward(), which executes the rules in the FORWARD chain through the firewall macro. Finally ip_forward_finish() calls ip_send() to emit the packet; before it goes out, however, the rules in POSTROUTING are executed through the firewall macro, and only then is the packet given to the driver and onto the physical network.

One hook remains: OUTPUT. When the local machine itself wants to send a packet, the OUTPUT rules are processed first, before POSTROUTING.
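The three paths described above (local delivery, forwarding, and locally generated traffic) each pass through a different sequence of hooks, and a rule only takes effect if it sits in a chain that the packet actually traverses. The following is an added example, not code from the original post or from the kernel: a small Python model of that traversal order in which the `Host`, `Packet` and `Rule` types, the addresses, and the rule set are all constructed for illustration. It mirrors the call sequence ip_rcv -> PREROUTING -> routing decision -> INPUT or FORWARD -> POSTROUTING, and OUTPUT -> POSTROUTING for packets the host itself sends.

```python
"""Toy model of the Netfilter hook traversal order (constructed example).

This is not kernel code. It only reproduces the sequence of hooks a
packet meets on each of the three paths, so you can see which chain a
rule must live in to affect a given packet.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING = (
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# A rule is a predicate on the packet plus the verdict returned on match.
Rule = Tuple[Callable[[Packet], bool], str]


@dataclass
class Host:
    # Addresses the routing decision treats as "deliver locally".
    local_addrs: FrozenSet[str]
    chains: Dict[str, List[Rule]] = field(
        default_factory=lambda: {h: [] for h in
                                 (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING)})

    def add_rule(self, chain: str, match: Callable[[Packet], bool], verdict: str) -> None:
        self.chains[chain].append((match, verdict))

    def _hook(self, chain: str, pkt: Packet, trace: List[str]) -> str:
        """Stand-in for the firewall (NF_HOOK) macro: first matching rule
        decides, otherwise the chain's default is ACCEPT."""
        trace.append(chain)
        for match, verdict in self.chains[chain]:
            if match(pkt):
                return verdict
        return ACCEPT

    def receive(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Packet arriving from the wire (the ip_rcv path).
        Returns (final verdict, list of hooks traversed)."""
        trace: List[str] = []
        if self._hook(PREROUTING, pkt, trace) == DROP:
            return DROP, trace
        # ip_rcv_finish: routing decision.
        if pkt.dst in self.local_addrs:
            # ip_local_deliver: INPUT hook, then up to the transport layer.
            return self._hook(INPUT, pkt, trace), trace
        # ip_forward: FORWARD hook, then ip_forward_finish -> ip_send -> POSTROUTING.
        if self._hook(FORWARD, pkt, trace) == DROP:
            return DROP, trace
        return self._hook(POSTROUTING, pkt, trace), trace

    def send(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Packet generated by a local process: OUTPUT, then POSTROUTING."""
        trace: List[str] = []
        if self._hook(OUTPUT, pkt, trace) == DROP:
            return DROP, trace
        return self._hook(POSTROUTING, pkt, trace), trace


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenario: a single INPUT rule dropping port 23."""
    host = Host(local_addrs=frozenset({"192.0.2.1"}))  # constructed address
    # Blocking telnet *to this box* belongs in INPUT; forwarded packets never
    # pass through INPUT, so this rule does nothing for them.
    host.add_rule(INPUT, lambda p: p.dport == 23, DROP)
    to_me = Packet("198.51.100.7", "192.0.2.1", 23)
    through_me = Packet("198.51.100.7", "203.0.113.9", 23)
    from_me = Packet("192.0.2.1", "203.0.113.9", 23)
    return {
        "local": host.receive(to_me),
        "forward": host.receive(through_me),
        "output": host.send(from_me),
    }


if __name__ == "__main__":
    for name, (verdict, hooks) in demo().items():
        print(f"{name:8s} {verdict:7s} via {' -> '.join(hooks)}")
```

Running `demo()` shows the point of the post: the packet addressed to the host is dropped at INPUT after passing PREROUTING, the packet being forwarded to the same port sails through PREROUTING, FORWARD and POSTROUTING untouched because it never visits INPUT, and the locally generated packet sees only OUTPUT and POSTROUTING. A rule meant to filter traffic routed through the machine therefore has to be placed in FORWARD, not INPUT.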