Monday, April 18, 2005

Linux Netfilter Revisit

The netfilter architecture in Linux kernel 2.4 and above makes packet filtering in the kernel IP stack much easier: all you need to do is implement your "hooks" and place them at specific points in the kernel stack. Below is the picture from Paul "Rusty" Russell's 2000 Linux Journal article "Writing Modules for Netfilter".



Note that connection tracking is done in PRE_ROUTING and LOCAL_OUT, while NAT is done in PRE_ROUTING (destination NAT, such as port forwarding, for incoming connections), LOCAL_OUT (destination NAT), and POST_ROUTING (source NAT, including masquerading, for outgoing connections).
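To make the hook placement in the figure concrete, here is an added userspace model of the five hook points and the paths a packet takes between them; it is not code from the article or from the kernel. It assumes the kernel's hook names and priority values (DNAT at -100 before filter at 0) and uses made-up addresses and ports, and it shows why destination NAT has to sit in PRE_ROUTING: the routing decision comes after it, so a port-forwarded packet is routed and filtered on its rewritten destination.

```c
#include <string.h>

/* Constructed userspace model of the 2.4 netfilter hook layout; not kernel code. The hook
 * names and priorities (-100 for DNAT, 0 for filter) mirror the kernel's NF_IP_* and
 * NF_IP_PRI_* constants; the addresses and ports below are made up. */
enum hook { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUM_HOOKS };
enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };
struct pkt { const char *dst; int dport; int from_wire; unsigned visited; };
typedef int (*hook_fn)(struct pkt *p);
struct hook_ops { hook_fn fn; int priority; };
#define MAX_OPS 4
static struct hook_ops chain[NUM_HOOKS][MAX_OPS];
static int nops[NUM_HOOKS];
static const char *LOCAL_ADDR = "192.0.2.1"; /* this host's own address */
/* Like nf_register_hook: each hook's list stays sorted so lower priority runs first. */
static void register_hook(enum hook h, hook_fn fn, int prio) {
    int i = nops[h]++;
    while (i > 0 && chain[h][i - 1].priority > prio) { chain[h][i] = chain[h][i - 1]; i--; }
    chain[h][i].fn = fn; chain[h][i].priority = prio;
}
/* DNAT: forward 192.0.2.1:8080 to an internal web server. Filter: drop telnet. */
static int dnat_hook(struct pkt *p) {
    if (strcmp(p->dst, LOCAL_ADDR) == 0 && p->dport == 8080) { p->dst = "10.0.0.5"; p->dport = 80; }
    return NF_ACCEPT;
}
static int filter_hook(struct pkt *p) { return p->dport == 23 ? NF_DROP : NF_ACCEPT; }
void setup_hooks(void) {
    if (nops[PRE_ROUTING]) return;                 /* already registered */
    register_hook(PRE_ROUTING, filter_hook, 0);    /* registered first, but sorted after DNAT */
    register_hook(PRE_ROUTING, dnat_hook, -100);
    register_hook(LOCAL_IN, filter_hook, 0);
    register_hook(FORWARD, filter_hook, 0);
}
/* Run one hook point; the first NF_DROP ends processing, as in nf_hook_slow. */
static int run_hook(enum hook h, struct pkt *p) {
    p->visited |= 1u << h;
    for (int i = 0; i < nops[h]; i++) if (chain[h][i].fn(p) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}
/* The paths in the figure. Routing happens after PRE_ROUTING, so a packet DNATed there
 * is routed (and filtered in FORWARD) on its rewritten destination. */
int traverse(struct pkt *p) {
    if (p->from_wire) {
        if (run_hook(PRE_ROUTING, p) == NF_DROP) return NF_DROP;
        if (strcmp(p->dst, LOCAL_ADDR) == 0) return run_hook(LOCAL_IN, p);
        if (run_hook(FORWARD, p) == NF_DROP) return NF_DROP;
    } else if (run_hook(LOCAL_OUT, p) == NF_DROP) return NF_DROP;
    return run_hook(POST_ROUTING, p);
}
```

Call setup_hooks() once, then feed packets to traverse(); the visited bitmask records which hook points the packet passed through.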

A very nice figure of the 2.4 kernel's IP handling is here.
