-
Notifications
You must be signed in to change notification settings - Fork 51
Kernel Packet Traveling Diagram
MihaiC edited this page Jan 15, 2020
·
1 revision
Network
-----------+-----------
|
+--------------------------+
+-------+-------+ +---------+---------+
| IPCHAINS | | IPTABLES |
| INPUT | | PREROUTING |
+-------+-------+ | +-------+-------+ |
| | | conntrack | |
| | +-------+-------+ |
| | | mangle | | <- MARK WRITE
| | +-------+-------+ |
| | | IMQ | |
| | +-------+-------+ |
| | | nat | | <- DEST REWRITE
| | +-------+-------+ | DNAT or REDIRECT or DE-MASQUERADE
| +---------+---------+
+------------+-------------+
|
+-------+-------+
| TC/QOS |
| INGRESS |
+-------+-------+
|
packet is for +-------+-------+ packet is for
this machine | TC/INPUT | another address
+--------------+ ROUTING +--------------+
| | + PDBB | |
| +---------------+ |
+-------+-------+ |
| IPTABLES | |
| INPUT | |
| +-----+-----+ | |
| | mangle | | |
| +-----+-----+ | |
| | filter | | |
| +-----+-----+ | |
+-------+-------+ |
| +---------------------------+
+-------+-------+ | |
| Local | +-------+-------+ +-------+-------+
| Process | | IPCHAINS | | IPTABLES |
+-------+-------+ | FORWARD | | FORWARD |
| +-------+-------+ | +-----+-----+ |
+-------+-------+ | | | mangle | | <- MARK WRITE
| TC/OUTPUT | | | +-----+-----+ |
| ROUTING | | | | filter | |
+-------+-------+ | | +-----+-----+ |
| | +-------+-------+
+-------+-------+ | |
| IPTABLES | +---------------------------+
| OUTPUT | |
| +-----------+ | |
| | conntrack | | |
| +-----+-----+ | |
| | mangle | | <- MARK WRITE |
| +-----+-----+ | |
| | nat | | <-DEST REWRITE |
| +-----+-----+ | DNAT or REDIRECT |
| | filter | | |
| +-----+-----+ | |
+-------+-------+ |
| |
+----------------------+----------------------+
|
+------------+------------+
| |
+-------+-------+ +---------+---------+
| IPCHAINS | | IPTABLES |
| OUTPUT | | POSTROUTING |
+-------+------- | +-------+-------+ |
| | | mangle | | <- MARK WRITE
| | +-------+-------+ |
| | | nat | | <- SOURCE REWRITE
| | +-------+-------+ | SNAT or MASQUERADE
| | | IMQ | |
| | +-------+-------+ |
| +---------+---------+
+------------+------------+
|
+------+------+
| TC/QOS |
| EGRESS |
+------+------+
|
-----------+-----------
Network
- Output routing : the local process selects a source address and a route. This route is attached to the packet and used later.
- Postrouting : there is also rerouting possible if netfilter changes some parts of the packets like address, tos, ... .
- RPDB : routing policy database, controlled by ip. That's also the place where the kernel does source validation and nexthop decision.
- IMQ : Packets put in the imq device travel also thru the "EGRESS" part of the diagram so you can use htb/cbq to control the packets in the imq device.
- ipchains : Yes, there is some ipchains code in kernel 2.4. If you load the ipchains module, you can't use iptables anymore. You can even load the ipfwadm module if you want ipfwadm support. So it's iptables, or ipchains, or ipfwadm, but no combination is possible.
- mangle : since kernel 2.4.18, you have a mangle table in all 5 netfilter hooks.
- IMQ in input comes before nat so IMQ does not know the real ip address. Ingress comes after nat, so ingress knows the real ip address.
- The input routing determines local/forward.
- ip rule (routing policy database RPDB) is input routing, more correctly, part of the input routing.
- The output routing is performed from "higher layer".
- nexthop and output device are determined both from the input and the output routing.
- The forwarding process is called at input routing by functions from specific places in the code. It executes after input routing and does not perform nexthop/outdev selection. It's the process of receiving and sending the same packet, but in the context of all these hooks the code that sends ICMP redirects (demanded from input routing), decrements the IP TTL, performs dumb NAT and calls the filter chain. This code is used only for forwarded packets.
- Sometimes the word "Forwarding" with "big F", is used for referencing both, the routing and forwarding process.
I remove conntrack from POSTROUTING. More info on https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html. See Chapter 7:
"All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTPUT chain. What this means is that iptables will do all recalculation of states and so on within the PREROUTING chain. If we send the initial packet in a stream, the state gets set to NEW within the OUTPUT chain, and when we receive a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED, and so on. If the first packet is not originated by ourself, the NEW state is set within the PREROUTING chain of course. So, all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table."