NETFILTER

pennie

Presentation Transcript


  1. NETFILTER. Reading: Chapter 19. FSU CIS 5930 Internet Protocols

  2. NETFILTER
     [Figure: packet paths through the NETFILTER hooks. Elements shown: Incoming packets; Device driver (input); CRC check, consistency check; NF_IP_PRE_ROUTING; Routing; NF_IP_LOCAL_IN (iptables: INPUT); Higher layers, local processes; NF_IP_FORWARD (iptables: FORWARD), forwarded packets; NF_IP_LOCAL_OUT (iptables: OUTPUT); Routing; NF_IP_POST_ROUTING; Device driver (output); Outgoing packets.]

  3. NETFILTER hooks
     • A means to insert packet filter code at well-defined locations
       • NF_IP_PRE_ROUTING
       • NF_IP_LOCAL_IN
       • NF_IP_FORWARD
       • NF_IP_LOCAL_OUT
       • NF_IP_POST_ROUTING

  4. NF_HOOK()

         /* No hooks registered: call okfn directly; otherwise walk the hook list. */
         #define NF_HOOK(pf, hook, skb, indev, outdev, okfn)                      \
                 (list_empty(&nf_hooks[(pf)][(hook)])                             \
                  ? (okfn)(skb)                                                   \
                  : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn)))

     One example:

         return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                        output_maybe_reroute);

  5. Register/unregister hook functions
     • Template of hook functions
     • nf_register_hook()
     • nf_unregister_hook()

         typedef unsigned int nf_hookfn(unsigned int hooknum,
                                        struct sk_buff **skb,
                                        const struct net_device *in,
                                        const struct net_device *out,
                                        int (*okfn)(struct sk_buff *));

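  6. struct nf_hook_ops

         struct nf_hook_ops {
                 struct list_head list;  /* links the entry into nf_hooks[pf][hooknum] */
                 nf_hookfn *hook;        /* hook function to call */
                 int pf;                 /* protocol family, e.g. PF_INET */
                 int hooknum;            /* hook point, e.g. NF_IP_LOCAL_IN */
                 int priority;           /* position within the hook list */
         };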
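
The registration and dispatch behaviour from slides 4 to 6, as an added userspace model in C (not code from the slides or from the kernel). `struct pkt`, `model_register_hook`, `model_unregister_hook`, `model_nf_hook` and the two sample hooks are hypothetical names; ordering hooks by ascending priority and returning `-EPERM` on a drop are stated from the kernel's behaviour, not from the slides, and the model treats every verdict other than NF_ACCEPT as a drop.

```c
#include <stdio.h>
#include <errno.h>

enum { NF_DROP = 0, NF_ACCEPT = 1 };       /* verdict values used by the kernel */
enum { NF_IP_LOCAL_IN = 1, NUMHOOKS = 5 }; /* hook number of the IPv4 LOCAL_IN point */

struct pkt { unsigned short dport; };      /* constructed stand-in for struct sk_buff */
typedef unsigned int hookfn(unsigned int hooknum, struct pkt **p);
struct hook_ops {                          /* mirrors struct nf_hook_ops (pf omitted) */
    struct hook_ops *next; hookfn *hook; int hooknum; int priority;
};
static struct hook_ops *hooks[NUMHOOKS];
static int seen, delivered;

/* Keep each list sorted by ascending priority: lower values run first. */
static void model_register_hook(struct hook_ops *reg) {
    struct hook_ops **pp = &hooks[reg->hooknum];
    while (*pp && (*pp)->priority <= reg->priority) pp = &(*pp)->next;
    reg->next = *pp;
    *pp = reg;
}
static void model_unregister_hook(struct hook_ops *reg) {
    struct hook_ops **pp = &hooks[reg->hooknum];
    while (*pp && *pp != reg) pp = &(*pp)->next;
    if (*pp) *pp = reg->next;
}
/* NF_HOOK: an empty list falls straight through to okfn; otherwise the
 * first verdict other than NF_ACCEPT ends the walk and okfn never runs. */
static int model_nf_hook(int hooknum, struct pkt *p, int (*okfn)(struct pkt *)) {
    for (struct hook_ops *h = hooks[hooknum]; h; h = h->next)
        if (h->hook(hooknum, &p) != NF_ACCEPT) return -EPERM;
    return okfn(p);
}
static unsigned int count_hook(unsigned int n, struct pkt **p) { (void)n; (void)p; seen++; return NF_ACCEPT; }
static unsigned int no_telnet(unsigned int n, struct pkt **p) { (void)n; return (*p)->dport == 23 ? NF_DROP : NF_ACCEPT; }
static int deliver(struct pkt *p) { (void)p; delivered++; return 0; }  /* plays okfn */
static struct hook_ops filter  = { NULL, no_telnet,  NF_IP_LOCAL_IN, 0 };
static struct hook_ops counter = { NULL, count_hook, NF_IP_LOCAL_IN, -100 };

int main(void) {
    struct pkt telnet = { 23 }, http = { 80 };   /* constructed sample packets */
    model_register_hook(&filter);
    model_register_hook(&counter);         /* registered later, still runs first */
    int t = model_nf_hook(NF_IP_LOCAL_IN, &telnet, deliver);
    int h = model_nf_hook(NF_IP_LOCAL_IN, &http, deliver);
    printf("telnet=%d http=%d seen=%d delivered=%d\n", t, h, seen, delivered);
    model_unregister_hook(&filter);
    return 0;
}
```

Because `counter` has the lower priority value it sees the telnet packet before `filter` drops it; with the priorities swapped it would only count packets that survive the filter.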
