blog:linux:nftables_packet_flow_netfilter_hooks_detail [2021-04-10] – tiny cosmetics Andrej Stender | blog:linux:nftables_packet_flow_netfilter_hooks_detail [2022-08-07] (current) – activated TOC Andrej Stender | ||
Line 1: | Line 1: | ||
- | {{tag> | + | {{tag> |
====== Nftables - Packet flow and Netfilter hooks in detail ====== | ====== Nftables - Packet flow and Netfilter hooks in detail ====== | ||
~~META: | ~~META: | ||
date created = 2020-05-17 | date created = 2020-05-17 | ||
~~ | ~~ | ||
- | |||
- | ~~NOTOC~~ | ||
If you are using // | If you are using // | ||
Line 12: | Line 10: | ||
provide example configurations. | provide example configurations. | ||
However, if you are working on a little bit more complex stuff like writing | However, if you are working on a little bit more complex stuff like writing | ||
- | // | + | // |
and doing NAT, or other of the "more interesting" | and doing NAT, or other of the "more interesting" | ||
to get a little more tricky. | to get a little more tricky. | ||
Line 49: | Line 47: | ||
</ | </ | ||
- | However, what this image shows you is the packet flow though the //Netfilter hooks// and thereby the packet flow through the //tables// and //chains// like they existed in old // | + | However, what this image shows you is the packet flow though the //Netfilter hooks// and thereby the packet flow through the //tables// and //chains// like they existed in old // |
===== Netfilter ===== | ===== Netfilter ===== | ||
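Review bot: typo in the sentence "the packet flow though the //Netfilter hooks//" in this hunk (Line 49 / Line 47), present on both the old and the new side: "though" should read "through". Since the right-hand revision already edits this line, it is the natural place to correct it.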
Line 88: | Line 86: | ||
- | ==== Register | + | ==== Register |
- | As already mentioned, the idea of the hooks is to give other kernel components the opportunity to register // | + | As already mentioned, the idea of the hooks is to give other kernel components the opportunity to register // |
<figure nfhookregister> | <figure nfhookregister> | ||
{{ : | {{ : | ||
- | < | + | < |
</ | </ | ||
- | Several callback functions can be registered with the same hook. // | + | Several callback functions can be registered with the same hook. // |
- | implemented as an instance of '' | + | In most other documentation on the Internet as well as in discussions among the Netfilter developer community, those registered callback functions are usually referred to as "hook functions" |
==== Priority ==== | ==== Priority ==== | ||
- | The sequence of callbacks | + | The sequence of hook functions |
<figure nfipv4hookpriorities> | <figure nfipv4hookpriorities> | ||
Line 123: | Line 121: | ||
</ | </ | ||
< | < | ||
- | Source code extract from '' | + | Source code extract from '' |
</ | </ | ||
- | I go into such detail here, because this enum shows you the discrete // | + | I go into such detail here, because this enum shows you the discrete // |
==== Hard-coded vs. Flexibility ==== | ==== Hard-coded vs. Flexibility ==== | ||
- | The //Netfilter// hooks themselves are hard-coded into the Linux kernel network stack. You'll find them in the source code if you search for function calls named '' | + | The Netfilter hooks themselves are hard-coded into the Linux kernel network stack. You'll find them in the source code if you search for function calls named '' |
- | runtime and why those callbacks | + | |
- For once this kind of flexibility during runtime is an essential basic requirement in a kernel where many components (also // | - For once this kind of flexibility during runtime is an essential basic requirement in a kernel where many components (also // | ||
- | - Performance is a crucial issue. Every network packet needs to traverse all callbacks | + | - Performance is a crucial issue. Every network packet needs to traverse all hook functions |
==== Hook traversal and verdict ==== | ==== Hook traversal and verdict ==== | ||
- | Now let's take a more detailed look on how the callbacks | + | Now let's take a more detailed look on how the hook functions |
- | For each network packet which traverses this hook, the callback | + | For each network packet which traverses this hook, the hook functions are being called one by one |
in the sequence/ | in the sequence/ | ||
the // | the // | ||
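Review bot: the first list item under "Hard-coded vs. Flexibility" opens with "For once this kind of flexibility during runtime ..." on both sides of this hunk; the intended phrase is "For one". The hunk already renames "callbacks" to "hook functions" consistently across the Register, Priority, Hard-coded vs. Flexibility and Hook traversal subsections, so fixing "For once" in the same pass would keep the wording changes together.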
Line 144: | Line 140: | ||
<figure nfhookentriesflow> | <figure nfhookentriesflow> | ||
{{ : | {{ : | ||
- | < | + | < |
</ | </ | ||
- | Network packets are represented within the Linux kernel as instances | + | Network packets are represented within the Linux kernel as instances of '' |
- | of '' | + | |
===== Iptables ===== | ===== Iptables ===== | ||
- | To put things into context, let's take a short look at // | + | To put things into context, let's take a short look at // |
- | // | + | |
- | In case of // | + | In case of // |
^ table ^ contains chains ^ command to show that ^ | ^ table ^ contains chains ^ command to show that ^ | ||
Line 186: | Line 179: | ||
===== Connection tracking ===== | ===== Connection tracking ===== | ||
- | As you can see in Figure {{ref> | + | As you can see in Figure {{ref> |
- | There is much more to tell about // | + | |
- | I elaborate on the topic // | + | |
===== Nftables ===== | ===== Nftables ===== | ||
In general // | In general // | ||
However, in contrast to // | However, in contrast to // | ||
- | // | + | // |
A //regular chain// is not registered with any hook (//regular chains// are not covered in this article)((The //regular chains// represent the same feature as I already mentioned for // | A //regular chain// is not registered with any hook (//regular chains// are not covered in this article)((The //regular chains// represent the same feature as I already mentioned for // | ||
- | Thus, the user is not forced to name the //base chains// like the hooks they will be registered with. This obviously offers more freedom and flexibility, | + | Thus, the user is not forced to name the //base chains// like the Netfilter |
==== Address Families ==== | ==== Address Families ==== | ||
Line 235: | Line 225: | ||
| '' | | '' | ||
| '' | | '' | ||
- | | conntrack((As you can guess, this is NOT one of the placeholder names you can use. I added it here as a reminder which // | + | | conntrack((As you can guess, this is NOT one of the placeholder names you can use. I added it here as a reminder which // |
| '' | | '' | ||
| '' | | '' | ||
Line 264: | Line 254: | ||
</ | </ | ||
- | But what actually happens when you register two //base chains// with the same hook | + | But what actually happens when you register two //base chains// with the same hook which both have the same // |
- | which both have the same // | + | |
- | In case of the following example, function '' | + | |
- | first called for //chain1// and then for //chain2//. | + | |
<code bash> | <code bash> | ||
Line 277: | Line 264: | ||
'' | '' | ||
// | // | ||
- | (in front of) //chain1// in the array of callbacks | + | (in front of) //chain1// in the array of hook functions |
network packets then traverse //chain2// BEFORE //chain1//. This means here | network packets then traverse //chain2// BEFORE //chain1//. This means here | ||
the sequence/ | the sequence/ | ||
Line 316: | Line 303: | ||
+ | ==== List hook functions (coming soon) ==== | ||
+ | Nftables developers in July 2021 announced a new feature, which will | ||
+ | likely be included in the next version of Nftables to be released; | ||
+ | see [[http:// | ||
+ | registered with a specified Netfilter hook together with their assigned | ||
+ | priorities. If you e.g. like to list all hook functions currently registered with the Netfilter | ||
+ | IPv4 Prerouting hook, the syntax to do that will probably be something like | ||
+ | '' | ||
===== Context ===== | ===== Context ===== | ||
The described behavior and implementation has been observed on a | The described behavior and implementation has been observed on a | ||
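Review bot: the newly added "List hook functions (coming soon)" section presents the command syntax as something that "will probably be" a given form and the feature as one that "will likely be included in the next version"; this revision is dated 2022-08-07 while the announcement it refers to is from July 2021, so before publishing, check whether the feature has shipped and replace the speculative syntax with the released one, or at least date the note so readers can tell how current the "coming soon" claim is.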
Line 327: | Line 322: | ||
===== Feedback ===== | ===== Feedback ===== | ||
[[: | [[: | ||
+ | |||
+ | |||
+ | //published 2020-05-17//, | ||
blog/linux/nftables_packet_flow_netfilter_hooks_detail.txt · Last modified: 2022-08-07 by Andrej Stender