Activating the Hook Functions

Each hook function returns one of the following verdicts (the constants are defined in <linux/netfilter.h>):

□ NF_ACCEPT accepts the packet. The kernel passes it on to the remaining hooks at this hook point and then to the next layer of the network implementation. The hook may have left the packet untouched or rewritten parts of it; the verdict says only that processing should continue with whatever the hook leaves behind.

□ NF_STOLEN specifies that the hook function has "stolen" the packet and will deal with it itself. From this point on the packet no longer concerns the kernel: no further hooks are called, and processing by the other protocol layers is suppressed. The socket buffer now belongs to the hook, which is responsible for releasing it.

□ NF_DROP instructs the kernel to discard the packet. As with NF_STOLEN, no further hooks and no further network-layer processing take place. The memory occupied by the socket buffer (and therefore by the packet) is released, since its data can be discarded; a typical case is a packet that a hook regards as corrupted.

□ NF_QUEUE hands the packet to a queue so that its data can be examined by userspace code. None of the remaining hook functions runs while the packet sits in the queue; if userspace reinjects the packet with an NF_ACCEPT verdict, traversal resumes with the hooks that follow the one that queued it.

□ NF_REPEAT causes the same hook function to be called again immediately, before any of the hooks that follow it.

Ultimately, a packet is processed further in the network layer only if every hook function at the hook point returns NF_ACCEPT (NF_REPEAT is never the final verdict, since it merely calls the hook again). All other packets are either discarded or taken over by the netfilter subsystem, whether by a hook (NF_STOLEN) or by the queueing mechanism (NF_QUEUE).
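The verdict handling described above, modeled as an added userspace C program (example code written for this page, not kernel source): it reproduces the walk over the hooks registered at one hook point that the kernel performs in nf_hook_slow() and shows how each verdict ends or continues the traversal. Only the five verdict values are the kernel's; everything else is an assumption made for the example: struct pkt stands in for struct sk_buff, the four hook policies (drop on a leading 0xFF byte, steal on 0xFE, mark-then-repeat, queue anything over 32 bytes) are hypothetical, the sample payloads are constructed, and the MAX_REPEATS cap has no kernel counterpart.

```c
#include <stdlib.h>
#include <string.h>

/* Verdict values exactly as defined in the kernel's <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4

/* Stand-in for struct sk_buff: a payload plus a mark that a hook can set. */
struct pkt { unsigned char data[64]; size_t len; int mark; };

/* Bookkeeping filled in while a packet traverses the chain. */
struct stats { int calls[4]; int freed; int stolen; int queued; };

/* Like the kernel's nf_hookfn, minus its priv and nf_hook_state arguments. */
typedef unsigned int (*hookfn)(struct pkt *skb);

enum outcome { OUT_ACCEPTED, OUT_DROPPED, OUT_STOLEN, OUT_QUEUED };

/* Assumption: cap consecutive NF_REPEATs; the kernel itself imposes none. */
#define MAX_REPEATS 8

/* Userspace model of the verdict handling in the kernel's hook walk. */
enum outcome run_hooks(hookfn *hooks, int n, struct pkt *skb, struct stats *st)
{
    int repeats = 0;
    for (int i = 0; i < n; i++) {
        unsigned int verdict = hooks[i](skb);
        st->calls[i]++;
        switch (verdict) {
        case NF_ACCEPT:        /* continue with the next hook */
            repeats = 0;
            break;
        case NF_REPEAT:        /* call the same hook again */
            if (++repeats > MAX_REPEATS) { free(skb); st->freed = 1; return OUT_DROPPED; }
            i--;
            break;
        case NF_STOLEN:        /* the hook owns the buffer now; never touch it again */
            st->stolen = 1;
            return OUT_STOLEN;
        case NF_QUEUE:         /* parked for userspace; later hooks wait for its verdict */
            st->queued = 1;
            return OUT_QUEUED;
        case NF_DROP: default: /* unknown verdicts are treated like NF_DROP */
            free(skb);
            st->freed = 1;
            return OUT_DROPPED;
        }
    }
    return OUT_ACCEPTED;       /* every hook returned NF_ACCEPT */
}

/* Sample hooks with hypothetical policies, chosen only to exercise each verdict. */
static unsigned int hook_drop_corrupt(struct pkt *skb)
{   /* a leading 0xFF byte marks a "corrupt" packet in this model */
    return skb->data[0] == 0xFF ? NF_DROP : NF_ACCEPT;
}
static unsigned int hook_steal(struct pkt *skb)
{   /* a leading 0xFE byte: take the packet over and dispose of it ourselves */
    if (skb->data[0] != 0xFE) return NF_ACCEPT;
    free(skb);
    return NF_STOLEN;
}
static unsigned int hook_mark_then_repeat(struct pkt *skb)
{   /* mark the packet on first sight and ask to be re-run; accept once marked */
    if (skb->mark) return NF_ACCEPT;
    skb->mark = 1;
    return NF_REPEAT;
}
static unsigned int hook_queue_large(struct pkt *skb)
{   /* defer anything longer than 32 bytes to userspace */
    return skb->len > 32 ? NF_QUEUE : NF_ACCEPT;
}
static hookfn chain[] = { hook_drop_corrupt, hook_steal, hook_mark_then_repeat, hook_queue_large };

/* Constructed sample payloads, not captured traffic. */
static const unsigned char sample_corrupt[4] = { 0xFF, 0x01, 0x02, 0x03 };
static const unsigned char sample_stolen[4]  = { 0xFE, 0x01, 0x02, 0x03 };
static const unsigned char sample_small[8]   = { 0x45, 0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x06 };
static const unsigned char sample_large[40]  = { 0x45 };   /* remainder zero-filled */
struct stats last_stats;   /* statistics of the most recent run_sample() call */

/* Copy sample 0..3 into a fresh buffer and run it through the chain. */
enum outcome run_sample(int which)
{
    static const unsigned char *samples[] = { sample_corrupt, sample_stolen, sample_small, sample_large };
    static const size_t lens[] = { 4, 4, 8, 40 };
    if (which < 0 || which > 3) return OUT_DROPPED;
    struct pkt *skb = calloc(1, sizeof *skb);
    if (!skb) return OUT_DROPPED;
    memcpy(skb->data, samples[which], lens[which]);
    skb->len = lens[which];
    memset(&last_stats, 0, sizeof last_stats);
    enum outcome out = run_hooks(chain, 4, skb, &last_stats);
    /* accepted packets would travel on up the stack and queued ones wait in the queue; here we just release them */
    if (out == OUT_ACCEPTED || out == OUT_QUEUED) free(skb);
    return out;
}
```

Two points the model makes visible. After NF_DROP the traversal itself frees the buffer, whereas after NF_STOLEN it must not, because the hook already owns (and here has already freed) it; confusing the two is a use-after-free or a leak. And a hook that returns NF_REPEAT without changing any state would be called forever, which is why the example caps repeats and why hook_mark_then_repeat records its mark before asking to be re-run. In a real module the hook has the nf_hookfn signature, is registered with nf_register_net_hook(), and receives a struct sk_buff and a struct nf_hook_state instead of the stand-ins used here; the meaning of the verdicts is the same.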

The kernel provides a ready-made collection of hook functions so that separate ones need not be written for every occasion. These are the ip_tables modules (the filter, nat and mangle tables, among others), which perform the high-level processing of packets according to rule sets. They are configured with the iptables userspace tool, which is not discussed here.
