Extending Network Functionality

In brief, the netfilter framework adds the following capabilities to the kernel:

□ Packet filtering for different flow directions (incoming, outgoing, forwarded) depending on state and other criteria.

□ Network address translation (NAT) to rewrite source and destination addresses in accordance with configured rules. NAT is used, for example, to implement shared Internet connections, where several computers that are not attached directly to the Internet share one access; this is commonly called masquerading (the term transparent proxy is sometimes used loosely for the same setup, although no proxy that terminates connections is involved).

□ Packet mangling, that is, altering packets (header fields such as TTL or TOS, for instance) according to specific rules.

Netfilter functionality can be extended by modules loaded into the kernel at run time. A defined rule set tells the kernel when to invoke the code of the individual modules. The interface between the core network code and netfilter is deliberately kept as small as possible (and only as large as necessary) so that the two areas are separated from each other, which prevents mutual interference and improves the stability of the network code.

As frequently mentioned in the preceding sections, netfilter hooks are located at various points in the kernel to support the execution of netfilter code. They are provided not only for IPv4 but also for IPv6 and the DECnet protocol (and for further protocol families such as ARP and the bridging code). Only IPv4 is discussed here, but the concepts apply equally to the other protocols.

Netfilter implementation is divided into two areas:

□ Hooks in the kernel's network code, placed at fixed points along the packet paths, are used to call netfilter code and are the only coupling between the network implementation and netfilter.

□ Netfilter modules whose code is called from within the hooks but that are otherwise independent of the remaining network code. A set of standard modules provides frequently needed functions, but user-specific functions can be defined in extension modules.
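The two-part structure above (hook points in the core code, independent modules that register hook functions) and the three capabilities listed earlier (filtering, NAT, mangling) can be illustrated with a small userspace model. The following is an added example written for this page, not code from the kernel: it reproduces the dispatch logic of the hook call (priority-ordered traversal, NF_DROP ending traversal, NF_ACCEPT handing on) with three toy "modules" on the IPv4 hooks. The hook and verdict names match the kernel's; the packet structure, the rule constants, the addresses and the function names `nf_register_hook_model`, `nf_hook_model`, `forward_path` and `local_in_path` are assumptions made for this model.

```c
/* Userspace model of netfilter hook dispatch (added example, not kernel code).
 * Hook and verdict names follow the kernel; everything else is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hook points the framework provides for IPv4 (same names as in the kernel). */
enum nf_hook { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
               NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Verdicts a hook function returns to the framework. */
enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };

/* Constructed stand-in for an IPv4 packet (an sk_buff in the kernel). */
struct pkt {
    uint32_t saddr, daddr;   /* host byte order, for readability */
    uint8_t  proto, ttl;
    uint16_t dport;
};

typedef enum verdict (*hook_fn)(struct pkt *p);

/* One registration; the kernel keeps these per hook, ordered by priority. */
struct hook_ops { hook_fn fn; enum nf_hook hooknum; int priority; };

#define MAX_OPS 8
static struct hook_ops registered[NF_INET_NUMHOOKS][MAX_OPS];
static int nregistered[NF_INET_NUMHOOKS];

/* Insert keeping ascending priority order: lower priority value runs first. */
int nf_register_hook_model(struct hook_ops ops)
{
    int n = nregistered[ops.hooknum];
    if (n == MAX_OPS) return -1;
    int i = n;
    while (i > 0 && registered[ops.hooknum][i - 1].priority > ops.priority) {
        registered[ops.hooknum][i] = registered[ops.hooknum][i - 1];
        i--;
    }
    registered[ops.hooknum][i] = ops;
    nregistered[ops.hooknum]++;
    return 0;
}

/* The hook call: the one small interface between network code and netfilter.
 * The first NF_DROP ends traversal; NF_ACCEPT hands on to the next function. */
enum verdict nf_hook_model(enum nf_hook h, struct pkt *p)
{
    for (int i = 0; i < nregistered[h]; i++)
        if (registered[h][i].fn(p) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define LAN_NET  IP(192, 168, 1, 0)
#define LAN_MASK 0xffffff00u
#define WAN_ADDR IP(203, 0, 113, 5)   /* documentation-range address, constructed */

/* Module 1: packet filter. Drop telnet (tcp/23) arriving from outside the LAN. */
static enum verdict filter_local_in(struct pkt *p)
{
    if (p->proto == 6 && p->dport == 23 && (p->saddr & LAN_MASK) != LAN_NET)
        return NF_DROP;
    return NF_ACCEPT;
}

/* Module 2: masquerading (source NAT) for LAN hosts leaving via the WAN address. */
static enum verdict nat_post_routing(struct pkt *p)
{
    if ((p->saddr & LAN_MASK) == LAN_NET) p->saddr = WAN_ADDR;
    return NF_ACCEPT;
}

/* Module 3: mangling. Rewrite the TTL of forwarded packets to a fixed value. */
static enum verdict mangle_forward(struct pkt *p)
{
    p->ttl = 64;
    return NF_ACCEPT;
}

/* Register the three independent "modules". The priorities mirror the kernel's
 * NF_IP_PRI_* convention: mangle -150, filter 0, source NAT 100. */
void setup_modules(void)
{
    memset(nregistered, 0, sizeof nregistered);
    nf_register_hook_model((struct hook_ops){ filter_local_in,  NF_INET_LOCAL_IN,     0 });
    nf_register_hook_model((struct hook_ops){ nat_post_routing, NF_INET_POST_ROUTING, 100 });
    nf_register_hook_model((struct hook_ops){ mangle_forward,   NF_INET_FORWARD,     -150 });
}

/* Path of a forwarded packet: PRE_ROUTING -> FORWARD -> POST_ROUTING. */
enum verdict forward_path(struct pkt *p)
{
    if (nf_hook_model(NF_INET_PRE_ROUTING, p) == NF_DROP) return NF_DROP;
    if (nf_hook_model(NF_INET_FORWARD, p) == NF_DROP) return NF_DROP;
    return nf_hook_model(NF_INET_POST_ROUTING, p);
}

/* Path of a packet addressed to this host: PRE_ROUTING -> LOCAL_IN. */
enum verdict local_in_path(struct pkt *p)
{
    if (nf_hook_model(NF_INET_PRE_ROUTING, p) == NF_DROP) return NF_DROP;
    return nf_hook_model(NF_INET_LOCAL_IN, p);
}

int main(void)
{
    setup_modules();
    struct pkt telnet_from_wan = { IP(198, 51, 100, 7), IP(192, 168, 1, 10), 6, 50, 23 };
    struct pkt web_from_lan    = { IP(192, 168, 1, 10), IP(198, 51, 100, 7), 6, 50, 80 };
    printf("telnet from WAN: %s\n", local_in_path(&telnet_from_wan) == NF_DROP ? "dropped" : "accepted");
    printf("forwarded from LAN: verdict %d, saddr now %08x, ttl %u\n",
           forward_path(&web_from_lan), web_from_lan.saddr, web_from_lan.ttl);
    return 0;
}
```

The point to take from the model is the separation the text describes: the network code only ever calls `nf_hook_model` at its five hook points, and each module registers a function with a priority and never sees the others. Because the framework stops at the first NF_DROP, a filter module can veto a packet before a later NAT or mangle module on the same hook runs, which is why the kernel's priority ordering (mangle before filter before NAT) matters when several modules share a hook.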

Iptables, which administrators use to configure firewalls, packet filters, NAT and similar functions, is itself built on the netfilter framework: its kernel side consists of modules that register with the hooks and provide a comprehensive, well-defined set of library functions for packet handling, while the userspace tool loads and manages the rule sets. How rules are activated and managed from within userspace is not described here; see the abundance of literature on network administration.
