Category: LINUX

2012-07-26 17:59:25

For those of you who are not familiar with netfilter, all I can say is that it is actually a framework for packet mangling, outside the normal Berkeley socket interface. It is the engine behind iptables, the popular firewall solution for Linux. It has four parts.

Firstly, each protocol defines "hooks" (IPv4 defines 5) which are well-defined points in a packet's traversal of the protocol stack. At each of these points, the protocol will call the netfilter framework with the packet and the hook number.

Secondly, parts of the kernel can register to listen to the different hooks for each protocol. So when a packet is passed to the netfilter framework, it checks to see if anyone has registered for that protocol and hook; if so, they each get a chance to examine (and possibly alter) the packet in order, then discard the packet (NF_DROP), allow it to pass (NF_ACCEPT), tell netfilter to forget about the packet (NF_STOLEN), or ask netfilter to queue the packet for userspace (NF_QUEUE).

The third part is that packets that have been queued are collected (by the ip_queue driver) for sending to userspace; these packets are handled asynchronously.
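To make the hook-and-verdict model concrete, here is an added user-space C model of the dispatch described above. It is not code from the post or from the kernel: it reuses the real verdict values (NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE), the five IPv4 hook numbers and two real priority constants (NF_IP_PRI_MANGLE, NF_IP_PRI_FILTER) from linux/netfilter.h, but the packet structure, the chain walk (nf_hook_model), the registration routine and the three sample hooks are a constructed illustration of how registered hooks run in priority order and how each verdict ends or continues the traversal.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Verdict values, identical to those in linux/netfilter.h. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3 };
/* The five IPv4 hook points (NF_INET_* in the kernel). */
enum { NF_INET_PRE_ROUTING = 0, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };
/* Two of the kernel's hook priorities: lower values run first. */
enum { NF_IP_PRI_MANGLE = -150, NF_IP_PRI_FILTER = 0 };

/* Constructed stand-in for sk_buff: only what the sample hooks inspect. */
struct pkt { uint32_t saddr; uint16_t dport; int ttl; };

typedef unsigned int (*hookfn)(struct pkt *p);
/* Constructed stand-in for struct nf_hook_ops. */
struct hook_ops { hookfn fn; int priority; struct hook_ops *next; };

static struct hook_ops *hook_chain[NF_INET_NUMHOOKS];
static unsigned int queued_count;   /* packets handed to the NF_QUEUE path */

/* Register a hook, keeping the chain sorted by ascending priority (model of
 * nf_register_net_hook). Returns 0 on success, -1 on a bad hook number. */
int nf_register_hook_model(int hooknum, struct hook_ops *ops) {
    if (hooknum < 0 || hooknum >= NF_INET_NUMHOOKS) return -1;
    struct hook_ops **pp = &hook_chain[hooknum];
    while (*pp && (*pp)->priority <= ops->priority) pp = &(*pp)->next;
    ops->next = *pp;
    *pp = ops;
    return 0;
}

/* Walk the chain for one hook point and return the final verdict. Every
 * registered hook gets its turn only while the previous one said NF_ACCEPT. */
unsigned int nf_hook_model(int hooknum, struct pkt *p) {
    for (struct hook_ops *h = hook_chain[hooknum]; h; h = h->next) {
        unsigned int v = h->fn(p);
        switch (v) {
        case NF_ACCEPT: continue;            /* next hook examines the packet */
        case NF_DROP:   return NF_DROP;      /* packet is freed, traversal stops */
        case NF_STOLEN: return NF_STOLEN;    /* hook owns it now; netfilter forgets it */
        case NF_QUEUE:  queued_count++;      /* collected for userspace, asynchronously */
                        return NF_QUEUE;
        default:        return NF_DROP;      /* unknown verdict: fail closed */
        }
    }
    return NF_ACCEPT;                        /* nobody objected */
}

/* Sample hook 1 (mangle priority): alters the packet, then lets it continue. */
static unsigned int ttl_decrement_hook(struct pkt *p) {
    if (p->ttl > 0) p->ttl--;
    return NF_ACCEPT;
}
/* Sample hook 2 (filter priority): drops cleartext telnet (port 23). */
static unsigned int block_telnet_hook(struct pkt *p) {
    return p->dport == 23 ? NF_DROP : NF_ACCEPT;
}
/* Sample hook 3 (filter priority): hands traffic from one watched source to userspace. */
static unsigned int queue_watched_source_hook(struct pkt *p) {
    return p->saddr == 0x0A000063u /* 10.0.0.99, constructed */ ? NF_QUEUE : NF_ACCEPT;
}

static struct hook_ops mangle_ops = { ttl_decrement_hook, NF_IP_PRI_MANGLE, NULL };
static struct hook_ops filter_ops = { block_telnet_hook, NF_IP_PRI_FILTER, NULL };
static struct hook_ops queue_ops  = { queue_watched_source_hook, NF_IP_PRI_FILTER, NULL };

/* Register the three sample hooks on PRE_ROUTING once. Returns number registered. */
int setup_hooks(void) {
    static int done;
    if (done) return 3;
    done = 1;
    /* Filter hooks registered first on purpose: sorting must still put mangle ahead. */
    nf_register_hook_model(NF_INET_PRE_ROUTING, &filter_ops);
    nf_register_hook_model(NF_INET_PRE_ROUTING, &queue_ops);
    nf_register_hook_model(NF_INET_PRE_ROUTING, &mangle_ops);
    return 3;
}

unsigned int queued_so_far(void) { return queued_count; }

int main(void) {
    setup_hooks();
    struct pkt web    = { 0x0A000001u, 80, 64 };   /* constructed: 10.0.0.1 -> :80 */
    struct pkt telnet = { 0x0A000001u, 23, 64 };   /* constructed: 10.0.0.1 -> :23 */
    struct pkt watched = { 0x0A000063u, 443, 64 }; /* constructed: 10.0.0.99 -> :443 */
    printf("web verdict=%u ttl=%d\n", nf_hook_model(NF_INET_PRE_ROUTING, &web), web.ttl);
    printf("telnet verdict=%u\n", nf_hook_model(NF_INET_PRE_ROUTING, &telnet));
    printf("watched verdict=%u queued=%u\n", nf_hook_model(NF_INET_PRE_ROUTING, &watched), queued_so_far());
    return 0;
}
```

The ordering check is the useful part: the filter-priority hooks are registered before the mangle-priority one, yet the sorted insert guarantees the TTL is decremented before the filter decides, which is exactly the "in order" guarantee the post mentions. A dropped or queued packet never reaches the hooks behind the one that issued the verdict, so hook priority decides which policy gets the final say.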