For those of you who are not familiar with netfilter, all I can say is that it is actually a framework for packet mangling, outside the normal Berkeley socket interface. It's the engine behind iptables -- the popular firewall solution for Linux. It has four parts.
Firstly, each protocol defines "hooks" (IPv4 defines 5) which are well-defined points in a packet's traversal of the protocol stack. At each of these points, the protocol will call the netfilter framework with the packet and the hook number.
Secondly, parts of the kernel can register to listen to the different hooks for each protocol. So when a packet is passed to the netfilter framework, it checks to see if anyone has registered for that protocol and hook; if so, they each get a chance to examine (and possibly alter) the packet in order, then discard the packet (NF_DROP), allow it to pass (NF_ACCEPT), tell netfilter to forget about the packet (NF_STOLEN), or ask netfilter to queue the packet for userspace (NF_QUEUE).
The third part is that packets that have been queued are collected (by the ip_queue driver) for sending to userspace; these packets are handled asynchronously.
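To make the registration-and-verdict mechanism of the first three parts concrete, here is an added userspace model of it in C. It is not kernel code and not netfilter's own API: the verdict values and the five IPv4 hook numbers match the kernel headers, but `struct pkt`, `register_hook()` and `nf_hook()` are simplified stand-ins for `sk_buff`, `nf_register_net_hook()` and the kernel's hook traversal, and the three sample hooks and their addresses and ports are constructed for the demo.

```c
/* Userspace model of netfilter hook dispatch. Added illustration only:
 * verdicts and hook numbers follow <linux/netfilter.h>; everything else
 * (struct pkt, register_hook, nf_hook, the sample hooks) is a stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts a hook may return (values as in the kernel headers). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3 };

/* The five IPv4 hook points, in traversal order. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Constructed stand-in for the packet (the kernel passes an sk_buff). */
struct pkt { uint32_t saddr, daddr; uint16_t dport; };

typedef unsigned int (*hookfn)(struct pkt *p, void *priv);

struct hook_ops { hookfn fn; void *priv; int priority; };

#define MAX_HOOKS 8
static struct hook_ops chains[NF_INET_NUMHOOKS][MAX_HOOKS];
static int chain_len[NF_INET_NUMHOOKS];

void reset_hooks(void) { memset(chain_len, 0, sizeof chain_len); }

/* Register a hook for one hook point; lower priority value runs first. */
int register_hook(int hooknum, hookfn fn, void *priv, int priority)
{
    if (hooknum < 0 || hooknum >= NF_INET_NUMHOOKS) return -1;
    int n = chain_len[hooknum];
    if (n >= MAX_HOOKS) return -1;
    int i = n;                       /* insertion sort by priority */
    while (i > 0 && chains[hooknum][i - 1].priority > priority) {
        chains[hooknum][i] = chains[hooknum][i - 1];
        i--;
    }
    chains[hooknum][i] = (struct hook_ops){ fn, priv, priority };
    chain_len[hooknum] = n + 1;
    return 0;
}

/* The protocol stack calls this with the packet and the hook number.
 * Hooks see the packet in order; the first non-ACCEPT verdict ends the
 * traversal, so later hooks never see a dropped, stolen or queued packet. */
unsigned int nf_hook(int hooknum, struct pkt *p)
{
    for (int i = 0; i < chain_len[hooknum]; i++) {
        unsigned int v = chains[hooknum][i].fn(p, chains[hooknum][i].priv);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* --- Sample hooks, constructed for the demo --- */

/* Mangle: rewrite the destination, as a DNAT-style rule would. */
static unsigned int dnat_hook(struct pkt *p, void *priv)
{
    const uint32_t *map = priv;              /* {from, to} */
    if (p->daddr == map[0]) p->daddr = map[1];
    return NF_ACCEPT;
}

/* Filter: refuse telnet, hand HTTP to a userspace queue reader. */
static unsigned int filter_hook(struct pkt *p, void *priv)
{
    (void)priv;
    if (p->dport == 23) return NF_DROP;
    if (p->dport == 80) return NF_QUEUE;
    return NF_ACCEPT;
}

/* Counter: registered last, so it only sees packets that survived. */
static unsigned int count_hook(struct pkt *p, void *priv)
{
    (void)p;
    (*(unsigned long *)priv)++;
    return NF_ACCEPT;
}

static uint32_t dnat_map[2] = { 0x0A000001u, 0xC0A80001u }; /* 10.0.0.1 -> 192.168.0.1 */
static unsigned long accepted = 0;

/* Register the sample hooks on PRE_ROUTING; registration order does not
 * matter, the priority does (mangle -100, filter 0, counter 1000). */
void setup_demo(void)
{
    reset_hooks();
    accepted = 0;
    register_hook(NF_INET_PRE_ROUTING, count_hook, &accepted, 1000);
    register_hook(NF_INET_PRE_ROUTING, filter_hook, NULL, 0);
    register_hook(NF_INET_PRE_ROUTING, dnat_hook, dnat_map, -100);
}

unsigned long accepted_count(void) { return accepted; }

int main(void)
{
    setup_demo();
    struct pkt a = { 0xC0A80102u, 0x0A000001u, 22 };
    struct pkt b = { 0xC0A80102u, 0x0A000001u, 23 };
    struct pkt c = { 0xC0A80102u, 0x0A000001u, 80 };
    printf("ssh    -> verdict %u, daddr now %08x\n", nf_hook(NF_INET_PRE_ROUTING, &a), a.daddr);
    printf("telnet -> verdict %u\n", nf_hook(NF_INET_PRE_ROUTING, &b));
    printf("http   -> verdict %u\n", nf_hook(NF_INET_PRE_ROUTING, &c));
    printf("packets reaching the counter: %lu\n", accepted_count());
    return 0;
}
```

The point the model makes is the one that matters when reasoning about a firewall: a hook's verdict is final for that hook point, so a module registered with a higher priority value (later in the chain) cannot observe or override a drop made earlier, and a rewrite made by an earlier hook (here the DNAT-style mangle) is what every later hook, including the filter, gets to inspect.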