
As I understand it, the Linux kernel has five hook points for IPv4 packet flow, defined in the netfilter_ipv4.h file:

/* IP Hooks */
/* After promisc drops, checksum checks. */
#define NF_IP_PRE_ROUTING   0
/* If the packet is destined for this box. */
#define NF_IP_LOCAL_IN      1
/* If the packet is destined for another interface. */
#define NF_IP_FORWARD       2
/* Packets coming from a local process. */
#define NF_IP_LOCAL_OUT     3
/* Packets about to hit the wire. */
#define NF_IP_POST_ROUTING  4

...and according to netfilter_ipv6.h the same seems to be true for IPv6:

/* IP6 Hooks */
/* After promisc drops, checksum checks. */
#define NF_IP6_PRE_ROUTING  0
/* If the packet is destined for this box. */
#define NF_IP6_LOCAL_IN     1
/* If the packet is destined for another interface. */
#define NF_IP6_FORWARD      2
/* Packets coming from a local process. */
#define NF_IP6_LOCAL_OUT        3
/* Packets about to hit the wire. */
#define NF_IP6_POST_ROUTING 4

This makes me wonder whether it is correct to think of the netfilter/iptables architecture in such a way that chains define the place where operations happen and tables determine which operations can be done. In addition, do tables matter to the kernel as well, or are they simply meant for iptables users to group the types of processing which can occur?

Martin

1 Answer


The key is that tables are grouping things by design intention. All your rules intended for filtering are in this place, all your NAT rules over there. Chains are sequences of rules, and the default chains are traversed at specific points in the path of a packet.

In theory, you could add a rule that does filtering to, say, the NAT table. But the front end prevents you from doing this, with a message like

The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.

The way I think of it is that it's really about chains, and the tables are a bit of an afterthought to help you organize them. It is confusing because it's ad-hoc, historically grown user interface design.

d.hoeffer
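As an added illustration (not code from the question, the answer, or the kernel), here is a small Python model of the traversal the thread describes: the five hook points from the header, the built-in tables attached to each hook in kernel priority order, and the front-end policy the answer quotes. The hook numbers and table priorities are the real netfilter constants; the packet format, the rule representation, the list of permitted targets per table and the routing decision are simplified assumptions made for the example, and the sample rules and addresses are constructed.

```python
"""Toy model of netfilter hook traversal: hooks say WHERE a chain runs,
tables say WHAT kind of rule may live there.  Added example, not kernel code."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

# The five hook points from netfilter_ipv4.h (same values as in the header).
NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING = range(5)
HOOK_NAMES = {0: "PREROUTING", 1: "INPUT", 2: "FORWARD", 3: "OUTPUT", 4: "POSTROUTING"}

# Kernel priorities (NF_IP_PRI_RAW/MANGLE/NAT_DST/FILTER): lower value runs first at a hook.
TABLE_PRIORITY = {"raw": -300, "mangle": -150, "nat": -100, "filter": 0}
# Hooks each built-in table registers at (the built-in chains iptables shows per table).
TABLE_HOOKS = {
    "raw": {NF_IP_PRE_ROUTING, NF_IP_LOCAL_OUT},
    "mangle": {NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING},
    "nat": {NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING},
    "filter": {NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT},
}
# Simplified "design intention" per table, the policy the front end enforces (assumption).
ALLOWED_TARGETS = {
    "raw": {"ACCEPT", "NOTRACK"},
    "mangle": {"ACCEPT", "MARK"},
    "nat": {"ACCEPT", "DNAT", "SNAT"},
    "filter": {"ACCEPT", "DROP"},
}

@dataclass
class Packet:           # constructed, minimal packet: just what the rules look at
    src: str
    dst: str
    dport: int
    mark: int = 0

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str
    arg: Any = None     # new address for DNAT/SNAT, mark value for MARK

@dataclass
class Netfilter:
    local_addrs: Set[str]
    # (table, hook) -> rules, i.e. one built-in chain per hook of each table.
    chains: Dict[Tuple[str, int], List[Rule]] = field(default_factory=dict)

    def append(self, table: str, hook: int, rule: Rule) -> None:
        """Like `iptables -t TABLE -A CHAIN ...`, including the front-end's sanity checks."""
        if hook not in TABLE_HOOKS[table]:
            raise ValueError(f"table {table} has no {HOOK_NAMES[hook]} chain")
        if rule.target not in ALLOWED_TARGETS[table]:
            raise ValueError(f'The "{table}" table is not intended for {rule.target}')
        self.chains.setdefault((table, hook), []).append(rule)

    def run_hook(self, hook: int, pkt: Packet, trace: List[str]) -> str:
        """Run every table registered at this hook in priority order; stop on DROP."""
        for table in sorted(TABLE_HOOKS, key=TABLE_PRIORITY.__getitem__):
            if hook not in TABLE_HOOKS[table]:
                continue
            for rule in self.chains.get((table, hook), []):
                if not rule.match(pkt):
                    continue
                trace.append(f"{table}/{HOOK_NAMES[hook]}:{rule.target}")
                if rule.target == "DROP":
                    return "DROP"
                if rule.target == "MARK":       # non-terminating: keep walking the chain
                    pkt.mark = rule.arg
                    continue
                if rule.target == "DNAT":
                    pkt.dst = rule.arg
                elif rule.target == "SNAT":
                    pkt.src = rule.arg
                break   # ACCEPT/DNAT/SNAT end this chain; the next table still runs
        return "ACCEPT"

    def receive(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Packet from the wire: PREROUTING, routing decision, then INPUT or FORWARD+POSTROUTING."""
        trace: List[str] = []
        if self.run_hook(NF_IP_PRE_ROUTING, pkt, trace) == "DROP":
            return "DROP", trace
        # Routing happens after PREROUTING, so a DNAT there decides which hook comes next.
        if pkt.dst in self.local_addrs:
            return self.run_hook(NF_IP_LOCAL_IN, pkt, trace), trace
        if self.run_hook(NF_IP_FORWARD, pkt, trace) == "DROP":
            return "DROP", trace
        return self.run_hook(NF_IP_POST_ROUTING, pkt, trace), trace

def demo() -> Dict[str, Any]:
    """Constructed scenario: a router at 192.0.2.1 port-forwarding 8080 to an internal host."""
    nf = Netfilter(local_addrs={"192.0.2.1"})
    nf.append("nat", NF_IP_PRE_ROUTING,
              Rule(lambda p: p.dst == "192.0.2.1" and p.dport == 8080, "DNAT", "10.0.0.5"))
    nf.append("filter", NF_IP_FORWARD,
              Rule(lambda p: p.dst == "10.0.0.5" and p.dport == 8080, "ACCEPT"))
    nf.append("filter", NF_IP_FORWARD, Rule(lambda p: True, "DROP"))
    nf.append("filter", NF_IP_LOCAL_IN, Rule(lambda p: p.dport != 22, "DROP"))
    out: Dict[str, Any] = {
        "dnat": nf.receive(Packet("198.51.100.7", "192.0.2.1", 8080)),
        "local_ssh": nf.receive(Packet("198.51.100.7", "192.0.2.1", 22)),
        "local_other": nf.receive(Packet("198.51.100.7", "192.0.2.1", 80)),
        "forward_denied": nf.receive(Packet("198.51.100.7", "10.0.0.9", 80)),
    }
    try:    # filtering in the nat table is refused, as in the message the answer quotes
        nf.append("nat", NF_IP_PRE_ROUTING, Rule(lambda p: True, "DROP"))
    except ValueError as e:
        out["nat_drop_refused"] = str(e)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trace for the port-forwarded packet shows the point of the model: the nat table's PREROUTING chain rewrites the destination, the routing decision then sends the packet to the FORWARD hook rather than INPUT, and only there does the filter table get a say. The model mirrors how the kernel actually sees tables, as separately registered hook callbacks with a priority, which is why the same hook can host several tables in a fixed order. Left out for brevity: user-defined chains and jumps, and the fact that the real nat table is only consulted for the first packet of a connection tracked by conntrack.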