Source: http://danieldegraaf.afraid.org/info/networking/linux-netfilter

Linux Networking - Netfilter Internals

NF_HOOK
  Macro and inline function; eventually calls net/netfilter/core.c:nf_hook_slow, which looks in nf_hooks[pf][hook] and uses nf_iterate to determine the verdict. nf_hook_slow is also where an NF_QUEUE verdict is handled.

net/netfilter/core.c:nf_iterate
  Calls all the hooks for a pf/hook pair, sorted by priority. These hooks are usually registered by the ip_table_* modules.

  Priority list, taken from include/linux/netfilter_ipv4.h:
    NF_IP_PRI_FIRST = INT_MIN
    NF_IP_PRI_CONNTRACK_DEFRAG = -400
    NF_IP_PRI_RAW = -300
    NF_IP_PRI_SELINUX_FIRST = -225
    NF_IP_PRI_CONNTRACK = -200
    NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175
    NF_IP_PRI_MANGLE = -150
    NF_IP_PRI_NAT_DST = -100
    NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50
    NF_IP_PRI_FILTER = 0
    NF_IP_PRI_NAT_SRC = 100
    NF_IP_PRI_SELINUX_LAST = 225
    NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2
    NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX
    NF_IP_PRI_LAST = INT_MAX

net/ipv4/netfilter/ip_tables.c:ipt_do_table
  Normally called to process all the rules in a given table. Calls ip_packet_match first; if that matches, iterates over each match in turn, calling its .match function (which lives in the corresponding match module).

net/ipv4/netfilter/ip_tables.c:ip_packet_match
  Compares the following attributes, in this order: src & dst IP; in interface; out interface; protocol; fragment.
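The following is an added, user-space model of the two mechanisms described above (nf_iterate's priority-ordered hook traversal, and ipt_do_table calling an ip_packet_match-style check in the listed attribute order). It is not kernel code and not from the page's author: the structs, the functions named model_*, the rule encoding (mask 0, empty interface name, protocol 0 and frag -1 all meaning "any") and the sample packets are assumptions made for illustration. The priority values and verdict constants are the ones quoted on the page and in the kernel's netfilter headers. The point it shows is that a hook registered later but with a lower priority still runs first, and that the first non-ACCEPT verdict ends the traversal.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts, as in the kernel's include/linux/netfilter.h. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3 };

/* A subset of the priorities listed on the page (include/linux/netfilter_ipv4.h). */
enum {
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed packet summary: only the fields ip_packet_match looks at. */
struct pkt { uint32_t saddr, daddr; const char *indev, *outdev; uint8_t proto; int frag; };

typedef unsigned (*hook_fn)(struct pkt *p, const void *priv);
struct hook { hook_fn fn; const void *priv; int priority; };

#define MAX_HOOKS 16
struct hook_list { struct hook h[MAX_HOOKS]; int n; };

/* Model of hook registration: keep the list sorted by ascending priority (insertion sort). */
int model_register_hook(struct hook_list *l, hook_fn fn, const void *priv, int prio)
{
    if (l->n == MAX_HOOKS) return -1;
    int i = l->n;
    while (i > 0 && l->h[i - 1].priority > prio) { l->h[i] = l->h[i - 1]; i--; }
    l->h[i] = (struct hook){ fn, priv, prio };
    l->n++;
    return 0;
}

/* Model of nf_iterate: run hooks in priority order; the first verdict other than
 * NF_ACCEPT stops the walk (the caller, nf_hook_slow in the kernel, acts on it).
 * stopped_at receives the priority of the hook that issued that verdict. */
unsigned model_iterate(struct hook_list *l, struct pkt *p, int *stopped_at)
{
    for (int i = 0; i < l->n; i++) {
        unsigned v = l->h[i].fn(p, l->h[i].priv);
        if (v != NF_ACCEPT) { if (stopped_at) *stopped_at = l->h[i].priority; return v; }
    }
    return NF_ACCEPT;
}

/* A rule carries exactly the attributes ip_packet_match compares, plus a target verdict.
 * Assumed wildcard encoding: mask 0 = any address, "" = any interface, proto 0 = any, frag -1 = any. */
struct rule {
    uint32_t saddr, smask, daddr, dmask;
    const char *indev, *outdev;
    uint8_t proto;
    int frag;
    unsigned target;
};

/* Model of ip_packet_match, checking in the page's order. Returns 0 on match, otherwise the
 * 1-based index of the first failing check (1 src, 2 dst, 3 in iface, 4 out iface, 5 proto, 6 frag). */
int model_packet_match(const struct rule *r, const struct pkt *p)
{
    if ((p->saddr & r->smask) != (r->saddr & r->smask)) return 1;
    if ((p->daddr & r->dmask) != (r->daddr & r->dmask)) return 2;
    if (r->indev[0] && strcmp(r->indev, p->indev) != 0) return 3;
    if (r->outdev[0] && strcmp(r->outdev, p->outdev) != 0) return 4;
    if (r->proto && r->proto != p->proto) return 5;
    if (r->frag >= 0 && r->frag != p->frag) return 6;
    return 0;
}

struct table { const struct rule *rules; int n; unsigned policy; };

/* Model of ipt_do_table: the first matching rule's target wins, else the table policy. */
unsigned model_do_table(struct pkt *p, const void *priv)
{
    const struct table *t = priv;
    for (int i = 0; i < t->n; i++)
        if (model_packet_match(&t->rules[i], p) == 0) return t->rules[i].target;
    return t->policy;
}

/* Stand-ins for the conntrack and mangle hooks: they only observe the packet and accept. */
int seen_by_conntrack;
unsigned model_conntrack_hook(struct pkt *p, const void *priv) { (void)p; (void)priv; seen_by_conntrack++; return NF_ACCEPT; }
unsigned model_mangle_hook(struct pkt *p, const void *priv) { (void)p; (void)priv; return NF_ACCEPT; }

/* Constructed filter table: drop TCP (6) arriving on eth0 from 10.0.0.0/8, any dst, any frag state. */
const struct rule demo_rules[] = {
    { IP4(10, 0, 0, 0), 0xff000000u, 0, 0, "eth0", "", 6, -1, NF_DROP },
};
const struct table demo_filter = { demo_rules, 1, NF_ACCEPT };

/* Register the hooks deliberately out of priority order to show that the list is sorted on insert. */
int build_demo_chain(struct hook_list *l)
{
    if (model_register_hook(l, model_do_table, &demo_filter, NF_IP_PRI_FILTER)) return -1;
    if (model_register_hook(l, model_conntrack_hook, NULL, NF_IP_PRI_CONNTRACK)) return -1;
    if (model_register_hook(l, model_mangle_hook, NULL, NF_IP_PRI_MANGLE)) return -1;
    return 0;
}

int main(void)
{
    struct hook_list l; memset(&l, 0, sizeof l);
    build_demo_chain(&l);
    struct pkt p = { IP4(10, 1, 2, 3), IP4(192, 168, 0, 1), "eth0", "", 6, 0 };
    int at = 0;
    unsigned v = model_iterate(&l, &p, &at);
    printf("verdict=%u stopped_at_priority=%d conntrack_saw_it=%d\n", v, at, seen_by_conntrack);
    return 0;
}
```

The hook list order after build_demo_chain is conntrack (-200), mangle (-150), filter (0), so the dropping packet is still seen by the conntrack stand-in before the filter table rejects it. In model_packet_match, a rule whose destination and protocol both fail reports the destination mismatch, because that check comes earlier in the page's order.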
