Netfilter packet flow and hook/table ordering
Packet flow in Netfilter and General Networking
Date: 2014-Feb-28 (last updated; covers Linux 2.6.36+)
Author: Jan Engelhardt <jengelh@inai.de>, http://inai.de/ (based in part on Joshua Snyder's <josh@imagestream.com> graph)
Language: en_US
Keywords: Xtables, Conntrack, iptables
Description: Shows the packet flow throughout Linux Networking, and Netfilter components.

[Figure: SVG diagram. Only its text labels survived extraction; the arrows, and therefore the actual ordering of hooks and tables, are not recoverable from this page.]

Panel titles: Application Layer, Protocol Layer, Network Layer, Link Layer; INPUT PATH, FORWARD PATH, OUTPUT PATH; "Other NF parts", "Other Networking".
Netfilter hooks labelled: prerouting, input, forward, output, postrouting, brouting (bridge level).
Tables labelled: raw, mangle, nat, filter (network level), broute (bridge level).
Other stages labelled: (start), ingress (qdisc), conntrack, bridge check, bridging decision, routing decision, reroute check, xfrm lookup, xfrm encode, xfrm (e.g. ipsec) decode, xfrm/socket lookup, local process, egress (qdisc), interface output, taps (e.g. AF_PACKET), AF_PACKET.
Annotations on edges: "clone packet", "no clone to AF_PACKET", "basic set of filtering opportunities at the bridge level", "basic set of filtering opportunities at the network level".

Notes from the diagram:
* "security" table left out for brevity
* "nat" table only consulted for "NEW" connections