On 02/24/2006 06:37 PM, Mayank wrote:
> I am new to netfilter world, can someone please
> clarify on how many ways are there to interact with
> the Linux TCP/IP stack, based on google reading, I
> think it can be achieved in following 3 ways-
>
> 1. Userspace - LIBIPQ can be used in
> conjunction with -j QUEUE
> 2. Kernel modules - by using nf_register_hook
> 3. IPTABLES match - by using register_match
>
> Are there more ways? does anybody have any comparison
> info in terms of performance etc ? Which one is
> faster?

Basically, the only way is nf_register_hook. The other 2 are just infrastructure built on top of that. That is, iptables registers a netfilter hook, and calls the matches and targets from this hook. QUEUE is just an iptables target, so it is called by iptables.

For performance, QUEUE is clearly slower, since it passes the packet to user space. Choosing between netfilter hooks or iptables matches should be based purely on whether you want to use iptables functionality.
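
The layering described in the reply above, as an added example that is not part of the original message: a simplified userspace C model (not kernel code) in which a rule table is one registered hook that calls matches and targets, and QUEUE is one such target. All identifiers (model_register_hook, model_run_hooks, table_hook, the V_* verdicts) are constructed for illustration and are not the kernel's API.

```c
/* Userspace model of the layering, not kernel code; every name is constructed. */
#include <stdio.h>
#include <string.h>

enum verdict { V_DROP, V_ACCEPT, V_QUEUE };  /* stand-ins for NF_DROP, NF_ACCEPT, NF_QUEUE */
struct pkt { const char *proto; int dport; };

/* Layer 1: the hook list. Every packet decision is reached through it. */
typedef enum verdict (*hook_fn)(const struct pkt *);
static struct { hook_fn fn; int prio; } hooks[8];
static size_t nhooks;

int model_register_hook(hook_fn fn, int prio) {
    if (nhooks == 8) return -1;
    size_t i = nhooks++;
    for (; i > 0 && hooks[i - 1].prio > prio; i--) hooks[i] = hooks[i - 1];
    hooks[i].fn = fn; hooks[i].prio = prio;   /* lowest priority value runs first */
    return 0;
}
enum verdict model_run_hooks(const char *proto, int dport) {
    struct pkt p = { proto, dport };
    for (size_t i = 0; i < nhooks; i++) {
        enum verdict v = hooks[i].fn(&p);
        if (v != V_ACCEPT) return v;          /* DROP or QUEUE ends traversal */
    }
    return V_ACCEPT;
}

/* Layer 2: an iptables-like table is ONE hook that walks rules: match, then target. */
struct rule { int (*match)(const struct pkt *, int); int arg; enum verdict (*target)(void); };
static int match_tcp_dport(const struct pkt *p, int port) { return !strcmp(p->proto, "tcp") && p->dport == port; }
static enum verdict target_drop(void)  { return V_DROP; }
static enum verdict target_queue(void) { return V_QUEUE; }   /* QUEUE is just another target */
static const struct rule table[] = { { match_tcp_dport, 23, target_drop }, { match_tcp_dport, 80, target_queue } };

enum verdict table_hook(const struct pkt *p) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].match(p, table[i].arg)) return table[i].target();
    return V_ACCEPT;                          /* default policy */
}
/* A module registering its own hook directly, with no iptables involved. */
enum verdict drop_udp_hook(const struct pkt *p) { return strcmp(p->proto, "udp") ? V_ACCEPT : V_DROP; }

int main(void) {
    model_register_hook(table_hook, 0);
    model_register_hook(drop_udp_hook, -100);
    printf("tcp/23=%d tcp/80=%d udp/53=%d tcp/22=%d\n", model_run_hooks("tcp", 23),
           model_run_hooks("tcp", 80), model_run_hooks("udp", 53), model_run_hooks("tcp", 22));
    return 0;
}
```

In this model the V_QUEUE verdict only marks the packet as handed off; the copy to user space that makes QUEUE slower is not simulated.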