Problems understanding nftables

Hello,

I am in the process of learning all the nftables knowledge needed to understand some more complex
setups and to create my own configurations from scratch, without migrating/translating iptables stuff.

My starting point is the diagram from Pablo, which is available in the wiki under
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks .

My questions about this diagram:

1) netdev family filter for ingress and egress, as described in the table below the diagram:
   Where in the diagram can I apply those filters?
   I attach a modified version of this diagram, where I have marked the three possible hook
   chain types (filter, nat, route) at the places where those hooks are tied in.
2) Traffic flow inside the machine
   How does traffic flow when Application A talks to Application B?
   There is no way for the traffic Application A generates to reach the Prerouting Hook.
   However, I wrote some trace rulesets hooking into every possible filter and telling
   me where the packets are.
   Here I see that those packets leave Postrouting, but do not enter egress/ingress
   (which could be a solution for cases when both applications are listening on the same
   interface). No: those packets reappear in the Prerouting Hook, have a new trace id,
   but the same ip id.
3) The Routing Decision after Local Process makes, by my understanding, no sense,
   as it has only one output.
4) In case Application B listens on a Bridge Device, I would expect to see a way from
   Output Bridge to Prerouting Bridge or Input Bridge.  I have no test case for this scenario,
   so my question is hypothetical.

I would be glad if someone could give me some answers. Perhaps I have overlooked some details,
leading me in the wrong direction.
Thanks for any helpful answer.


Wolfgang

Attachment: nf-hooks.png
Description: PNG image
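The kind of "trace ruleset hooking into every possible filter" mentioned in the message above, written out as an added example (this is not Wolfgang's ruleset and not from the wiki page). It places an accept-all base chain with `meta nftrace set 1` on every hook of the inet family plus the netdev ingress/egress hooks, so that `nft monitor trace` shows each base chain a packet passes through, including the two-trace-id behaviour for local traffic (the packet leaves via output/postrouting, is re-queued on lo, and re-enters through ingress/prerouting/input). The interface names `eth0` and `lo`, the table names and the `-300` priority are assumptions; the egress hook needs Linux 5.16+ and nftables 1.0.1+, and tracing everything is noisy, so add a match such as `tcp dport 8080` in front of each `meta nftrace set 1` on a busy box.

```nft
#!/usr/sbin/nft -f
# Added example: trace base chains on every hook (assumed names eth0/lo).
flush ruleset

table netdev trace_netdev {
    # netdev ingress/egress chains are bound to one device each.
    chain ingress_eth0 {
        type filter hook ingress device "eth0" priority -500; policy accept;
        meta nftrace set 1 counter
    }
    chain ingress_lo {
        # Locally generated traffic to a local listener re-enters here.
        type filter hook ingress device "lo" priority -500; policy accept;
        meta nftrace set 1 counter
    }
    chain egress_eth0 {
        # Requires kernel >= 5.16 and nftables >= 1.0.1; drop this chain otherwise.
        type filter hook egress device "eth0" priority 500; policy accept;
        meta nftrace set 1 counter
    }
}

table inet trace_inet {
    # Priority -300 (raw) runs before conntrack, so untracked packets are seen too.
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        meta nftrace set 1 counter
    }
    chain input {
        type filter hook input priority -300; policy accept;
        meta nftrace set 1 counter
    }
    chain forward {
        type filter hook forward priority -300; policy accept;
        meta nftrace set 1 counter
    }
    chain output {
        # First hook a locally generated packet hits; no prerouting before this.
        type filter hook output priority -300; policy accept;
        meta nftrace set 1 counter
    }
    chain postrouting {
        type filter hook postrouting priority -300; policy accept;
        meta nftrace set 1 counter
    }
}
```

Load it with `nft -f trace.nft`, run `nft monitor trace` in a second terminal, and generate a local connection (for example `curl http://127.0.0.1:8080/`). Each `trace id` line names the hook and chain that emitted it; `nft list ruleset` afterwards shows via the counters which base chains the packet never touched.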

