Help with Linux iptables details (including some terms)

Hi,

I'm in need of some help on details of Linux's packet filtering.
I've actually read the iptables command's man pages and a few
other docs from www.netfilter.org.

Also, I've just started using Linux a few weeks ago (before this,
my last used was in 1993 for a few months) so I may get some terms
wrong. Please correct me so that I can be less confusing in the
future.

I understand that some of my questions can be answered by build
the kernel or reading some source code. But I'm hoping to get
answers quicker here.

Here're my questions: (and thank you very much)

1. "iptables" is the name of a command that a user run to modify
Linux's built-in packet filters. What is the name of the Linux's
built-in filters? (I've been calling it iptables, but I think I
may be wrong.)

2. Does the Linux's built-in packet filters use its NetFilter
facility?

3. If Linux's built-in packet filters use NetFilter, what is its
priority (what value is set for field "priority" in "struct
nf_hook_ops") ?

4. It Linux's built-in packet filters do not use NetFilter, then
is it called before NetFilter or after? If this is the case,
could you help me out by providing a function name or something?
(I casually looked into the kernel's networking code and only
see NetFilter being called and not built-in packet filtering.)

5. While configuring to build a kernel (make menuconfig), I see
the option of "Network packet filtering (replaces ipchains)" .
Does this configure the built-in filter or NetFilter ?

6. If #5 configures NetFilter, then why is "replaces ipchains"
in the heading? I thought the new bulit-in packet filter replaces
ipchains ?

Thanks,
Ching Tai

(E-Mail Removed) (ctt) wrote news:883eb11c.0406101321.3219e950
@posting.google.com:

> 1. "iptables" is the name of a command that a user run to modify
> Linux's built-in packet filters. What is the name of the Linux's
> built-in filters? (I've been calling it iptables, but I think I
> may be wrong.)
>
> 2. Does the Linux's built-in packet filters use its NetFilter
> facility?

iptables is a user-land command to create/modify/delete netfilter rules.

netfilter is the (now) official packet filtering system of linux.

But netfilter is not directly developped in the linux main kernel source,
it's a separate project available at http://www.netfilter.org.

The Linux kernel include some hook function that call the netfilter code
at various point in the network stack.

And so, there is on "default filters" in the linux kernel.

But for usability (compilation, ...) reason, the netfilter code is
included in any regular linux source package.

You may however get the last netfilter code (kernel hook, iptables
command, and iptables modules) from the netfilter project, and recompile
a kernel with this updated code.

> 3. If Linux's built-in packet filters use NetFilter, what is its
> priority (what value is set for field "priority" in "struct
> nf_hook_ops") ?

Don't know.

> 4. It Linux's built-in packet filters do not use NetFilter, then
> is it called before NetFilter or after? If this is the case,
> could you help me out by providing a function name or something?
> (I casually looked into the kernel's networking code and only
> see NetFilter being called and not built-in packet filtering.)

See up.

> 5. While configuring to build a kernel (make menuconfig), I see
> the option of "Network packet filtering (replaces ipchains)" .
> Does this configure the built-in filter or NetFilter ?

You may choose to use ipchains, the old filtering system or netfilter,
the last one.

ipchains was more "fusioned" in the kernel source than netfilter.

Note: there is an ipchains command that translate ipchains rules to
iptables rules.

> 6. If #5 configures NetFilter, then why is "replaces ipchains"
> in the heading? I thought the new bulit-in packet filter replaces
> ipchains ?

See up.

> Thanks,
> Ching Tai
>

(E-Mail Removed) (ctt) wrote in message news:<(E-Mail Removed). com>...
> Hi,
>
> I'm in need of some help on details of Linux's packet filtering.
> I've actually read the iptables command's man pages and a few
> other docs from www.netfilter.org.
>
> Also, I've just started using Linux a few weeks ago (before this,
> my last used was in 1993 for a few months) so I may get some terms
> wrong. Please correct me so that I can be less confusing in the
> future.
>
> I understand that some of my questions can be answered by build
> the kernel or reading some source code. But I'm hoping to get
> answers quicker here.
>
> Here're my questions: (and thank you very much)
>
> 1. "iptables" is the name of a command that a user run to modify
> Linux's built-in packet filters. What is the name of the Linux's
> built-in filters? (I've been calling it iptables, but I think I
> may be wrong.)
>
> 2. Does the Linux's built-in packet filters use its NetFilter
> facility?
>
> 3. If Linux's built-in packet filters use NetFilter, what is its
> priority (what value is set for field "priority" in "struct
> nf_hook_ops") ?

I think it relates to this (?):
/usr/include/linux/netfilter_ipv4.h
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_CONNTRACK = -200,
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_LAST = INT_MAX,

> 4. It Linux's built-in packet filters do not use NetFilter, then
> is it called before NetFilter or after? If this is the case,
> could you help me out by providing a function name or something?
> (I casually looked into the kernel's networking code and only
> see NetFilter being called and not built-in packet filtering.)
>
> 5. While configuring to build a kernel (make menuconfig), I see
> the option of "Network packet filtering (replaces ipchains)" .
> Does this configure the built-in filter or NetFilter ?
>
> 6. If #5 configures NetFilter, then why is "replaces ipchains"
> in the heading? I thought the new bulit-in packet filter replaces
> ipchains ?
>
> Thanks,
> Ching Tai

You might also be interested in this -- I found it myself just a short
while back ;-)
http://www.linuxjournal.com/article.php?sid=7184