[Figure: SVG image "Packet flow in Netfilter and General Networking" (image/svg+xml); only the diagram's text labels survived extraction, the boxes and arrows did not]

Author: Jan Engelhardt <jengelh@inai.de>, http://inai.de/ (file dated 2014-Feb-28, language en_US)
Keywords: Xtables, Conntrack, iptables
Description: Shows the packet flow throughout Linux Networking, and Netfilter components.
Contributor: Joshua Snyder <josh@imagestream.com>

Caption: by Jan Engelhardt (based in part on Joshua Snyder's graph); XDP flow by Matteo Croce. Last updated 2019-May-19; Linux 5.1.

Panel titles: Application Layer, Protocol Layer, Network Layer, Link Layer; INPUT PATH, FORWARD PATH, OUTPUT PATH; Other NF parts; Other Networking; "basic set of filtering opportunities at the bridge level" and "at the network level".

Node labels, in the order they appear in the file: raw, nat, broute, brouting, bridgecheck, ingress (qdisc), conntrack, routing decision, input, nat, prerouting, mangle, bridging decision, forward, filter, filter, mangle, reroute check, output, xfrm lookup, xfrm encode, postrouting, input, xfrm/socket lookup, local process, egress (qdisc), interface output, taps (e.g. AF_PACKET), (start), AF_PACKET, XDP eBPF, alloc_skb, xfrm (e.g. ipsec) decode, input, clone packet, no clone to AF_PACKET, XDP_TX, XDP_PASS, userspace (AF_XDP), XDP_REDIRECT.

Footnotes:
* “security” table left out for brevity
* “nat” table only consulted for “NEW” connections