Linux Kernel Architecture

(Jacob Rumans) #1

Chapter 12: Networks


dynamically. Hooks are present at various points in the network subsystem, and each one has a special
label, for example, NF_IP_POST_ROUTING.^16

When the kernel arrives at a hook, the routines registered for the label are invoked in userspace.
Kernel-side processing (possibly with a modified packet) is then continued in a further kernel function.
Section 12.8.6 below discusses the implementation of the netfilter mechanism.

In the next step, the received IP packets arrive at a crossroads where a decision is made as to whether
they are intended for the local system or for a remote computer. Depending on the answer, they must
either be forwarded to one of the higher layers or transferred to the output path of the IP level (I don’t
bother with the third option — delivery of packets to a group of computers by means of multicast).

ip_route_input is responsible for choosing the route. This relatively complex decision is discussed in
detail in Section 12.8.5. The result of the routing decision is that a function for further packet processing
is chosen. Available functions are ip_local_deliver and ip_forward. Which is selected depends
on whether the packet is to be delivered to local routines of the next higher protocol layer or is to be
forwarded to another computer in the network.

12.8.3 Local Delivery to the Transport Layer


If the packet is intended for the local computer, ip_local_deliver must try to find a suitable transport
layer function to which the data can be forwarded. IP packets typically use TCP or UDP as the transport
layer.

Defragmentation


This is made difficult by the fact that IP packets may be fragmented. There is no certainty that a full
packet is available. The first task of the function is therefore to reassemble a fragmented packet from
its constituent parts by means of ip_defrag.^17 The corresponding code flow diagram is shown in
Figure 12-16.

[Figure 12-16: Code flow diagram for ip_defrag. Functions shown: ip_defrag, ip_find, ip_frag_queue, ip_frag_reasm. Decision points: "Other fragment parts in the cache?" and "All parts available?"]
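The fragment test and the "All parts available?" decision can be modelled in a few lines of userspace C. This is an added example, not kernel code and not from the book: struct frag, start_of and reasm_length are hypothetical names, IP_MF and IP_OFFSET are the standard IPv4 flag and offset masks, and the final fragment is taken to be the one with the more-fragments flag cleared, as in RFC 791.

```c
#include <stddef.h>
#include <stdint.h>

#define IP_MF     0x2000 /* "more fragments" flag in frag_off */
#define IP_OFFSET 0x1FFF /* 13-bit offset, in 8-byte units */

/* Simplified fragment record (assumption); frag_off is in host byte order. */
struct frag { uint16_t frag_off, payload_len; };

/* A packet is a fragment if MF is set or the offset is non-zero. */
int is_fragment(uint16_t frag_off)
{
    return (frag_off & (IP_MF | IP_OFFSET)) != 0;
}

/* Byte offset of a fragment's payload within the original packet. */
static long start_of(const struct frag *f)
{
    return (long)(f->frag_off & IP_OFFSET) * 8;
}

/*
 * "All parts available?" for the fragments of one packet, in any order.
 * Returns the full payload length if they chain without gaps from offset 0
 * to the end of the final fragment, 0 while parts are missing, and -1 if
 * the set is inconsistent.
 */
long reasm_length(const struct frag *f, size_t n)
{
    long end = -1, covered = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        int last = !(f[i].frag_off & IP_MF);
        if (f[i].payload_len == 0 || (!last && f[i].payload_len % 8))
            return -1; /* empty, or non-final part not a multiple of 8 */
        if (last && end != -1 && end != start_of(&f[i]) + f[i].payload_len)
            return -1; /* two final fragments that disagree on the length */
        if (last)
            end = start_of(&f[i]) + f[i].payload_len;
    }
    if (end == -1)
        return 0; /* final fragment not seen yet */
    while (covered < end) {
        for (i = 0; i < n && start_of(&f[i]) != covered; i++)
            ;
        if (i == n)
            return 0; /* gap at byte offset 'covered' */
        covered += f[i].payload_len;
    }
    return covered == end ? end : -1;
}
```

The model only follows a gapless chain of fragments; it does not trim or compare overlapping fragments.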

(^16) Note that kernel 2.6.25 (which was still under development when this book was written) will change the names from NF_IP_* to NF_INET_*. This change unifies the names for IPv4 and IPv6.
(^17) The kernel recognizes that a packet is fragmented either by the set fragment bit or by a non-zero value in the offset field. A zero
value in the offset field indicates that this fragment is the last in the packet.
