Linux Kernel Architecture


Chapter 12: Networks


❑ input and output are invoked to process incoming and outgoing packets as described above.
❑ dev specifies the network device used to process the packets.

input and output are assigned different functions depending on packet type.

❑ input is set to ip_local_deliver for local delivery and output to ip_rt_bug (the latter function
simply outputs an error message to the kernel logs because invoking output for a local packet in
the kernel code is an error condition that should not occur).
❑ input is set to ip_forward for packets to be forwarded, and a pointer to the ip_output function
is used for output.

The neighbour element stores the IP and hardware addresses of the computer in the local network, which
can be reached directly via the network access layer. For our purposes, it is sufficient to look at just a few
elements of the structure:

include/net/neighbour.h
struct neighbour
{
    struct net_device *dev;                 /* device through which the neighbour is reached */
    unsigned char ha[ALIGN(MAX_ADDR_LEN, sizeof(unsigned long))];   /* hardware (link-layer) address */
    int (*output)(struct sk_buff *skb);     /* function that transmits a packet to this neighbour */
};

While dev holds the network device data structure and ha the hardware address of the device, output is
a pointer to the appropriate kernel function that must be invoked to transmit a packet via the network
adapter. neighbour instances are created by the ARP layer of the kernel that implements the address
resolution protocol — a protocol that translates IP addresses into hardware addresses. Because the dst_entry
structure has a pointer to neighbour instances, the code of the network access layer can invoke the output
function when a packet leaves the system via the network adapter.
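The dispatch described above, reduced to a user-space model as an added example (not code from the book or the kernel): a routing lookup yields a dst_entry whose input/output pointers are chosen by packet type, and forwarding ends in the neighbour's output function. The addresses, the LOCAL_ADDR constant and the ip_route_input stand-in are constructed for illustration.

```c
/* Added example: user-space model of dst_entry/neighbour function-pointer dispatch.
 * Names mirror the kernel's; bodies are simplified stand-ins, not kernel code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_ADDR_LEN 32
#define LOCAL_ADDR 0x0A000001u            /* constructed: 10.0.0.1 is "our" address */

struct sk_buff;                           /* forward declaration */
struct neighbour {
    unsigned char ha[MAX_ADDR_LEN];       /* next-hop hardware address (constructed) */
    int (*output)(struct sk_buff *skb);   /* driver-level transmit */
};
struct dst_entry {
    int (*input)(struct sk_buff *skb);
    int (*output)(struct sk_buff *skb);
    struct neighbour *neighbour;
};
struct sk_buff {
    uint32_t daddr;                       /* destination IPv4 address */
    struct dst_entry *dst;                /* routing result attached to the packet */
    const char *trace;                    /* records the last handler that ran */
};

static int neigh_output(struct sk_buff *skb) { skb->trace = "neigh_output"; return 0; }
static struct neighbour gw = { .ha = {0x02, 0, 0, 0, 0, 0x01}, .output = neigh_output };

static int ip_local_deliver(struct sk_buff *skb) { skb->trace = "ip_local_deliver"; return 0; }
/* Like the kernel's ip_rt_bug: calling output for a local packet is an error. */
static int ip_rt_bug(struct sk_buff *skb) {
    fprintf(stderr, "ip_rt_bug: output called for local destination\n");
    skb->trace = "ip_rt_bug";
    return -1;
}
static int ip_output(struct sk_buff *skb) { return skb->dst->neighbour->output(skb); }
static int ip_forward(struct sk_buff *skb) { skb->trace = "ip_forward"; return skb->dst->output(skb); }

static struct dst_entry local_rt = { ip_local_deliver, ip_rt_bug, NULL };
static struct dst_entry fwd_rt   = { ip_forward, ip_output, &gw };

/* Stand-in for the routing lookup: choose the dst_entry by destination. */
struct dst_entry *ip_route_input(uint32_t daddr) {
    return daddr == LOCAL_ADDR ? &local_rt : &fwd_rt;
}

/* Receive path: the routing result decides which input function runs;
 * a forwarded packet ends up in the neighbour's output function. */
const char *handle_packet(uint32_t daddr) {
    struct sk_buff skb = { .daddr = daddr, .trace = "" };
    skb.dst = ip_route_input(daddr);
    skb.dst->input(&skb);
    return skb.trace;
}
```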

12.8.6 Netfilter


Netfilter is a Linux kernel framework that enables packets to be filtered and manipulated in accor-
dance with dynamically defined criteria. This dramatically increases the number of conceivable network
options — from a simple firewall through detailed analyses of network traffic to complex state-dependent
filters. Because of the sophisticated netfilter design, only a few sections of network code are needed to
achieve the above goals.

Extending Network Functionality


In brief, the netfilter framework adds the following capabilities to the kernel:

❑ Packet filtering for different flow directions (incoming, outgoing, forwarded) depending on state
and other criteria.
❑ Network address translation (NAT) to convert source and destination addresses in accordance with
certain rules. NAT can be used, for example, to implement shared Internet connections where
several computers that are not attached directly to the Internet share an Internet access (this is
often referred to as masquerading or transparent proxy).
❑ Packet mangling and manipulation, the splitting and modification of packets according to specific
rules.