Linux Kernel Architecture


Chapter 12: Networks


    NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
    NF_IP_PRI_LAST = INT_MAX,
};
This ensures, for example, that mangling of packet data is always performed before any filter
operations.

The appropriate list can be selected from the nf_hook array by reference to the protocol family and hook
number. Work is then delegated to nf_iterate, which traverses the list elements and invokes the hook
functions.

Activating the Hook Functions


Each hook function returns one of the following values:

❑ NF_ACCEPT accepts a packet. This means that the routine in question has made no changes to the
data. The kernel continues to use the unmodified packet and lets it run through the remaining
layers of the network implementation (or through subsequent hooks).
❑ NF_STOLEN specifies that the hook function has "stolen" a packet and will deal with it. As of this
point, the packet no longer concerns the kernel, and it is not necessary to call any further hooks.
Further processing by other protocol layers must also be suppressed.
❑ NF_DROP instructs the kernel to discard the packet. As with NF_STOLEN, no further processing by
other hooks or in the network layer takes place. Memory space occupied by the socket buffer
(and therefore by the packet) is released because the data it contains can be discarded — for
example, packets regarded as corrupted by a hook.
❑ NF_QUEUE places the packet on a wait queue so that its data can be processed by userspace code.
No other hook functions are executed.
❑ NF_REPEAT calls the hook again.

Ultimately, packets are not further processed in the network layer unless all hook
functions return NF_ACCEPT (NF_REPEAT is never the final result). All other packets
are either discarded or processed by the netfilter subsystem itself.
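The following userspace model, added here and not part of the book or the kernel sources, shows how the priority ordering and the verdict rules above interact: hooks are walked in ascending priority, NF_REPEAT re-invokes the same hook, and any verdict other than NF_ACCEPT ends the traversal. The NF_* values, the hook functions, nf_iterate_model() and run_scenario() are constructed stand-ins, not the kernel's own definitions.

```c
#include <stdlib.h>

/* Verdict values modelled on the kernel's NF_* constants (constructed model). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };

struct pkt { int marked; int repeat_calls; };      /* stand-in for a socket buffer */
typedef unsigned (*hookfn)(struct pkt *p);
struct hook { int priority; hookfn fn; };

/* "Mangle" stage: alters the packet (sets a mark) and accepts it. */
static unsigned mangle_hook(struct pkt *p) { p->marked = 1; return NF_ACCEPT; }

/* "Filter" stage: drops packets carrying the mark, accepts the rest. */
static unsigned filter_hook(struct pkt *p) { return p->marked ? NF_DROP : NF_ACCEPT; }

/* Asks to be re-run once, then accepts: NF_REPEAT never becomes the final verdict. */
static unsigned repeat_once_hook(struct pkt *p) {
    return p->repeat_calls++ == 0 ? NF_REPEAT : NF_ACCEPT;
}

static int by_priority(const void *a, const void *b) {
    return ((const struct hook *)a)->priority - ((const struct hook *)b)->priority;
}

/* Hypothetical stand-in for nf_iterate: call hooks in ascending priority order,
 * re-call a hook on NF_REPEAT, stop at the first verdict other than NF_ACCEPT. */
unsigned nf_iterate_model(struct hook *hooks, size_t n, struct pkt *p) {
    qsort(hooks, n, sizeof *hooks, by_priority);
    for (size_t i = 0; i < n; i++) {
        unsigned verdict;
        int calls = 0;
        do {
            verdict = hooks[i].fn(p);
        } while (verdict == NF_REPEAT && ++calls < 16); /* bound a misbehaving hook */
        if (verdict != NF_ACCEPT)              /* DROP, STOLEN, QUEUE (or runaway REPEAT) */
            return verdict == NF_REPEAT ? NF_DROP : verdict;
    }
    return NF_ACCEPT;                           /* every hook accepted */
}

/* Run one constructed packet through the three hooks with the given priorities. */
unsigned run_scenario(int mangle_prio, int filter_prio) {
    struct hook hooks[] = {
        { filter_prio, filter_hook }, { mangle_prio, mangle_hook }, { -1000, repeat_once_hook },
    };
    struct pkt p = { 0, 0 };
    return nf_iterate_model(hooks, sizeof hooks / sizeof hooks[0], &p);
}
```

With mangle at -150 and filter at 0 (the book's ordering) the filter sees the mark and drops the packet; swapping the priorities lets the packet through, which is why the priority values fix the stage order.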

The kernel provides a collection of hook functions so that separate hook functions need not be defined for
every occasion. These are known as iptables and are used for the high-level processing of packets. They
are configured using the iptables userspace tool, which is not discussed here.

12.8.7 IPv6


Even though widespread use of the Internet is a recent phenomenon, its technical foundations have
been in place for some time. Today’s Internet protocol was introduced in 1981. Although the underlying
standard is well thought out and forward-looking, it is showing signs of age. The explosive growth of
the Internet over the past few years has thrown up a problem relating to the available address space of
IPv4 — 32-bit addresses allow a maximum of 2^32 hosts to be addressed (if subnetting and the like are
ignored). Although earlier thought to be inexhaustible, this address space will no longer be sufficient in
the foreseeable future because more and more devices — ranging from PDAs and laser printers to coffee
machines and refrigerators — require IP addresses.