[LARTC] Kernel Packet Traveling Diagram

Mark markdv.lartc at asphyx.net
Mon Jul 2 14:25:25 CEST 2007 

On Mon, 2 Jul 2007, Edouard Thuleau wrote:

> Thanks,
> I know the older version of this diagram and this one is quite the same I
> told below but the problem is the same for the DNAT. I made another test. I
> change the DSCP value in the PREROUTING table and I put an ingress policing
> which match this new dscp value but the filter doesn't match nothing (I work
> on a Linux 2.6.17).
> With my test, the older version (
> http://www.imagestream.com/~josh/PacketFlow.jpg<http://www.imagestream.com/%7Ejosh/PacketFlow.jpg>)
> of the diagram seams more exactly.

Don't know where I got this, but for as long as I can remember I've had 
this at the top of my scrips as a sort of quick ref. :)

#   --->PRE------>[ROUTE]--->FWD---------->POST------>
#       Conntrack    |       Mangle   ^    Mangle
#       Mangle       |       Filter   |    NAT (Src)
#       NAT (Dst)    |                |
#       (QDisc)      |             [ROUTE]
#                    v                |
#                    IN Mangle       OUT Conntrack
#                    |  Filter        ^  Mangle
#                    |                |  NAT (Dst)
#                    v                |  Filter

Regards,
Mark.

> Have you an idea ?
>
> 2007/7/2, nano bug <linnewbye at gmail.com>:
>> 
>> Hello,
>> 
>> I find this one more useful :
>> 
>> http://www.imagestream.com/~josh/PacketFlow-new.png<http://www.imagestream.com/%7Ejosh/PacketFlow-new.png>
>> 
>> On 7/2/07, Edouard Thuleau <thuleau at gmail.com> wrote:
>> 
>> > Hi,
>> >
>> > I find this diagram which details the kernel packet traveling :
>> > http://www.docum.org/docum.org/kptd/
>> > Is it up to date ?
>> > I made some test and I put a DNAT rules in the PREROUTING table of an
>> > interface and I attach it a ingress policy, the dst IP wasn't changed. 
>> the
>> > DNAT it isn't yet make.
>> >
>> > I've another question (I'm not sure is it the good mailing list), for
>> > the fragment packet, I see the ingress policy doesn't work correctly and 
>> I'd
>> > like to know where in the kernel travel of the packet the fragment are
>> > re-assemble ? At the NAT or in the routing ?
>> >
>> > Thanks,
>> > Edouard.
>> >
>> > _______________________________________________
>> > LARTC mailing list
>> > LARTC at mailman.ds9a.nl
>> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> >
>> >
>> 
>

More information about the LARTC mailing list