2.2: portforward, redirection, masquerading, filtering:
- Related features, but each one tied closely to the stack (fragile) and implemented independently of the others.
- Needed an in-kernel packet snarfing framework: no more hard-coded kernel #ifdef hacks.
Netfilter is the framework.
Parts of the kernel can register with netfilter to see packets at various points in the stack (similar to old firewall.h hooks).
IPv4: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING.
Each hook can alter packets, return NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT or NF_STOLEN.
Hooks have been inserted in the IPv6 and DECnet stacks as well.
IPv6: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING.
DECnet: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, HELLO, ROUTE.
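As an added illustration (not code from these notes or from the netfilter project), here is a user-space C model of the hook mechanism described above: modules register a hook function at a hook point with a priority, and a dispatch loop walks the registered hooks and acts on the verdict each returns. The verdict and IPv4 hook-point names mirror the kernel's; the packet structure, the registration table, the admin address 10.0.0.1 and the telnet-filter policy are constructed for the example and stand in for struct sk_buff, nf_register_hook() and nf_hook_slow().

```c
/* User-space model of netfilter hook registration and dispatch.
 * Added example: names mirror the 2.4 kernel's, but the packet,
 * table and dispatch code are a simplified stand-in, not kernel code. */
#include <stdio.h>

/* Verdicts a hook may return (same values as the kernel). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };

/* IPv4 hook points, in the order a forwarded packet meets them. */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };

/* Constructed stand-in for struct sk_buff: only what a filter needs. */
struct pkt { unsigned int saddr, daddr; unsigned short dport; };

typedef unsigned int (*hook_fn)(unsigned int hooknum, struct pkt *p);

/* Mirrors struct nf_hook_ops: function, hook point, priority (lower runs first). */
struct hook_ops { hook_fn hook; unsigned int hooknum; int priority; };

#define MAX_HOOKS 8
static struct hook_ops *hooks[NF_IP_NUMHOOKS][MAX_HOOKS];
static int nhooks[NF_IP_NUMHOOKS];
static unsigned long seen[NF_IP_NUMHOOKS];   /* packets counted per hook point */

/* Register like nf_register_hook(): insert keeping the list sorted by priority. */
int nf_register_hook(struct hook_ops *ops)
{
    int i, n;
    if (ops->hooknum >= NF_IP_NUMHOOKS) return -1;
    n = nhooks[ops->hooknum];
    if (n == MAX_HOOKS) return -1;
    for (i = n; i > 0 && hooks[ops->hooknum][i - 1]->priority > ops->priority; i--)
        hooks[ops->hooknum][i] = hooks[ops->hooknum][i - 1];
    hooks[ops->hooknum][i] = ops;
    nhooks[ops->hooknum]++;
    return 0;
}

/* Dispatch like nf_hook_slow(): walk the hooks at one point and act on verdicts.
 * Returns 1 if the packet continues through the stack, 0 if it does not. */
int nf_hook(unsigned int hooknum, struct pkt *p)
{
    int i;
    for (i = 0; i < nhooks[hooknum]; i++) {
        switch (hooks[hooknum][i]->hook(hooknum, p)) {
        case NF_ACCEPT: break;        /* go on to the next hook */
        case NF_REPEAT: i--; break;   /* call this same hook again (hook must make progress) */
        case NF_DROP:   return 0;     /* packet is discarded */
        case NF_STOLEN: return 0;     /* hook took ownership; stack forgets the packet */
        case NF_QUEUE:  return 0;     /* handed to a userspace queue; stack stops here */
        default:        return 0;     /* unknown verdict: treat as drop */
        }
    }
    return 1;
}

/* Accounting hook: counts packets at its hook point and never interferes. */
static unsigned int count_hook(unsigned int hooknum, struct pkt *p)
{
    (void)p;
    seen[hooknum]++;
    return NF_ACCEPT;
}

/* Filter hook: drop inbound telnet (port 23) unless it comes from the admin host.
 * Constructed policy for the example. */
#define ADMIN_HOST 0x0A000001u   /* 10.0.0.1, constructed */
static unsigned int filter_hook(unsigned int hooknum, struct pkt *p)
{
    (void)hooknum;
    if (p->dport == 23 && p->saddr != ADMIN_HOST) return NF_DROP;
    return NF_ACCEPT;
}

static struct hook_ops count_pre = { count_hook,  NF_IP_PRE_ROUTING,   0 };
static struct hook_ops count_in  = { count_hook,  NF_IP_LOCAL_IN,    100 };
static struct hook_ops filter_in = { filter_hook, NF_IP_LOCAL_IN,      0 };

/* Register the three hooks; order of registration does not matter, priority does. */
int setup(void)
{
    return nf_register_hook(&count_in) | nf_register_hook(&filter_in)
         | nf_register_hook(&count_pre);
}

unsigned long packets_seen(unsigned int hooknum) { return seen[hooknum]; }

/* Push one locally delivered packet through PRE_ROUTING then LOCAL_IN,
 * as ip_rcv() -> ip_local_deliver() would. Returns 1 if delivered. */
int try_deliver(unsigned int saddr, unsigned short dport)
{
    struct pkt p = { saddr, 0x0A000002u, dport };   /* 10.0.0.2 is our host, constructed */
    if (!nf_hook(NF_IP_PRE_ROUTING, &p)) return 0;
    return nf_hook(NF_IP_LOCAL_IN, &p);
}

int main(void)
{
    setup();
    printf("telnet from 192.168.1.5 delivered: %d\n", try_deliver(0xC0A80105u, 23));
    printf("telnet from 10.0.0.1 delivered:    %d\n", try_deliver(ADMIN_HOST, 23));
    printf("http from 192.168.1.5 delivered:   %d\n", try_deliver(0xC0A80105u, 80));
    printf("seen at PRE_ROUTING: %lu, at LOCAL_IN: %lu\n",
           packets_seen(NF_IP_PRE_ROUTING), packets_seen(NF_IP_LOCAL_IN));
    return 0;
}
```

The priority ordering is the point worth noticing: the filter at LOCAL_IN has a lower priority value than the accounting hook there, so a dropped packet is counted at PRE_ROUTING but never reaches the LOCAL_IN counter. The same ordering decides, in the real kernel, whether a module's hook sees a packet before or after connection tracking and NAT have touched it.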
Currently, four major subsystems exist on top of netfilter:
- The backwards-compatibility ipchains & ipfwadm +masq/redir modules.
- The `iptables' packet classification system.
- The connection-tracking system.
- The NAT system.
Linux 2.4's IP stack now has sufficient hooks to cleanly extend functionality for filtering, NAT and random hacks.