👊🏽 👊🏿 🚪 FreeBSD. Network packet path inside kernel 🌶️ 🤽🏻 🚚

FreeBSD PF Firewall
FreeBSD. Filtering PF traffic
FreeBSD. streams, tags and anchors in PF
FreeBSD. PF Conditional Routing
FreeBSD. The path of the network packet inside the kernel. <- you are here

In previous articles, we discussed PF, its main features, and tried to apply this firewall in various situations. However, simple knowledge of which rules and in what sequence should be put in the configuration is not always enough to achieve the goal. Much becomes clear only if you look a little deeper: at the OS kernel level, and how firewalls interact with it.

We will not analyze the levels of the network card driver (level 2 of the OSI model), but immediately go up to level 3, where the tcp / ip kernel stack works.

mbuf. , , : a , (next hop), ttl, , . . . mbuf .

ip_input()

ip_input().

ttl .
ALTQ ( ), .
IPSEC_CAPS(), ipsec, , , , . ipsec ip_input(), .
pfil. . , , . rc.conf PF, .
. — IP, ip_forward(). .
(reassemble), .
IPSEC_INPUT().
, . — icmp error ip_output().

, .

ip_forward()

ipsec — IPSEC_FORWARD().
. , net.inet.ip.forwarding 1. - , icmp error ip_output().
, , icmp_redirect, .
ttl.
ip_output().

ip_output()

. , .
ipsec — IPSEC_OUTPUT().
pfil — .
, (dst), (fib) . , . , .
, .
.

, . , . , . , , , . mbuf.

, pf in out.

pass in on re0 inet...

ip_input. out — ip_output.

pass out quick on $ExtIf2 ...

anchors .

route-to reply-to next hop :

pass in quick on $ExtIf2 reply-to ($ExtIf2 $ExtIf2Gw ) tagged DSTNAT
pass in quick on $IntIf1 route-to ( $Tun1 $Tun1Gw ) from ($IntIf1:network)

rtable:

pass in quick on $IntIf2 from { $IntIf2Net } rtable 1 tag PASS

FreeBSD, , , , .

— . , , , , , VPN , , ftp-, web- jabber-, IP-… , . 35 , 9 .

FreeBSD. Network packet path inside kernel

ip_input()

ip_forward()

ip_output()

More articles: