Created
October 17, 2012 01:28
-
-
Save supermartian/3903228 to your computer and use it in GitHub Desktop.
Netfilter snippets
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1、Netfilter核心基于在IP层插入的5个HOOK | |
| PREROUTING: NF_IP_PRE_ROUTING | |
| LOCAL_INPUT: NF_IP_LOCAL_IN | |
| FORWARD: NF_IP_FORWARD | |
| LOCAL_OUTPUT: NF_IP_LOCAL_OUT | |
| POSTROUTING: NF_IP_POST_ROUTING | |
| 2、Netfilter在PRE_ROUTING和LOCAL_OUT处进行分片重组,也就是进入Netfilter的模块确保全部都是不分片的(?) | |
| nf_defrag_ipv4.c | |
| 重组从外面进来的包,和本地主机生成的数据包 | |
| 3、nf_conntrack_in()挂在钩子点NF_IP_PRE_ROUTING,同时被挂在NF_IP_LOCAL_OUT上的nf_conntrack_local()调用 | |
| 4、nf_conntrack_help()挂在NF_IP_LOCAL_IN和NF_IP_POST_ROUTING上。当有包进来时,根据连接跟踪记录查看是否有对应连接,若有,调用相应的help()处理 | |
| 5、TUPLE: | |
| L3 PROTO; SOURCE ADDR; DEST ADDR; L4 PROTO; L4 KEY | |
| 五元组 | |
| 6、NAT LOOPBACK | |
| 指的是内网A主机建立的服务器,同内网的B主机不能通过外网IP来访问。不知道为什么。 | |
| Openwrt不支持Nat loopback,这样应该代表Linux本身无法支持。 | |
| 7、Tuning | |
| 主要是提高nf_conntrack_max和hashsize,hashsize = nf_conntrack_max / 8 | |
| /sys/module/nf_conntrack/parameters/hashsize | |
| /proc/sys/net/ipv4/netfilter/ip_conntrack_max | |
| 平均每个ct表项占304bytes,算上浪费的空间,平均每个占316bytes,每页13个表项 | |
| HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 / (x / 32) where x is the number of bits in a pointer (for example, 32 or 64 bits) | |
| 减少各项timeout, | |
| nf_conntrack_tcp_timeout_established | |
| nf_conntrack_tcp_timeout_fin_wait | |
| nf_conntrack_generic_timeout |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment