17. Tables
Different tables serve different functions:
filter: filter the packets.
nat: change the IP address.
raw: handle packets that should not be connection-tracked.
mangle: change packet information.
36. Another app is currently holding
the xtables lock. Perhaps you
want to use the -w option?
37. What happened
The iptables command needs to
communicate between user space and
kernel space.
It needs a lock to keep the rule set
consistent.
By default, iptables exits if it can't acquire the
lock.
Use the -w option to wait for the lock.
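To make the two behaviours on this slide concrete, here is an added example (not code from the original slides or from the iptables project) that simulates the xtables lock with flock() on a temporary file, which is an assumption standing in for the real lock that iptables holds during a rule change. With no wait the second caller fails immediately with the slide's error message; with a -w style wait it retries until the lock is released.

```python
import errno
import fcntl
import os
import tempfile
import threading
import time

# Assumption: a temp file plays the role of the real xtables lock file.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "xtables-demo.lock")
LOCK_MSG = ("Another app is currently holding the xtables lock. "
            "Perhaps you want to use the -w option?")


class XtablesLockBusy(RuntimeError):
    """Raised when the lock is held and we are not allowed to wait."""


def acquire_xtables_lock(wait_seconds=0, interval=0.1, path=LOCK_PATH):
    """Mimic iptables lock handling. wait_seconds == 0 means the default
    (fail at once if the lock is held); wait_seconds > 0 behaves like -w N
    and retries until N seconds have elapsed. Returns the fd holding the lock."""
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    deadline = time.monotonic() + wait_seconds
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return fd
        except OSError as exc:
            if exc.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
                os.close(fd)
                raise
            if time.monotonic() >= deadline:
                os.close(fd)
                raise XtablesLockBusy(LOCK_MSG)
            time.sleep(interval)


def release_xtables_lock(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def contended(wait_seconds, hold_seconds=0.3):
    """Hold the lock, release it from a helper thread after hold_seconds, and
    meanwhile attempt one rule change with the given -w setting.
    Returns 'rule committed' on success or the lock error message."""
    holder = acquire_xtables_lock()
    timer = threading.Timer(hold_seconds, release_xtables_lock, args=(holder,))
    timer.start()
    try:
        fd = acquire_xtables_lock(wait_seconds)
        release_xtables_lock(fd)       # the rule change would happen in between
        return "rule committed"
    except XtablesLockBusy as exc:
        return str(exc)
    finally:
        timer.join()


if __name__ == "__main__":
    print(contended(0))   # default: fails with the lock error
    print(contended(2))   # -w 2: waits for the holder and succeeds
```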
48. libiptc
Library which manipulates firewall
rules.
Uses system calls to interact with the
kernel:
○ getsockopt
○ setsockopt
Maintains a cache for each iptables
command.
49. Workflow
Initialize libiptc to fetch all current
rules.
Store those rules in a local cache.
Operate on the rules in that cache.
Commit the changes to the kernel.
50. Workflow
Initialize libiptc to fetch all current
rules.
In iptables, a handle
(xtc_handle) represents the cache.
73. Architecture
For each extension, you need to
prepare two things.
User-space library to parse the
command.
Kernel-space module to implement
that function.
90. Summary
The iptables system includes a
user-space tool and a kernel-space
subsystem.
Today we focused on how the user-space tool
works.
91. iptables
iptables needs a lock to protect the
rules.
iptables uses the library (libiptc) to
control the rules via system calls.
You can extend iptables by
implementing extension
match/target functions.
93. Extension
For each iptables extension module,
you need both a user-space and a
kernel-space part.
Make sure both are built for the same
kernel version.
User-Space
○ Parse the arguments and store the
data in the pre-defined structure.
Kernel-Space
○ Implement the match function.