602 points hhutw | 22 comments
1. elevation No.45640290
This place needs more of this kind of documentation.

I failed to use IP tables for years. I bought books. I copied recipes from blog posts. Nothing made sense, everything I did was brittle. Until I finally found a schematic showing the flowchart of a packet through the kernel, which gives the exact order that each rule chain is applied, and where some of the sysctl values are enforced. All of a sudden, I could write rules that did exactly what I wanted, or intelligently choose between rules that have equivalent behaviors in isolation but which could have different performance implications.

After studying the schematic, everything would just work on the first try. A good schematic makes a world of difference!

replies(4): >>45640322 #>>45640323 #>>45643938 #>>45648472 #
2. HotGarbage No.45640322
Was it this one? https://en.wikipedia.org/wiki/File%3aNetfilter-packet-flow.s...
replies(3): >>45642616 #>>45644247 #>>45648367 #
3. Koffiepoeder No.45640323
Can you share the diagram? Would love to become iptables-enlightened.
replies(3): >>45640358 #>>45640550 #>>45640583 #
4. elevation No.45640358
Eventually I used more detailed diagrams, but this one was like a lightbulb going off:

https://www.frozentux.net/iptables-tutorial/images/tables_tr...

I couldn’t find one that annotated where the sysctl configurables were applied. But this is a useful annotation, even if it’s an exercise for the reader.

5. eptcyka No.45640550
It is time to be nftables enlightened instead.
replies(3): >>45640582 #>>45641007 #>>45648050 #
6. VTimofeenko No.45640582{3}
Similar diagram, right in nftables wiki:

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_...

7. jcynix No.45640583
Besides the diagram you'll find tutorials on https://www.frozentux.net/category/linux/iptables/ too.

And at http://www.easyfwgen.morizot.net/ there's an old, but still useful generator for an iptables setup. That should help to understand iptables.

8. Arch-TK No.45641007{3}
It's more of a netfilter (the thing behind iptables and nftables) diagram rather than just iptables.

If you know how iptables maps to that diagram you are very likely to be able to quickly understand how nftables does too.

replies(1): >>45642465 #
9. eptcyka No.45642465{4}
Sure, but we really shouldn’t be encouraging the use of iptables in 2025.
replies(3): >>45645571 #>>45653367 #>>45656662 #
10. suprjami No.45642616
One of my favourite webpages. Have used it countless times over the years.
11. PunchyHamster No.45643938
It is also worth mentioning the TRACE target, which will dump to the logs exactly which rule a packet hit; it's invaluable on big firewalls.
12. UltraSane No.45644247
I use this all the time when writing iptable rules.
13. mmh0000 No.45645571{5}
That's not realistic for most of the Linux world.

Soooo many systems are still using iptables even though we "should" be using nft everywhere.

If you're going to be a Linux Sys/Net Admin today, you need an understanding of both systems.

replies(1): >>45647591 #
14. eptcyka No.45647591{6}
If someone doesn’t know iptables, they probably are not required to know it. You wouldn’t recommend people to learn C++03, would you?
replies(2): >>45662390 #>>45695937 #
15. immibis No.45648367
This also isn't complete because it doesn't show code between or around the various tables. I used to think of iptables as dumb filters that manipulate raw packets before/after the rest of the kernel sees them, but this view is wrong, and doesn't explain, for example, how it does NAT.

And the answer is it doesn't do NAT. The code is already preparing to do NAT, and that code merely consults the table to find out what kind of NAT it should do. The diagram makes it look like you can just move a NAT rule to a filter or mangle rule because the kernel just applies these tables in sequence anyway, but you can't because they are consulted by different blocks of code for different purposes.
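The point immibis makes (and the TRACE target PunchyHamster mentions further up) in nftables terms, as an added example that is not from the thread: a minimal ruleset in which filter and nat chains sit on the same hooks, but only a chain of type nat is consulted by the connection-tracking NAT code, so a dnat statement cannot simply be moved into a filter chain. Interface names and the 192.0.2.10 address are placeholders.

```nft
# Added example, not from the thread. Load with: nft -f demo.nft
# Interface names (lan0, wan0) and 192.0.2.10 are placeholder values.
flush ruleset

table inet demo {
    # Filter chain: consulted by the packet-filtering hook code.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        # nftables counterpart of the iptables TRACE target: flag new SSH
        # connections for tracing, then watch them with "nft monitor trace".
        tcp dport 22 ct state new meta nftrace set 1
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
    }

    # NAT chains: same prerouting/postrouting hooks, but "type nat" and the
    # dstnat/srcnat priorities put them where the conntrack NAT code looks.
    # A "dnat to" statement is only accepted in a chain of type nat.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 8080 dnat ip to 192.0.2.10:80
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Moving the dnat line into the forward chain is rejected at load time, which is the "consulted by different blocks of code" distinction made explicit in the chain type.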

16. waynesonfire No.45648472
> I failed to use IP tables for years.

Me too, then I discovered FreeBSD and pf tables. I _feel_ like an expert network engineer now. It took time and effort of course, but the learning process "clicked" for me all along the way and I was able to build on my understandings. Give it a try!

https://docs.freebsd.org/en/books/handbook/firewalls/

There was a recent book published on the tool, The Book of PF, 4th Edition.

17. dns_snek No.45653367{5}
I've wanted to switch to nftables on some of my systems but found that some software or other depended on iptables (e.g. Docker Engine, Proxmox). Use nftables if you can get away with it but iptables-specific knowledge is still extremely relevant.
18. CableNinja No.45656662{5}
For the most part iptables is no more; the iptables tools are now just wrappers around nftables. Technically you can still write iptables rules, and they will show up in nftables. Wouldn't recommend it long term, but it's a good way to see the translation.
19. tonyarkles No.45662390{7}
Ahhhhhh at least an understanding that it exists and how it might interact with nft is probably beneficial unless they’re expecting to only ever work on greenfield equipment. If you were to walk into a job with existing IT infrastructure, there’s a solid chance that you’ll encounter iptables. If you’re looking to do a deep dive into something and learn it well, definitely nft is the way to go but being able to tweak iptables configs without needing to start over with a clean nft slate is valuable.

To your C++03 analogy, I wouldn’t recommend learning C++03, but I also wouldn’t recommend solely learning C++23 either. C++20 and 23 have some really cool stuff in them that can definitely make your code cleaner, but there’s a lot of codebases that are stuck on older versions (at $JOB one of our target platforms is stuck on C++17 and will never get an upgrade so we can’t move the codebase forward until we abandon that kit).

replies(1): >>45665221 #
20. eptcyka No.45665221{8}
If the person in question has never had the need to know iptables, why would that change now? If a job will require such knowledge, they will pick it up. Iptables is exposed as a facade to nftables, lots of the concepts just transfer over, just that iptables is the more antiquated option.

I for instance have never really used iptables in anger, but have lots of experience with nftables and pf. I’ve used both in a professional setting. People can be made aware of iptables, but unless there’s a need to know it, I wouldn’t recommend picking it up now. And you’ll know if you need to learn c++17 or iptables, or python 2.7.

replies(1): >>45666017 #
21. eptcyka No.45666017{9}
For more context, I've been working pretty closely with firewalls on all desktop platforms, and I've been doing so since 2018, and I've never had to know about iptables on Linux.
22. johnisgood No.45695937{7}
> If someone doesn’t know iptables, they probably are not required to know it.

That makes no sense. Just because I do not know X, it does not necessarily follow that I am not required to know it, not at all. I might need it for my job, or my future job. I might need it for a Linux distribution I just installed, and so forth. Or perhaps I am already using iptables, but I do not know it.