
602 points hhutw | 1 comments
elevation ◴[] No.45640290[source]
This place needs more of this kind of documentation.

I failed to use IP tables for years. I bought books. I copied recipes from blog posts. Nothing made sense, everything I did was brittle. Until I finally found a schematic showing the flowchart of a packet through the kernel, which gives the exact order that each rule chain is applied, and where some of the sysctl values are enforced. All of a sudden, I could write rules that did exactly what I wanted, or intelligently choose between rules that have equivalent behaviors in isolation but which could have different performance implications.

After studying the schematic, everything would just work on the first try. A good schematic makes a world of difference!

replies(4): >>45640322 #>>45640323 #>>45643938 #>>45648472 #
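As an added example, not part of any comment in this thread: a small Python model of the packet flow such a schematic depicts, using the classic netfilter hook order and the standard nftables base-chain priorities (raw -300, conntrack -200, mangle -150, dstnat -100, filter 0, srcnat 100). The addresses and the DNAT mapping are constructed sample values; it shows why a filter rule on the forward hook sees the post-DNAT destination, and why the routing decision can turn an "input" packet into a "forward" one.

```python
from typing import Dict, List, Tuple

# Standard nftables base-chain priorities; within one hook, lower runs first.
# conntrack is not a user chain, it is modelled as a stage at its -200 slot.
PRIORITY = {"raw": -300, "conntrack": -200, "mangle": -150,
            "dstnat": -100, "filter": 0, "srcnat": 100}

# Stages present on each hook in the classic diagram (listed deliberately
# unsorted: in nftables the priority value, not the listing order, decides).
HOOK_STAGES = {
    "prerouting":  ["dstnat", "mangle", "raw", "conntrack"],
    "input":       ["filter", "mangle"],
    "forward":     ["filter", "mangle"],
    "output":      ["filter", "dstnat", "mangle", "raw", "conntrack"],
    "postrouting": ["srcnat", "mangle"],
}

def ordered_stages(hook: str) -> List[str]:
    """Execution order of the stages registered on one hook."""
    return sorted(HOOK_STAGES[hook], key=PRIORITY.__getitem__)

def trace(pkt: Dict[str, str], local_addrs: set, dnat: Dict[str, str],
          local_origin: bool = False) -> List[Tuple[str, str, str]]:
    """Walk a packet through the hooks; return (hook, stage, dst seen) per step.
    The routing decision (input vs forward) uses the dst *after* dstnat."""
    pkt = dict(pkt)
    steps = []
    def run(hook):
        for stage in ordered_stages(hook):
            if stage == "dstnat":                       # DNAT rewrites dst here
                pkt["dst"] = dnat.get(pkt["dst"], pkt["dst"])
            steps.append((hook, stage, pkt["dst"]))
    if local_origin:                                    # routing happened before output
        run("output"); run("postrouting")
        return steps
    run("prerouting")
    if pkt["dst"] in local_addrs:                       # routing decision
        run("input")
    else:
        run("forward"); run("postrouting")
    return steps

def filter_sees(steps, hook):
    """The dst address the filter stage on `hook` observed, or None if not hit."""
    return next((d for h, s, d in steps if h == hook and s == "filter"), None)

# Constructed sample: 203.0.113.10 is an address of the box itself, but a DNAT
# rule maps it to an internal host, so the packet ends up forwarded, not input.
LOCAL = {"203.0.113.10", "10.0.0.1"}
DNAT = {"203.0.113.10": "10.0.0.5"}
PKT = {"src": "198.51.100.7", "dst": "203.0.113.10"}
```

Remove the DNAT entry and the same packet is delivered locally through the input hook instead, which is the kind of ordering dependency a flat list of rules hides.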
Koffiepoeder ◴[] No.45640323[source]
Can you share the diagram? Would love to become iptables-enlightened.
replies(3): >>45640358 #>>45640550 #>>45640583 #
eptcyka ◴[] No.45640550[source]
It is time to be nftables enlightened instead.
replies(3): >>45640582 #>>45641007 #>>45648050 #
Arch-TK ◴[] No.45641007[source]
It's more of a netfilter (the thing behind iptables and nftables) diagram rather than just iptables.

If you know how iptables maps to that diagram you are very likely to be able to quickly understand how nftables does too.

replies(1): >>45642465 #
eptcyka ◴[] No.45642465{3}[source]
Sure, but we really shouldn’t be encouraging the use of iptables in 2025.
replies(3): >>45645571 #>>45653367 #>>45656662 #
mmh0000 ◴[] No.45645571{4}[source]
That's not realistic for most of the Linux world.

Soooo many systems are still using iptables even though we "should" be using nft everywhere.

If you're going to be a Linux Sys/Net Admin today, you need an understanding of both systems.

replies(1): >>45647591 #
eptcyka ◴[] No.45647591{5}[source]
If someone doesn’t know iptables, they probably are not required to know it. You wouldn’t recommend people to learn C++03, would you?
replies(2): >>45662390 #>>45695937 #
johnisgood ◴[] No.45695937{6}[source]
> If someone doesn’t know iptables, they probably are not required to know it.

That makes no sense. Just because I do not know X, it does not necessarily follow that I am not required to know it, not at all. I might need it for my job, or my future job. I might need it for a Linux distribution I just installed, and so forth. Or perhaps I am already using iptables, but I do not know it.