IP Filter Flow

Diagram illustrating the flow of TCP/IP packets through the various stages introduced by IP Filter.

                                   IN
                                    |
                                    V
          +-------------------------+--------------------------+
          |                         |                          |
          |                         V                          |
          |            Network Address Translation             |
          |                         |                          |
          |         authenticated   |                          |
          |       +-------<---------+                          |
          |       |                 |                          |
          |       |                 V                          |
          |       V           IP Accounting                    |
          |       |                 |                          |
          |       |                 V                          |
          |       |        Fragment Cache Check--+             |
          |       |                 |            |             |
          |       V                 V            V             |
          |       |         Packet State Check-->+             |
          |       |                 |            |             |
          |       |       +->--+    |            |             |
          |       |       |    |    V            |             |
          |       V   groups   Firewall check    V             |
          |       |       |    |    |            |             |
          |       |       +--<-+    |            |             |
          |       |                 |            |             |
          |       +---------------->|<-----------+             |
          |                         |                          |
          |                         V                          |
          |                +---<----+                          |
          |                |        |                          |
          |            function     |                          |
          |                |        V                          |
          |                +--->----+                          |
          |                         |                          |
          |                         V                          |
       +--|---<--- fast-route ---<--+                          |
       |  |                         |                          |
       |  |                         V                          |
       |  +-------------------------+--------------------------+
       |                            |
       |                        pass only
       |                            |
       |                            V
       V               [KERNEL TCP/IP Processing]
       |                            |
       |  +-------------------------+--------------------------+
       |  |                         |                          |
       |  |                         V                          |
       |  |                Fragment Cache Check--+             |
       |  |                         |            |             |
       |  |                         V            V             |
       |  |                 Packet State Check-->+             |
       |  |                         |            |             |
       |  |                         V            |             |
       V  |                    Firewall Check    |             |
       |  |                         |            V             |
       |  |                         |<-----------+             |
       |  |                         V                          |
       |  |                   IP Accounting                    |
       |  |                         |                          |
       |  |                         V                          |
       |  |            Network Address Translation             |
       |  |                         |                          |
       |  |                         V                          |
       |  +-------------------------+--------------------------+
       |                            |
       |                        pass only
       V                            |
       +--------------------------->|
                                    V
                                   OUT
Network Address Translation (NAT):
output packets going through NAT have their source IP address changed, if a mapping rule matches and there is space in the NAT table, before being sent out. Because the output firewall check runs before NAT (see the diagram), output rules see the packet's original, untranslated source address.
input packets going through NAT have their destination IP address changed back to the original value, if a matching entry is found in the NAT table. Because input NAT runs before the firewall check, input rules see the restored (internal) destination address rather than the externally visible one.
IP Accounting:
input and output rules can be set up separately, recording the number of bytes that pass through. Each time a rule matches, the packet's byte count is added to that rule's counter. Every matching accounting rule is updated, not just the first, so cascading statistics (for example a total for an interface, then per-host breakdowns) can be collected.
Firewall check:
input and output rules can be set up separately. They determine whether a packet is allowed through IP Filter: on input, into the kernel's TCP/IP routines; on output, onto the network. As the diagram shows, this check is reached only after the fragment cache check and the packet state check; a packet that matches an existing fragment or state table entry skips the rule set and rejoins the flow after it.
Fast-route:
packets that are fast-routed leave the input pass directly (the left-hand path in the diagram), bypassing the kernel's TCP/IP processing and the whole output pass.
IP Authentication:
packets that have been authenticated are passed through the firewall loops only once, to prevent double processing; in the diagram they leave the input pass immediately after NAT and rejoin it just before the function stage.
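
The following rule fragments illustrate the ordering above. They are an added example, not part of the original page or of the IP Filter distribution. The interface name ext0, the public address 203.0.113.1, the internal network 10.1.0.0/16 and the internal web server 10.1.0.5 are assumptions made for illustration only.

```text
# --- ipnat.conf (NAT stage; assumed addresses, example only) ---
# Outbound "map": applied AFTER the output firewall check, so the
# 'pass out' rule below must match the private source, not 203.0.113.1.
map ext0 10.1.0.0/16 -> 203.0.113.1/32 portmap tcp/udp 10000:65000
map ext0 10.1.0.0/16 -> 203.0.113.1/32
# Inbound "rdr": applied BEFORE the input firewall check, so the
# 'pass in' rule below must match the internal destination 10.1.0.5.
rdr ext0 203.0.113.1/32 port 80 -> 10.1.0.5 port 80 tcp

# --- ipf.conf (accounting, state and firewall stages) ---
# Accounting rules never terminate processing; both counters below are
# updated for every inbound packet, giving a total and a per-host figure.
count in on ext0 all
count in on ext0 from any to 10.1.0.5

# Default deny in both directions; 'quick' rules above these win.
block in log all
block out log all

# Input: rdr has already rewritten the destination to 10.1.0.5.
# Matching on 203.0.113.1 here would never fire.
pass in quick on ext0 proto tcp from any to 10.1.0.5 port = 80 flags S keep state

# Output: the firewall check runs before map, so the rule sees the
# private 10.1.0.0/16 source. Reply packets arriving on ext0 are
# un-NATed and then accepted by the state table, never reaching the
# 'block in' rule (state check precedes the firewall check).
pass out quick on ext0 proto tcp from 10.1.0.0/16 to any flags S keep state

# Rule groups (the "groups" loop in the diagram): a head rule hands
# matching packets to group 100, whose rules are evaluated in turn.
block in quick on ext0 all head 100
pass in quick proto tcp from any to 10.1.0.5 port = 80 flags S keep state group 100
```

The practical check is to write input rules in terms of the addresses a packet will carry after inbound NAT, and output rules in terms of the addresses it carries before outbound NAT; a rule written against the public address on the wrong side of the NAT stage will silently never match.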


Darren Reed

darrenr@pobox.com