
@sagax
Created November 7, 2023 23:07
// Original diagram this graph is redrawn from:
// https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
digraph G {
// Graph-wide defaults: grey canvas, ranks laid out top to bottom, 200 dpi output.
graph [
bgcolor=grey90;
splines=true;
dpi=200;
rankdir=TB;
pad=1;
// compound=true enables cluster-clipped edges (lhead/ltail); no edge in this
// file sets either attribute.
compound=true;
];
// Node defaults. shape=record means a label written as "{a|b}" is drawn as two
// stacked fields; the table/chain nodes below use this form (table name first,
// chain name second). Nodes that set shape=square or shape=doublecircle
// override it and use plain "\n" line breaks instead.
node [
shape=record;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
color=grey19;
fontsize=18;
];
// Edge defaults. dir=both draws both ends: an open dot at the tail and a vee
// arrow at the head, so the direction of packet travel is tail -> head.
// color is assigned twice with the same value; the second assignment is redundant.
edge [
color=grey19;
arrowtail=odot;
arrowhead=vee;
dir=both;
arrowsize=1;
fontname="Ubuntu Mono Bold";
color=grey19;
fontsize=18;
penwidth=1;
];
// Legend: the font colour of a table/chain node tells which hook family it
// belongs to. green4 = network level, dodgerblue4 = bridge level.
// When writing or auditing rules, read the colour first: a green4 node is
// evaluated by the network-level ruleset and a dodgerblue4 node by the
// bridge-level ruleset, even when both sit in the same layer box.
subgraph cluster_legend {
style="filled";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
// Same colour as the graph bgcolor, so the cluster box itself is not visible.
color=grey90;
// Legend entries are fixed-size white boxes (width/height are in inches).
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
]
network_level [
label="NETWORK LEVEL";
fontcolor=green4;
];
bridge_level [
label="BRIDGE LEVEL";
fontcolor=dodgerblue4;
];
}
// Ingress stages that run before any table/chain node:
// interface -> XDP -> skb allocation -> ingress qdisc -> bridge check.
// None of the nodes in this cluster is a netfilter table, so nothing here is
// subject to the filter/nat/mangle/raw rules drawn further down.
subgraph cluster_start {
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
color=grey90;
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
]
interface_input [
label="interface\ninput";
shape=doublecircle;
fillcolor=plum;
color=plum;
];
// First processing node after the interface; its verdicts label the edges below.
xdp_ebpf [
label="xdp\nebpf";
shape=square;
];
// Terminal node: it has no outgoing edge anywhere in this file.
userspace_af_xdp [
label="userspace\n(AF_XDP)";
shape=square;
];
alloc_skb [
label="alloc_skb";
shape=square;
];
taps_af_packet [
label="taps e.g\nAF_PACKET";
shape=square;
];
ingress_qdisc [
label="ingress\n(qdisc)";
shape=square;
];
bridge_check [
label="bridge\ncheck";
shape=square;
];
interface_input -> xdp_ebpf;
// XDP_PASS is the only verdict drawn here that continues towards the netfilter hooks.
xdp_ebpf -> alloc_skb [label="XDP_PASS"];
// XDP_REDIRECT hands the packet to an AF_XDP socket; as drawn, it never
// reaches a table/chain node, so firewall rules do not see this traffic.
xdp_ebpf -> userspace_af_xdp [label="XDP_REDIRECT"];
// Main ingress path; weight=50 keeps this chain short and straight in the layout.
alloc_skb -> ingress_qdisc -> bridge_check [weight=50];
// The tap receives a clone taken right after alloc_skb, i.e. before the
// ingress qdisc and before every table/chain node. A capture on this tap
// therefore also shows packets that a later filter rule drops.
alloc_skb -> taps_af_packet [label="clone\npacket"];
}
// Link layer: the path taken by frames that the bridge check sends to the
// bridge. It holds three sub-clusters (output, forward, input path) plus the
// edges that join them.
// Font colours follow the legend: dodgerblue4 = bridge level, green4 = network
// level. green4 nodes inside this cluster are network-level table/chain nodes
// drawn on the bridged path.
// NOTE(review): whether bridged frames actually traverse the network-level
// hooks depends on kernel configuration (br_netfilter and its
// bridge-nf-call-* sysctls) - this file does not say so; confirm against the
// original diagram before relying on green4 rules to filter bridged traffic.
subgraph cluster_link_layer {
label="link layer";
color=lightblue;
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
];
// Output path. Two separate chains are declared here (see the two edge
// statements at the end of this sub-cluster); numeric suffixes only keep
// node ids unique, since several nodes share the same label.
subgraph cluster_link_layer_output_path {
label="output path";
style="rounded,filled";
// 8-digit hex colour: white with alpha 0x55, a translucent inner panel.
color="#FFFFFF55";
nat_postrouting_31 [
label="{nat|postrouting}";
fontcolor=dodgerblue4;
];
mangle_postrouting_31 [
label="{mangle|postrouting}";
fontcolor=green4;
];
nat_postrouting_32 [
label="{nat|postrouting}";
fontcolor=green4;
];
mangle_postrouting_32 [
label="{mangle|postrouting}";
fontcolor=green4;
];
nat_postrouting_33 [
label="{nat|postrouting}";
fontcolor=green4;
];
nat_output_3 [
label="{nat|output}";
fontcolor=dodgerblue4;
];
filter_output_3 [
label="{filter|output}";
fontcolor=dodgerblue4;
];
nat_postrouting_34 [
label="{nat|postrouting}";
fontcolor=dodgerblue4;
];
// Chain 1 ends at nat_postrouting_32, chain 2 at nat_postrouting_34; both
// end nodes are connected to egress_qdisc by edges at the end of the file.
nat_postrouting_31 -> mangle_postrouting_31 -> nat_postrouting_32 [weight=50];
mangle_postrouting_32 -> nat_postrouting_33 -> nat_output_3 -> filter_output_3 -> nat_postrouting_34 [weight=50];
}
// Forward path: bridge-level filter/forward first, then network-level
// mangle/forward and filter/forward. The _22/_23 pair is a second, separate
// chain that is entered from routing_decision_4 (edge near the end of the file).
subgraph cluster_link_layer_forward_path {
label="forward path";
style="rounded,filled";
color="#FFFFFF55";
filter_forward_21 [
label="{filter|forward}";
fontcolor=dodgerblue4;
];
mangle_forward_21 [
label="{mangle|forward}";
fontcolor=green4;
];
filter_forward_22 [
label="{filter|forward}";
fontcolor=green4;
];
mangle_forward_22 [
label="{mangle|forward}";
fontcolor=green4;
];
filter_forward_23 [
label="{filter|forward}";
fontcolor=green4;
];
filter_forward_21 -> mangle_forward_21 -> filter_forward_22 [weight=50];
mangle_forward_22 -> filter_forward_23 [weight=50];
}
// Input path for bridged frames. Order as drawn:
// broute -> nat/prerouting (bridge) -> raw/prerouting -> conntrack ->
// mangle/prerouting -> nat/prerouting (network) -> bridging decision ->
// filter/input (bridge).
// raw/prerouting is placed before conntrack, so it is the last table on this
// path that sees a packet before connection tracking has processed it.
subgraph cluster_link_layer_input_path {
label="input path";
style="rounded,filled";
color="#FFFFFF55";
broute_brouting_1 [
label="{broute|brouting}";
fontcolor=dodgerblue4;
];
nat_prerouting_11 [
label="{nat|prerouting}";
fontcolor=dodgerblue4;
];
raw_prerouting_1 [
label="{raw|prerouting}";
fontcolor=green4;
];
conntrack_1 [
label="conntrack";
shape=square;
];
mangle_prerouting_1 [
label="{mangle|prerouting}";
fontcolor=green4;
];
nat_prerouting_12 [
label="{nat|prerouting}";
fontcolor=green4;
];
bridging_decision_1 [
label="bridging\ndecision";
shape=square;
];
filter_input_1 [
label="{filter|input}";
fontcolor=dodgerblue4;
];
broute_brouting_1 -> nat_prerouting_11 -> raw_prerouting_1 -> conntrack_1 -> mangle_prerouting_1 -> nat_prerouting_12 -> bridging_decision_1 -> filter_input_1 [weight=50];
}
// Joins between the three paths: the bridging decision either continues to
// filter/input (edge above) or enters the forward path here; each forward
// chain then feeds its own output chain.
bridging_decision_1 -> filter_forward_21;
filter_forward_22 -> nat_postrouting_31;
filter_forward_23 -> mangle_postrouting_32;
}
// Network layer: the routed path. Every table/chain node here is green4
// (network level in the legend). Three sub-clusters (output, forward, input
// path) plus the two edges that join them.
subgraph cluster_network_layer {
label="network layer";
color=lightgreen;
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
];
// Output path for locally generated traffic (entered from local_process by
// an edge at the end of the file). Order as drawn:
// routing decision -> raw -> conntrack -> mangle -> nat -> filter ->
// reroute check -> mangle/postrouting -> nat/postrouting -> xfrm lookup.
// raw/output is the only table drawn ahead of conntrack on this path.
subgraph cluster_network_layer_output_path {
label="output path";
style="rounded,filled";
color="#FFFFFF55";
// NOTE(review): this node uses a record label "{routing|decision}" and no
// shape override, while routing_decision_4 below uses shape=square with a
// "\n" label; the two decision boxes will render differently - confirm
// whether that is intended.
routing_decision_6 [
label="{routing|decision}";
];
raw_output_6 [
label="{raw|output}";
fontcolor=green4;
];
conntrack_6 [
label="conntrack";
shape=square;
];
mangle_output_6 [
label="{mangle|output}";
fontcolor=green4;
];
nat_output_6 [
label="{nat|output}";
fontcolor=green4;
];
filter_output_6 [
label="{filter|output}";
fontcolor=green4;
];
reroute_check_6 [
label="reroute\ncheck";
shape=square;
];
mangle_postrouting_6 [
label="{mangle|postrouting}";
fontcolor=green4;
];
nat_postrouting_6 [
label="{nat|postrouting}";
fontcolor=green4;
];
xfrm_lookup_6 [
label="xfrm\nlookup";
shape=square;
];
routing_decision_6 -> raw_output_6 -> conntrack_6 -> mangle_output_6 -> nat_output_6 -> filter_output_6 -> reroute_check_6 -> mangle_postrouting_6 -> nat_postrouting_6 -> xfrm_lookup_6 [weight=50];
}
// Forward path for routed (not locally delivered) packets: mangle, then filter.
subgraph cluster_network_layer_forward_path {
label="forward path";
style="rounded,filled";
color="#FFFFFF55";
mangle_forward_5 [
label="{mangle|forward}";
fontcolor=green4;
];
filter_forward_5 [
label="{filter|forward}";
fontcolor=green4;
];
mangle_forward_5 -> filter_forward_5;
}
// Input path. Order as drawn:
// raw -> conntrack -> mangle -> nat (prerouting) -> routing decision ->
// mangle -> nat -> filter (input).
// nat/prerouting sits before the routing decision, so the routing decision
// (local delivery vs. forward) is taken on the packet as that chain left it.
// filter/input is the last table before the xfrm/socket lookup that leads to
// the local process.
subgraph cluster_network_layer_input_path {
label="input path";
style="rounded,filled";
color="#FFFFFF55";
raw_prerouting_4 [
label="{raw|prerouting}";
fontcolor=green4;
];
conntrack_4 [
label="conntrack";
shape=square;
];
mangle_prerouting_4 [
label="{mangle|prerouting}";
fontcolor=green4;
];
nat_prerouting_4 [
label="{nat|prerouting}";
fontcolor=green4;
];
routing_decision_4 [
label="routing\ndecision";
shape=square;
];
mangle_input_4 [
label="{mangle|input}";
fontcolor=green4;
];
nat_input_4 [
label="{nat|input}";
fontcolor=green4;
];
filter_input_4 [
label="{filter|input}";
fontcolor=green4;
];
raw_prerouting_4 -> conntrack_4 -> mangle_prerouting_4 -> nat_prerouting_4 -> routing_decision_4 -> mangle_input_4 -> nat_input_4 -> filter_input_4 [weight=50];
}
// Forwarded packets leave the input path at the routing decision and rejoin
// the output path at the reroute check, i.e. after filter/output: as drawn,
// forwarded traffic passes filter/forward but not filter/input or filter/output.
routing_decision_4 -> mangle_forward_5;
filter_forward_5 -> reroute_check_6;
}
// Protocol layer: the xfrm (label: "e.g. ipsec") encode and decode steps.
// Only the output and input path sub-clusters contain nodes.
subgraph cluster_protocol_layer {
label="protocol layer";
color=lightgoldenrod;
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
];
subgraph cluster_protocol_layer_output_path {
label="output path";
style="rounded,filled";
color="#FFFFFF55";
// Reached from xfrm_lookup_6; its outgoing edge (end of file) goes back to
// raw_output_6, so an encoded packet passes the output tables again.
xfrm_encode [
label="xfrm\nencode";
shape=square;
];
}
// Declared with no nodes.
// NOTE(review): dot may not draw a cluster that contains no nodes - verify
// in the rendered output.
subgraph cluster_protocol_layer_forward_path {
label="forward path";
style="rounded,filled";
color="#FFFFFF55";
}
subgraph cluster_protocol_layer_input_path {
label="input path";
style="rounded,filled";
color="#FFFFFF55";
xfrm_decode [
label="xfrm\n(e.g. ipsec)\ndecode";
shape=square;
];
// Entered from filter_input_4; leads either to decode (edge below) or to
// the local process (edge at the end of the file).
xfrm_socket_lookup [
label="xfrm/socket\nlookup";
shape=square;
];
xfrm_socket_lookup -> xfrm_decode;
}
}
// Application layer: holds the single local_process node, the end point of
// the input path and the start point of the output path.
subgraph cluster_application_layer {
label="application layer";
color=lightcoral;
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
];
// Declared with no nodes.
// NOTE(review): dot may not draw a cluster that contains no nodes - verify
// in the rendered output.
subgraph cluster_application_layer_output_path {
label="output path";
style="rounded,filled";
color="#FFFFFF55";
}
// NOTE(review): local_process is placed in the cluster labelled
// "forward path", although its edges (end of file) connect the input side
// (xfrm_socket_lookup) to the output side (routing_decision_6) - presumably
// chosen to centre the node in the layout; confirm.
subgraph cluster_application_layer_forward_path {
label="forward path";
style="rounded,filled";
color="#FFFFFF55";
local_process [
label="local\nprocess";
shape=square;
];
}
// Declared with no nodes (same rendering caveat as the output path above).
subgraph cluster_application_layer_input_path {
label="input path";
style="rounded,filled";
color="#FFFFFF55";
}
}
// Egress stages after the last table/chain node: egress qdisc, the AF_PACKET
// tap and the outgoing interface. The edges into these nodes are declared at
// the end of the file.
subgraph cluster_stop {
style="filled,rounded";
fontsize=20;
fontcolor=grey19;
fontname="Ubuntu Mono Bold";
// Same colour as the graph bgcolor, so the cluster box itself is not visible.
color=grey90;
node [
style="filled,rounded";
color=white;
fixedsize=true;
width=2;
height=0.8;
]
egress_qdisc [
label="egress\n(qdisc)";
shape=square;
];
af_packet [
label="AF_PACKET";
shape=square;
];
// Drawn like interface_input (plum double circle) to mark the other end of the flow.
interface_output [
label="interface\noutput";
shape=doublecircle;
fillcolor=plum;
color=plum;
];
}
// Cross-layer edges, drawn thicker (penwidth=2.5) than the in-cluster chains.
// green4 and dodgerblue4 edge colours match the legend; darkorange and crimson
// are used as well but have no legend entry.

// After the bridge check a packet enters either the link-layer input path
// (broute) or the network-layer input path (raw/prerouting).
bridge_check -> broute_brouting_1 [penwidth=2.5];
bridge_check -> raw_prerouting_4 [penwidth=2.5];
routing_decision_4 -> mangle_forward_22 [penwidth=2.5 color=green4];
// Two ways from the bridge path up into the routed path: straight from broute,
// or after the bridge-level filter/input.
broute_brouting_1 -> raw_prerouting_4 [penwidth=2.5 color=dodgerblue4];
filter_input_1 -> routing_decision_4 [penwidth=2.5 color=dodgerblue4];
reroute_check_6 -> mangle_postrouting_32 [penwidth=2.5 color=green4];
xfrm_lookup_6 -> xfrm_encode [weight=70 penwidth=2.5 color=green4];
// An encoded packet goes back to raw/output and so runs through the output
// tables a second time; the label states that no copy is handed to AF_PACKET here.
xfrm_encode -> raw_output_6 [label="no clone to\nAF_PACKET" penwidth=2.5 color=darkorange];
filter_input_4 -> xfrm_socket_lookup [penwidth=2.5 color=green4];
xfrm_socket_lookup -> local_process [weight=30 penwidth=2.5 color=darkorange];
local_process -> routing_decision_6 [weight=10 penwidth=2.5 color=crimson];
// A decoded packet re-enters the network-layer input path at raw/prerouting,
// so the input tables see the traffic twice: once in its encoded form and once
// decoded. Rules on that path have to account for both passes.
xfrm_decode -> raw_prerouting_4 [penwidth=2.5 color=darkorange];
// The decoded packet is also cloned to the capture taps.
xfrm_decode -> taps_af_packet [label="clone\npacket" penwidth=2.5 color=darkorange];
// NOTE(review): weight=-30 is negative; Graphviz documents a minimum weight of
// 0 for dot, so this value is presumably clamped or rejected - confirm the
// intended layout effect.
xfrm_lookup_6 -> egress_qdisc [weight=-30 penwidth=2.5 color=green4];
nat_postrouting_34 -> egress_qdisc [penwidth=2.5 color=dodgerblue4];
nat_postrouting_32 -> egress_qdisc [penwidth=2.5 color=dodgerblue4];
// The egress tap is fed from the egress qdisc, i.e. after every postrouting
// node: a capture here shows packets as they leave, after nat and mangle.
egress_qdisc -> af_packet [label="clone\npacket"];
egress_qdisc -> interface_output;
// XDP_TX goes straight from the XDP node to the outgoing interface. As drawn,
// it passes no table/chain node and not the egress qdisc, so neither firewall
// rules nor the AF_PACKET taps see this traffic.
xdp_ebpf -> interface_output [headlabel="XDP_TX" taillabel="XDP_TX"];
}
@sagax
Author

sagax commented Nov 7, 2023

netfilter-packet-flow2
