How many ways are there to interact with Linux TCP/IP stack?

How many ways are there to interact with Linux TCP/IP stack?

[Mayank]

Friends, 

I am new to netfilter world, can someone please
clarify on how many ways are there to interact with
the Linux TCP/IP stack, based on google reading,  I
think it can be achieved in following 3 ways-

1. Userspace ¬– LIBIPQ can be used in  
   conjugation with –j QUEUE
2. Kernal modules- by using nf_register_hook 
3. IPTABLES match – by using register_match 

Are there more ways? does anybody has any comparison
info  in terms of performance etc ? Which one is
faster?

Thanks,
Mayank


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: How many ways are there to interact with Linux TCP/IP stack?

[Philip Craig]

On 02/24/2006 06:37 PM, Mayank wrote:
> I am new to netfilter world, can someone please
> clarify on how many ways are there to interact with
> the Linux TCP/IP stack, based on google reading,  I
> think it can be achieved in following 3 ways-
>
> 1. Userspace ¬– LIBIPQ can be used in
>    conjugation with –j QUEUE
> 2. Kernal modules- by using nf_register_hook
> 3. IPTABLES match – by using register_match
>
> Are there more ways? does anybody has any comparison
> info  in terms of performance etc ? Which one is
> faster?

Basically, the only way is nf_register_hook.  The other 2 are just
infrastructure built on top of that.

That is, iptables registers a netfilter hook, and calls the matches
and targets from this hook.

QUEUE is just a iptables target, so it is called by iptables.

For performance, QUEUE is clearly slower, since it passes the packet
to user space.

Choosing between netfilter hooks or iptables matches should be based
purely on whether you want to use iptables functionality.