elevation 12 hours ago

This place needs more of this kind of documentation.

I failed to use IP tables for years. I bought books. I copied recipes from blog posts. Nothing made sense, everything I did was brittle. Until I finally found a schematic showing the flowchart of a packet through the kernel, which gives the exact order that each rule chain is applied, and where some of the sysctl values are enforced. All of a sudden, I could write rules that did exactly what I wanted, or intelligently choose between rules that have equivalent behaviors in isolation but which could have different performance implications.

After studying the schematic, every would just work on the first try. A good schematic makes a world of difference!

  • PunchyHamster 3 hours ago

    It is also worth mentioning TRACE target that will dump to logs which exact rule the packet hit, it's invaluable big firewalls.

  • Koffiepoeder 12 hours ago

    Can you share the diagram? Would love to become iptables-enlightened.

    • eptcyka 11 hours ago

      It is time to be nftables enlightened instead.

      • Arch-TK 9 hours ago

        It's more of a netfilter (the thing behind iptables and nftables) diagram rather than just iptables.

        If you know how iptables maps to that diagram you are very likely to be able to quickly understand how nftables does too.

        • eptcyka 6 hours ago

          Sure, but we really shouldn’t be encouraging the use of iptables in 2025.

          • mmh0000 an hour ago

            That's not realalistic for most of the Linux world.

            Soooo many systems are still using iptables even though we "should" be using nft everywhere.

            If you're going to be a Linux Sys/Net Admin today, you need an understanding of both systems.

hhutw 12 hours ago

For anyone who is interested, the author of this diagram also made a Linux disk I/O diagram (https://zenodo.org/records/15234151). These diagrams are from his book Operativni sustavi i računalne mreže - Linux u primjeni (https://zenodo.org/records/17371946)

Shout out to the brilliant and generous work of the author!

  • N-Krause 11 hours ago

    Do you know if there is a English version of the book?

    • alfanick 5 hours ago

      If the author agrees, I could try to learn Serbo-Croatian (I'm Polish, good with languages) and translate it to English. I'm kinda a burnout Linux geek, who cannot look at computers much more. Translating a book would be fun, but I would need some sponsoring. Amadeusz at [the old name of icloud].com

      • dudek1337 4 hours ago

        the book is licenced under CC BY-SA so you should be OK with translating as long as you follow the licence terms.

        you could try do a first pass in an AI model to translate and then proof-read it for quicker translation. good luck, it would be fun and potentially impactful ;)

    • hhutw 10 hours ago

      To my knowledge, sadly I can't find an English version of it. I'm too wishing for a future English version so that I can read it. But I guess it will be a lot of work to translate it into English.

  • stuxnet79 10 hours ago

    The Disk I/O diagram is excellent, thank you for sharing.

jruohonen 12 hours ago

That's pretty cool!

If someone could program a visualization tool that would generate such diagrams automatically, that would be even cooler (but likely a mission impossible).

  • alhirzel 6 hours ago

    Automatic generation would be really tough because of all the levels of abstraction traversed in this diagram in particular... But tools like Mermaid / PlantUML can get you in the ballpark, and PGF/TikZ could be a reasonable target if you want to attack that mission by generating text instead of images.

PunchyHamster 3 hours ago

*simplified.

Doesn't even go into iptables/nftables

  • ainiriand 3 hours ago

    If you look closely to iptables, iptables looks back at you.

mixedbit 10 hours ago

For containers you will also have own TCP/IP stack similarly to what is shown for VM on the diagram, this is done when a container uses slirp4netns to provide networking. An alternative is to use kernel TCP/IP stack, this is done when pasta is used for networking, diagram on this page shows the details:https://passt.top/passt/about/.

billfruit 11 hours ago

Is it possible we see the diagram as an svg? I am seeing it only as embedded in the pdf, and really difficult to read .

  • makkes 9 hours ago

    Click on "Download" below the embedded PDF viewer and you'll get the PDF.

colordrops 12 hours ago

I'm surprised to realize I'm familiar with most of the stack just from decades of Linux usage and no formal study of the stack.

roomey 12 hours ago

I'm not sure if this takes into account para-virtualized networks on VMs, ie. VMware vm's with "virtual" hardware access

It's been a few years for me tho, so perhaps it's covered with the VM section.

Lovely diagram, thanks for sharing it!

  • SSLy 8 hours ago

    These usually attach in the bridge or NAT flow.

phrotoma 4 hours ago

Anyone figure out what the colour scheme means?

alhirzel 6 hours ago

s/Aplication/Application/g

RossBencina 9 hours ago

Any recommendations for a map of Linux user-space network management options?

nolist_policy 9 hours ago

qdisc is too small in this diagram and to easy to miss.

snvzz 10 hours ago

Fools admire complexity.

  • 9dev 9 hours ago

    There’s complication, and there’s complexity. Fools admire complication, engineers design solutions to complex problems. This is a diagram explaining the latter.

    • KronisLV 9 hours ago

      I think it was put pretty well by describing things as accidental complexity (of which you want as little as possible) and essential complexity, which is inherent to the problem domain that you're working with and which there is no way around for.

      The same thing could sometimes fall into different categories as well - like going for a microservices architecture when you need to serve about 10'000 clients in total vs at some point actually needing to serve a lot of concurrent requests at any given time.

      • matu3ba 6 hours ago

        > inherent to the problem domain that you're working with and which there is no way around for

        I'd phrase it to reasonable taken trade-offs for customer/user support and/or selling products.

        > going for a microservices architecture when you need to serve about 10'000 clients

        So far I am only aware of the use case to ship/release fast at cost of technical debt (non-synchronized master) of microservices. As I understand it, this is to a large degree due to git shortcomings and no more efficient/scalable replacement solution being in sight. Or can you explain further use cases with technical necessity?

  • yjftsjthsd-h 2 hours ago

    Where/how would you simplify it without losing features?