OpenRG Hooks Scheme

• There is a different set of hooks for RX and TX.
• Hooks are invoked in a pre-defined order, which is significant.
• Some hooks act on all packets (e.g. Firewall) and some only on packets of a specific type (e.g. DHCP hooks act only on DHCP packets, and disregard others).
• Each hook may (and may not) alter any aspect of the packet. Examples:
  1. The Firewall may perform NAPT (alter IP and UDP/TCP data).
  2. The MSS Clamping hook may modify the MSS value in packet's TCP header.
• Each hook returns an answer, either "handled" or "not handled":
  • Not handled means that regardless of whether the packet was modified, it was not consumed and should continue to the next hook.
  • Handled means the packet was "consumed" - all processing stops.
  • Consumed can one of the following:
    • The packet was dropped completely (e.g. by the firewall).
    • The hook decided to reroute the packet and will take care of further processing. Examples:
      1. The firewall hook may drop unauthorized packets.
      2. The bridge hook may directly forward the packet to another bridged interface, and return "handled" (bypass all normal routing).
• When a hook returns "handled", no more hooks are called, and the hooks mechanism returns "handled". This will result in stopping all packet processing in the Linux Kernel.
• The mechanism allows running different sets of hooks for different devices (e.g. usually Firewall hooks are not run on LAN devices to improve performance).
• Each hook is performance optimized.