Inside Linux: A Deep Dive into the TCP/IP Stack Architecture
This article provides a comprehensive overview of the Linux networking stack, detailing the TCP/IP four‑layer model, socket subsystem, transport and IP layers, netfilter hooks, routing, neighbor handling, link‑layer drivers, packet types, traffic control, and kernel configuration interfaces.
TCP/IP Four‑Layer Model
The TCP/IP model defines four conceptual layers: Link, Internet, Transport, and Application. Linux implements these layers in its kernel networking stack.
Linux Kernel Network Stack (Top‑Down)
1. Socket Layer (L4)
Provides the BSD socket API (e.g., socket(), bind(), listen(), accept(), send(), recv()) and abstracts protocol families such as TCP, UDP, ICMP, RAW, PACKET, and NETLINK. Socket options allow fine‑grained control of behavior.
2. TCP/UDP Layer (Transport)
Implements TCP connection management, state machine, retransmission timers, sliding‑window flow control, and congestion‑control algorithms. UDP processing is stateless and handles datagram transmission.
3. IP Layer (Network)
Handles IPv4/IPv6 packet fragmentation and reassembly, header field processing (TTL, TOS/DSCP/ECN, checksum, options), and both inbound decapsulation and outbound encapsulation. Also provides multicast support and ICMP handling.
4. Netfilter Framework
Provides five hook points—PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING—through which packets traverse a series of tables:
NAT: address and port translation.
mangle: modify packet fields such as TOS/DSCP/ECN.
filter: basic packet filtering.
raw: mark packets to bypass connection‑tracking.
conntrack: stateful connection tracking for firewalls and NAT.
5. Routing Subsystem
Implements the Forwarding Information Base (FIB) using hash‑based lookups (LC‑tries) and supports policy routing. Provides three‑layer forwarding decisions (local, broadcast, and forwarding).
6. Neighbor Subsystem
Manages ARP (IPv4) and NDP (IPv6) tables, handling entry creation, updates, aging, and state transitions. Exposes APIs for MAC address resolution.
7. Link‑Layer Driver (L2)
Implements Ethernet bridges, forwarding database (FDB) management, port handling, Spanning Tree Protocol (STP), VLAN tagging, and other IEEE 802.x protocols. Provides MAC‑level forwarding.
8. Packet‑Type Dispatch
Defines a list of protocol handlers and packet‑type identifiers used by the link layer to route incoming frames to the appropriate subsystem (e.g., IP, ARP, IPv6).
9. Traffic Control (TC)
Provides queuing disciplines (qdisc) for packet buffering, classes for hierarchical policy representation, and filters to direct packets to specific classes. Enables rate limiting, shaping, and QoS enforcement.
10. Hardware Driver Layer
Manages network device drivers and supports performance optimizations such as RPS, RFS, XPS, GRO, GSO, and TSO. Handles soft‑IRQ processing via NAPI, DMA, and various NIC implementations.
11. Kernel Configuration Interfaces
Runtime network configuration is exposed through:
/proc/net: statistics and protocol‑specific information.
/proc/sys/net: tunable sysctl parameters (e.g., ipv4.ip_forward).
/sys/class/net/<dev>: per‑interface attributes such as MTU, carrier state, and statistics.
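The following Python script, added here as an illustration and not taken from the original article, reads /proc/sys/net and /sys/class/net/<dev> to flag sysctl settings that deviate from a baseline and to report per‑interface MTU, carrier state, and RX byte counters. The baseline values, the sysctl keys other than ip_forward, and all function names are assumptions, chosen for a host that is not meant to route traffic.

```python
import os
import sys

# Assumed baseline for a non-router host (not from the article); keys are relative to /proc/sys/net.
BASELINE = {
    "ipv4/ip_forward": "0",
    "ipv4/conf/all/accept_redirects": "0",
    "ipv4/conf/all/accept_source_route": "0",
    "ipv4/conf/all/send_redirects": "0",
    "ipv4/tcp_syncookies": "1",
}

def read_value(path):
    """Return stripped file content, or None if missing or unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def audit_sysctls(root="/"):
    """Return [(key, actual, expected)] for each deviation from BASELINE."""
    base = os.path.join(root, "proc/sys/net")
    found = ((k, read_value(os.path.join(base, k)), v) for k, v in sorted(BASELINE.items()))
    return [f for f in found if f[1] != f[2]]

def list_interfaces(root="/"):
    """Return {dev: {mtu, carrier, rx_bytes}} from /sys/class/net/<dev>."""
    base = os.path.join(root, "sys/class/net")
    names = sorted(os.listdir(base)) if os.path.isdir(base) else []
    result = {}
    for dev in names:
        d = os.path.join(base, dev)
        if not os.path.isdir(d):  # skip plain files such as bonding_masters
            continue
        result[dev] = {
            "mtu": read_value(os.path.join(d, "mtu")),
            # Reading carrier fails while the interface is down -> None.
            "carrier": read_value(os.path.join(d, "carrier")),
            "rx_bytes": read_value(os.path.join(d, "statistics/rx_bytes")),
        }
    return result

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for key, actual, expected in audit_sysctls(root):
        print(f"DEVIATION net/{key}: {actual!r} (expected {expected!r})")
    for dev, attrs in list_interfaces(root).items():
        print(dev, attrs)
```

A missing sysctl file is reported as a deviation with an actual value of None, so a kernel built without the corresponding feature shows up in the findings rather than passing silently.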
Key Takeaways
The Linux networking stack mirrors the TCP/IP model while adding extensible hook points (netfilter), a flexible routing subsystem, neighbor resolution, a full‑featured link‑layer driver framework, and powerful traffic‑control mechanisms. These components together enable both stateless and stateful packet filtering, NAT, policy routing, and high‑performance data‑plane processing.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
