On Friday 2011-08-26 11:13, Gáspár Lajos wrote:
>>> The main question is: Why do not we have such a table in the POSTROUTING
>>> chain?
>>If they did not go through nat, the packet's computed state was most
>>likely INVALID or UNTRACKED to begin with. And that you can already
>>filter for in FORWARD.
>I do not get it... If a packet comes from the network then it is
>either goes [...] to FORWARD And there we have nat... If a packet
>comes from the local computer then it leaves out on the OUTPUT
>chain... And there we have nat again... So every packet should be
>tracked at the POSTROUTING chain...

Not every packet is tracked (cf. INVALID/UNTRACKED as I said above).

>Yes, I can filter at the FORWARD and the OUTPUT chain... But why
>can't I at the POSTROUTING??? I do not seek alternatives... (I found
>them... :D) I want to know why it is not "enabled" ???

Nobody needed it so far, because people can filter in FORWARD, and
active hooks have an associated runtime cost.
