Re: Theoretical question: need for filter table in the POSTROUTING chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Friday 2011-08-26 11:13, Gáspár Lajos wrote:
>>>
>>> The main question is: Why do not we have such a table in the POSTROUTING
>>> chain?
>>
>>If they did not go through nat, the packet's computed state was most
>>likely INVALID or UNTRACKED to begin with. And that you can already
>>filter for in FORWARD.
>
>I do not get it... If a packet comes from the network then it is
>either goes [...] to FORWARD And there we have nat... If a packet
>comes from the local computer then it leaves out on the OUTPUT
>chain... And there we have nat again... So every packet should be
>tracked at the POSTROUTING chain...

Not every packet is tracked (cf. INVALID/UNTRACKED as I said above).

>Yes, I can filter at the FORWARD and the OUTPUT chain... But why
>can't I at the POSTROUTING??? I do not seek alternatives... (I found
>them... :D) I want to know why it is not "enabled" ???

Nobody needed it so far, because people can filter in FORWARD, and
active hooks have an associated runtime cost.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux