Re: Theoretical question: need for filter table in the POSTROUTING chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Friday 2011-08-26 11:13, Gáspár Lajos wrote:
>>> The main question is: Why do not we have such a table in the POSTROUTING
>>> chain?
>>If they did not go through nat, the packet's computed state was most
>>likely INVALID or UNTRACKED to begin with. And that you can already
>>filter for in FORWARD.
>I do not get it... If a packet comes from the network then it is
>either goes [...] to FORWARD And there we have nat... If a packet
>comes from the local computer then it leaves out on the OUTPUT
>chain... And there we have nat again... So every packet should be
>tracked at the POSTROUTING chain...

Not every packet is tracked (cf. INVALID/UNTRACKED as I said above).

>Yes, I can filter at the FORWARD and the OUTPUT chain... But why
>can't I at the POSTROUTING??? I do not seek alternatives... (I found
>them... :D) I want to know why it is not "enabled" ???

Nobody needed it so far, because people can filter in FORWARD, and
active hooks have an associated runtime cost.
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux