Vineet sez:
No, that's how it was for ipchains, but not under the 2.4 series kernel's netfilter system. It looks kinda like this:
PREROUTING OUTPUT-------------+ | | v v (routing decision)------->FORWARD------->(routing decision)--+ | | | | | v +->INPUT<------------------------------------+ POSTROUTING
^^^^^^^^^^^^^^^^^^^^
Should this connection be here? Can a packet really get into INPUT from the right side? It can't come through FORWARD; I guess it can come from OUTPUT. If that's the case, then maybe it shouldn't pass through the same routing decision as one from FORWARD. Should it look more like this? Oh, I just noticed. Does it really go through *two* routing decisions if it's in the FORWARD path? Maybe that second one shouldn't be there.
Incoming | | v PREROUTING | v (routing decision)------->FORWARD------->(routing decision)--------------+ | | | | v v INPUT<--------------------(routing decision)------------------->POSTROUTING | ^ | | | | | | | | OUTPUT | | ^ | v | v Local Process x Local Process y Outgoing
The second question is: what is the effect of a rule like this:
iptables -A OUTPUT --out-interface eth0 blah blah blah
How can it know what the output interface is going to be before it's been through the routing decision? Have I got OUTPUT and its routing decision in the wrong order? I guess in that case I'd still need the branch point between INPUT and POSTROUTING. Is it maybe the case that "routing decision" and "branch in this diagram based on a routing decision" are separate concepts? This is complex!!
Thanks, guys, I'm not a kernel hacker.
--
-------------------------------------------------------------
Jimmy Wilkinson | Perfesser of Computer Science
[EMAIL PROTECTED] | The College of Charleston
(843) 953-8160 | Charleston SC 29424
If there is one word to describe me, that word would have to be "profectionist". Any form of incompitence is an athema to me. Metathesis??? Don't ax me.
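An added example (not from the post or from the netfilter project): a small Python model of the 2.4-series netfilter hook order that walks the three packet paths through constructed interfaces and routes, showing why `-o` is meaningful in OUTPUT (the routing decision comes first) and why a forwarded packet never reaches INPUT.

```python
import ipaddress

# Hook order as 2.4-series netfilter applies it ("ROUTE" = routing decision).
# A locally generated packet is routed *before* OUTPUT, so its out-interface
# is already known there; a forwarded packet never enters INPUT.
PATHS = {
    "local-in": ["PREROUTING", "ROUTE", "INPUT"],
    "forward": ["PREROUTING", "ROUTE", "FORWARD", "POSTROUTING"],
    "local-out": ["ROUTE", "OUTPUT", "POSTROUTING"],
}
# Chains in which iptables accepts -o (after routing) and -i (before/at input).
OUT_OK = {"FORWARD", "OUTPUT", "POSTROUTING"}
IN_OK = {"PREROUTING", "INPUT", "FORWARD"}

# Constructed routing table: destination prefix -> outgoing interface.
ROUTES = {"10.0.0.0/24": "eth0", "192.168.1.0/24": "eth1"}

def route(dst):
    """Routing decision: longest-prefix match over ROUTES (None if no route)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def rule_allowed(chain, in_iface=None, out_iface=None):
    """Mirror iptables' check: -o only where routing has happened, -i only before."""
    return (not out_iface or chain in OUT_OK) and (not in_iface or chain in IN_OK)

def add_rule(rules, chain, target, in_iface=None, out_iface=None):
    """Append a (chain, -i, -o, target) rule after the same sanity check."""
    if not rule_allowed(chain, in_iface, out_iface):
        raise ValueError(f"-i/-o not valid in chain {chain}")
    rules.append((chain, in_iface, out_iface, target))

def traverse(path, dst, in_iface, rules):
    """Walk the hooks for one packet; return (chains visited, verdict)."""
    seen, out_iface = [], None
    for hook in PATHS[path]:
        if hook == "ROUTE":
            out_iface = route(dst)  # out-interface is known from here on
            continue
        seen.append(hook)
        for chain, r_in, r_out, target in rules:  # first matching DROP wins
            if (chain == hook and r_in in (None, in_iface)
                    and r_out in (None, out_iface) and target == "DROP"):
                return seen, "DROP"
    return seen, "ACCEPT"
```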