My impression (please correct me if I'm wrong) is that pre is supposed to catch packets coming into the box and post is supposed to catch those going out.
I believe postrouting currently happens before a packet is queued for output. I think it would be better to delay this until after it is dequeued. This would improve accuracy. In particular, the packets that are dropped in queuing should not be processed as outgoing.

I'm interested in hearing any counterarguments, and especially things that would be broken by this change. One problem is that it's possible for the same packet to be dequeued twice. Therefore it's important that the processing after dequeue be idempotent. Does anyone know of any actual code that would be impacted by this additional requirement?

The main reason I'd like to make this change is that, as part of a packet flooding defense, I expect to drop a lot of packets (at least during an attack) in the queuing section. This would also serve to partly defend the stuff that runs in the postrouting hook, since it would no longer be subject to attack from the packets that were being dropped. In particular, something like a SYN flood can be seen as an attack on connection tracking (trying to use up all available connections), so by rate limiting SYNs you also protect against that attack -- if new tcp connections are allocated only for the packets that are dequeued.

BTW, I'm trying to find out by reading the code, but it would help if I could just find some documentation, or for that matter if someone would just tell me the answers. What code is actually run at which places? At the moment I'm mostly interested in conntrack and nat. I understand why dnat has to be done pre-routing. I don't see why snat couldn't also be done there.

It occurs to me that when you start taking drops into account, conntrack could/should really track at least two different states, and maybe more. The real question is what states the two different ends of the connections could be in. The packets that come in show something about the state the sender was in when it sent those packets; the packets that go out tell us something about what states the receiver could be in after receiving them (if it does receive them). Any pointers to discussion of these issues are appreciated.
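As an added illustration, not from the original message or the kernel, here is a toy Python model of the two hook placements the post contrasts: the postrouting hook running before a packet is queued versus only after it is dequeued, with a tail-dropping output queue, a small conntrack-style table, and a driver that occasionally requeues so that one packet is dequeued twice. The queue length, table size, drain rate and the flood itself are all constructed values.

```python
from collections import deque
QUEUE_LEN = 4    # constructed: tiny output queue so tail drops are visible
TABLE_MAX = 8    # constructed: tiny conntrack-style table so exhaustion is visible
DRAIN_EVERY = 3  # constructed: the device sends one packet per three arrivals (a flood)
BUSY_EVERY = 5   # constructed: every fifth dequeue the driver is busy and requeues

def simulate(packets, hook_after_dequeue):
    """Push (pkt_id, is_syn) packets through an output queue that tail-drops.
    Returns (tracked, sent, dropped): ids holding a conntrack entry, ids
    transmitted, ids dropped. hook_after_dequeue selects the hook placement."""
    conntrack, queue = set(), deque()
    sent, dropped, dequeues = [], [], 0

    def postrouting(pkt):
        # Conntrack-style work: allocate an entry for a new SYN. Idempotent by
        # construction: a second pass for an already tracked id is a no-op.
        pid, is_syn = pkt
        if is_syn and pid not in conntrack:
            if len(conntrack) >= TABLE_MAX:
                return False                  # table exhausted, cannot track
            conntrack.add(pid)
        return True

    def dequeue_one():
        nonlocal dequeues
        if not queue: return
        pkt = queue.popleft()
        dequeues += 1
        if hook_after_dequeue and not postrouting(pkt):
            dropped.append(pkt[0])
            return
        if dequeues % BUSY_EVERY == 0:        # driver busy: requeue, hook sees it again
            queue.appendleft(pkt)
            return
        sent.append(pkt[0])

    for i, pkt in enumerate(packets, 1):
        if not hook_after_dequeue and not postrouting(pkt):
            dropped.append(pkt[0])            # current placement: hook before queueing
        elif len(queue) >= QUEUE_LEN:
            dropped.append(pkt[0])            # tail drop; entry already held if hook ran
        else:
            queue.append(pkt)
        if i % DRAIN_EVERY == 0:
            dequeue_one()
    while queue:
        dequeue_one()
    return sorted(conntrack), sent, dropped

def syn_flood(n):
    return [(i, True) for i in range(n)]      # constructed flood: every packet is a SYN
```

With the hook before the queue, entries are held by packets that never leave the box; with the hook after dequeue, every table entry belongs to a transmitted packet and the requeued packet is processed twice without a duplicate entry.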