On Monday 10 June 2002 3:52 pm, Ramin Alidousti wrote:
> On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:
> > Hmmm. Okay - this is beyond my understanding of netfilter - can anyone
> > else suggest why icmp packets going through the machine would get logged
> > and processed by PREROUTING and FORWARD but not by POSTROUTING?
>
> Is it not because of the fact that the very first packet of a conn
> would go through the whole nat rule set and as soon as a rule is
> matched and a conn has been set up, the subsequent packets of that
> conn would not go through the whole rule set but get natted and
> de-natted by that entry? I thought I read this somewhere...
>
> So, if you also had a DNAT for that conn in PREROUTING, after the
> first initial packet (which sets up the dnat entry), no other packet
> of that conn would scan through the PREROUTING rule set including
> the LOG rule...
>
> However, the filter table is always consulted for each and every
> packet, that's why you see the LOG in the FORWARD chain...

I see what you're saying here, Ramin - basically anything which is being
'automatically' de-NATted because of an entry in the conntracking table doesn't
go through the ruleset because (a) that's inefficient, and (b) it might do
something which messes up the automatic de-NATting itself.

However, it seems like a bit of a 'gotcha' which should be better documented,
if you can't LOG any packet you want to, at every stage as it makes its way
through your machine...?

Antony.
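The rule Ramin states above (the nat table is walked only for the first packet of a connection, after which conntrack applies the stored NAT binding and skips the rules, while the filter table is walked for every packet) can be seen in a toy model. This is an added example, not code from the thread or from netfilter; the hook/table layout is simplified and the addresses are constructed, and it makes no claim about why nat POSTROUTING logged nothing in Antony's case.

```python
# Toy model (added example, not netfilter code) of nat-table traversal only on
# the first packet of a connection, versus filter-table traversal on every packet.
from collections import defaultdict

# Simplified: which table each hook consults (mangle left out for brevity).
TABLES_AT_HOOK = {
    "PREROUTING": ["nat"],
    "FORWARD": ["filter"],
    "POSTROUTING": ["nat"],
}

def default_rules():
    # (table, chain) -> ordered list of (predicate, target); LOG never terminates.
    return {
        ("nat", "PREROUTING"): [
            (lambda p: True, ("LOG",)),
            (lambda p: p["dst"] == "198.51.100.1", ("DNAT", "10.0.0.5")),  # constructed addrs
        ],
        ("filter", "FORWARD"): [(lambda p: True, ("LOG",))],
        ("nat", "POSTROUTING"): [(lambda p: True, ("LOG",))],
    }

def conn_key(p):
    # Conntrack identifies the flow by the packet as it arrived (pre-NAT addresses).
    return (p["src"], p["dst"], p["proto"])

def run(packets, rules=None):
    """Return ({(table, chain): LOG hits}, [packets as they leave the box])."""
    rules = default_rules() if rules is None else rules
    conntrack = {}          # flow key -> NAT binding decided by the first packet
    hits = defaultdict(int)
    out = []
    for p in packets:
        pkt = dict(p)
        key = conn_key(pkt)
        first = key not in conntrack
        binding = conntrack.setdefault(key, {})
        for chain, tables in TABLES_AT_HOOK.items():
            for table in tables:
                if table == "nat" and not first:
                    pkt.update(binding)   # apply the stored binding, skip the nat rules
                    continue
                for match, target in rules.get((table, chain), []):
                    if not match(pkt):
                        continue
                    if target[0] == "LOG":
                        hits[(table, chain)] += 1
                    elif target[0] == "DNAT":
                        binding["dst"] = pkt["dst"] = target[1]
                        break             # DNAT terminates the nat chain for this packet
        out.append(pkt)
    return dict(hits), out
```

Running three ICMP packets of one flow through it gives one nat PREROUTING hit but three filter FORWARD hits, which is the asymmetry the thread is about.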
