If all these machine are on the same subnet, connected by a hub, then there is no need for the packets to go through 192.168.0.2 because they do not require routing. Consequently, they cannot be processed by the firewall. The flow is this: 192.168.0.1 -> HUB -> 192.168.0.3. -----Original Message----- From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Xinwen Fu Sent: Tuesday, March 02, 2004 9:27 PM To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: missed packets Hi, I have three machines in the same subnet (i.e., 192.168.0.1, 192.168.0.2 and 192.168.0.3). The three machines are collected by a hub. So they can communicate with each other directly. Now 192.168.0.1 wants to send a packet to 192.168.0.3. I use "iptables -t mangle -A OUTPUT -j QUEUE" to forward the packet to the user space, where a program changes the destination of this packet to 192.168.0.2. Of course, I change checksum accordingly here and in later steps. When 192.168.0.2 receives the packet, I use iptables -t mangle -A PREROUTING -j QUEUE to forward the packet to the user space, where the destination of the packet is changed to 192.168.0.3. But I could not see any packet sent out by 192.168.0.2 and 192.168.0.2 does receive the packet from 192.168.0.1. What is the possible problem? Thanks! Xinwen Fu
