On Wed, 2 Jun 2004, Kevin D. White wrote:

> Netfilter is made up of 5 subsystems, Pre-routing,
> Input, Forward, Output and Post-routing. These
> subsystems are governed by three tables, nat, mangle,
> filter. The elements of these tables have the
> following characteristics. First there is a 'hook' or
> subsystem identifier (i.e. PREROUTING, INPUT, FORWARD,
> etc), then there is a condition and finally there is
> an Action/Target. All received packets begin in the
> Pre-routing subsystem, the Pre-routing subsystem
> accesses the nat table and looks for all its hooks
> (all elements with PREROUTING). Then the same is done
> with the mangle table. A routing decision is made,
> and the packet would either move into the Input
> subsystem or the Forward subsystem where the tables for
> those subsystems would be accessed and so on. All
> packets end up in the Post-routing subsystem before
> leaving an interface.

Sorry, but the wording used above is incorrect and misleading.
Netfilter is *not* made of five subsystems and PREROUTING etc are
definitely not subsystems of netfilter.

> I am intentionally ignoring user created hooks.

Just consider if you do not ignore user created chains (not hooks):
were they also netfilter "subsystems"?

Hooks, built-in chains, subsystems and tables are well covered in the
howtos and the tutorials. Please read them.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary