Hello. I am trying to set up a system where a netfilter module that is built into the kernel is the only thing that can mangle the packet eventually. In other words, if the user mangles the packet, the kernel can mangle it later, but no other netfilter/iptables module can mangle it after the kernel mangles it. Does that make sense? How can I impose such a rule? Is there a way to do something like that? I'm using SELinux, by the way, and if you know of a way to do that in SELinux, that would be fine, too.

Also, another thing: is there a way for a program to send a packet directly to the interface, thereby bypassing the iptables rules that I set up? If there is, is there a way to prevent it?

Thank you.
John