Hi All,
There are some statements that PREROUTING modifications are not possible
on packets transmitted via loopback. It seems that there is some kind of
"short-circuit" when sending packets from localhost to localhost, I
guess for speed advantage.
The image
http://upload.wikimedia.org/wikipedia/de/5/5f/Nfk-traversal.png states
that a packet would have to enter the kernel with ip_rcv to pass the
complete netfilter architecture again, but loopback uses netif_rx(skb)
to feed back sent packets.
Is the assumption correct that a modified loopback module or some other
virtual network module could feed back packets in a way that they pass
the complete filtering architecture, or would the local routing tables make
any such efforts useless (even when local routing is modified)? Has someone
already used such a thing for iptables testing? Or would two connected
tun devices (local tunnel) do the trick?
greetings, Roman
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
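The following is an added example for the question raised in the post; it is not code from the post or from the netfilter project. Instead of the two connected tun devices the post suggests, it uses a veth pair with one end moved into a separate network namespace (an assumption beyond the post), so that replies from the "remote" local endpoint arrive on a real ingress device and traverse PREROUTING like traffic from another host, rather than taking the loopback path. All interface names, the namespace name, the 10.199.0.0/24 addresses and the rule comment are constructed lab values. A counting rule in the mangle PREROUTING chain shows whether the hook was actually hit, and `probe_packet_count` reads that counter from `iptables -t mangle -L PREROUTING -v -n -x` output.

```shell
#!/bin/sh
# Added example (not from the original post): route local test traffic over a
# veth pair into a second network namespace so it passes PREROUTING instead of
# the loopback short-circuit. Names and addresses are assumed lab values.
set -u

LAB_NS="nftest-peer"                  # assumed namespace name for the peer end
VETH_HOST="nft0"                      # assumed host-side veth name
VETH_PEER="nft1"                      # assumed peer-side veth name
HOST_IP="10.199.0.1"                  # assumed RFC 1918 lab addresses
PEER_IP="10.199.0.2"
PROBE_COMMENT="nftest-prerouting-probe"   # assumed rule tag used to find the counter

# Build the lab: veth pair, peer end in its own namespace, and a counting rule
# in the host's mangle PREROUTING chain that matches replies from the peer.
# Requires root (CAP_NET_ADMIN), iproute2 and iptables.
setup_lab() {
    ip netns add "$LAB_NS" || return 1
    ip link add "$VETH_HOST" type veth peer name "$VETH_PEER" || return 1
    ip link set "$VETH_PEER" netns "$LAB_NS" || return 1
    ip addr add "$HOST_IP/24" dev "$VETH_HOST" || return 1
    ip link set "$VETH_HOST" up || return 1
    ip -n "$LAB_NS" addr add "$PEER_IP/24" dev "$VETH_PEER" || return 1
    ip -n "$LAB_NS" link set "$VETH_PEER" up || return 1
    ip -n "$LAB_NS" link set lo up || return 1
    # This rule only increments if packets from the peer enter via ip_rcv on
    # nft0; traffic between two addresses of the same namespace never gets here.
    iptables -t mangle -I PREROUTING -i "$VETH_HOST" -s "$PEER_IP" \
        -m comment --comment "$PROBE_COMMENT" -j MARK --set-mark 0x1 || return 1
}

# Remove the rule, the veth pair (deleting one end removes both) and the namespace.
teardown_lab() {
    iptables -t mangle -D PREROUTING -i "$VETH_HOST" -s "$PEER_IP" \
        -m comment --comment "$PROBE_COMMENT" -j MARK --set-mark 0x1 2>/dev/null
    ip link del "$VETH_HOST" 2>/dev/null
    ip netns del "$LAB_NS" 2>/dev/null
}

# Read `iptables -t mangle -L PREROUTING -v -n -x` output on stdin and print the
# packet counter (first column) of the line carrying the probe comment, which
# iptables renders as "/* <comment> */". Prints nothing if the rule is absent.
probe_packet_count() {
    awk -v tag="/* $PROBE_COMMENT */" 'index($0, tag) { print $1; exit }'
}

# Send three echo requests to the peer namespace; the three echo replies must
# cross PREROUTING on nft0, so the counter is expected to read 3.
run_probe() {
    ping -c 3 -W 1 "$PEER_IP" >/dev/null 2>&1
    iptables -t mangle -L PREROUTING -v -n -x | probe_packet_count
}

# Run the whole experiment only when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    trap teardown_lab EXIT
    setup_lab || { echo "lab setup failed (needs root, iproute2, iptables)" >&2; exit 1; }
    echo "PREROUTING probe rule matched $(run_probe) packets from $PEER_IP"
fi
```

Run it as root with `sh thisscript.sh run`; a count of 3 confirms that the peer's replies took the ip_rcv path through PREROUTING, while the same ping to an address on lo would leave the counter at 0 because those packets never traverse the chain.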