Hi,

My question is related to the sequence in which rules are evaluated in the Linux Kernel with Netfilter. I'm aware of chains (INPUT, OUTPUT, FORWARD ...) and also tables (filter, nat and mangle) and how they're related.

But my question is: imagine a single packet passing through the machine (PRE_ROUTING, FORWARDING and POST_ROUTING chains). Suppose also that I've got rules in mangle table at PRE_ROUTING, nat at PREROUTING, and in nat at POSTROUTING. So this packet should be evaluated first in mangle at PRE_ROUTING. If a match happens, what happens (besides the rule match action)?

1. The packet continues its flow and it's also evaluated in NAT at PREROUTING as well as NAT at POSTROUTING (if it passes the rules, of course)
2. Or the filter stops evaluating at the VERY FIRST match, without caring about other possible matches within other tables at the other chains?

Putting it in a simple way, is the packet evaluated under a unique single rule list or several rule lists -- one for each chain?

Thank you all in advance.

Best Regards,
Jürgen