Hello,

Christoph Anton Mitterer wrote:
>
> How does netfilter decide which in/out-interface a packet has?

It doesn't. The packet decides which input interface it arrives on, and the routing decision decides which output interface it leaves.

> I mean the following:
> Imagine I have a host with the following interfaces and addresses:
> lo: 127.x.x.x and :1/128
> eth0: 88.88.88.88
> 99.99.99.99 is a remote address (packets come in via eth0)
>
> Now consider the following cases (source --> destination):
> "internal traffic":
> 127.x.x.x --> 127.x.x.x => quite clear, in=lo out=lo
> 127.x.x.x --> 88.88.88.88 => in=??? out=???
> 88.88.88.88 --> 88.88.88.88 => in=??? out=???
> 88.88.88.88 --> 127.x.x.x => in=??? out=???

lo in all cases.

> "incoming traffic (from remote):
> 99.99.99.99 --> 127.x.x.x => is that possible at all? how would
> the in=/out= be?

eth0, but the packet is discarded after PREROUTING by the input routing decision which prohibits receiving a packet with a loopback address from outside (a non loopback interface).

> 99.99.99.99 --> 88.88.88.88 => quite clear, in=eth0 out=n/a

Yup.

> "outgoing traffic (to remote):
> 127.x.x.x --> 99.99.99.99 => is that possible at all?

Not possible, the output routing decision prohibits sending a packet with a loopback address outside the host (on a non loopback interface).

> 88.88.88.88 --> 99.99.99.99 => quite clear, in=n/a out=eth0

Yup.
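
The cases answered in this message, written as a small decision model. This is an added example, not part of the original message and not netfilter code; it assumes default kernel behaviour, the function and constant names are hypothetical, and 127.0.0.1 stands in for the thread's 127.x.x.x.

```python
import ipaddress

# Constructed from the thread: the host owns 88.88.88.88 on eth0.
LOCAL_ADDRS = {"88.88.88.88"}
UPLINK = "eth0"


def _is_loopback(addr):
    return ipaddress.ip_address(addr).is_loopback


def _is_local(addr):
    """True for any address owned by the host, loopback included."""
    return _is_loopback(addr) or addr in LOCAL_ADDRS


def interfaces(src, dst, arrived_on=None):
    """Return (in_iface, out_iface, verdict) as -i/-o rule matches would see them.

    arrived_on=None means the packet is generated by the host itself;
    otherwise it names the interface the packet was received on.
    """
    if arrived_on is None:
        # Locally generated: the output routing decision picks the interface.
        if _is_local(dst):
            # Every address of the host is reached through lo, so the packet
            # leaves with out=lo and is received again with in=lo.
            return ("lo", "lo", "delivered locally")
        if _is_loopback(src):
            # A loopback source may not leave on a non-loopback interface.
            return (None, None, "refused by output routing")
        return (None, UPLINK, "sent")

    # Received from the wire: the input interface is where it arrived.
    if _is_loopback(src) or _is_loopback(dst):
        # PREROUTING still sees it with in=arrived_on; the input routing
        # decision then discards it, so INPUT rules never match.
        return (arrived_on, None, "discarded after PREROUTING")
    if _is_local(dst):
        return (arrived_on, None, "delivered locally")
    # Forwarding is outside this model and is not discussed in the thread.
    return (arrived_on, None, "not addressed to this host")


if __name__ == "__main__":
    for src, dst, dev in [("88.88.88.88", "88.88.88.88", None),
                          ("99.99.99.99", "127.0.0.1", "eth0"),
                          ("127.0.0.1", "99.99.99.99", None)]:
        print(src, "-->", dst, interfaces(src, dst, dev))
```

For firewall rules the practical consequence is that traffic between the host's own addresses has to be matched on `lo`, even when both addresses belong to `eth0`.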