Re: Netfilter internal packet flow

-------- Original Message --------
> Date: Thu, 25 Mar 2010 11:14:18 +0100
> From: Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx>
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: Netfilter internal packet flow

> > According to my testing so far (linux kernel 2.6.26 / debian lenny),
> > the behaviour of these packets seems to contradict the documents and
> > graphics I have seen. Such packets seem to go through the INPUT and
> > OUTPUT chains of the FILTER table and through one or two chains of the
> > NAT table (I just can't remember exactly at the moment), but not through
> > the PREROUTING chain of the NAT table. This is confusing ...
> 
[...]
> When a packet is looped back, it reaches the conntrack confirm after
> POSTROUTING, so it skips the nat PREROUTING chain. Anyway that makes
> sense: if the destination could be changed in PREROUTING, the packet
> may need to be re-routed through another interface but I don't think
> there is a routing decision after PREROUTING for the loopback (routing
> decision already took place on output). If you need DNAT on loopback,
> you can do it in OUTPUT.

Pascal,

thank you very much for your valuable time and the comprehensive explanation. I think I have got it now. Nevertheless, it would be nice to have some sort of graphics comprising really all of the packet flow for future reference and for showing to others.

I have seen many kinds of such pictures, from obviously wrong to (what I would consider) high quality. But none of these pictures seems to originate from the netfilter / iptables developers, and I am still not sure if the graphics I have mentioned in my original post are correct in every aspect.

So does anyone know about "official" graphics or an "official" complete explanation of the packet flow in netfilter? Or a good book? The reference material which is mentioned on the netfilter homepage doesn't help me; it seems to be mostly outdated and incomplete.

Thank you very much,

Peter

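As an added example (not code from this thread or from the netfilter project), here is a way to check Pascal's description on your own kernel: put a LOG rule with a distinct prefix into every table:chain pair a locally generated, locally delivered packet could hit, ping 127.0.0.1, and read the chain sequence back out of the kernel log. The `nftrace` prefix and the sample dmesg lines are constructed for this example; loading the rules for real (DRY_RUN=0) needs root and the LOG target.

```shell
#!/bin/sh
# Added example: trace which netfilter chains a loopback packet really traverses.
# Every table/chain name below is iptables' own; the log prefix and SAMPLE_LOG are constructed.
# DRY_RUN=1 (default) only prints the iptables commands; DRY_RUN=0 loads them (root required).

# table:chain pairs in the order they would be hit if every hook were traversed
CHAINS="raw:OUTPUT mangle:OUTPUT nat:OUTPUT filter:OUTPUT mangle:POSTROUTING nat:POSTROUTING
raw:PREROUTING mangle:PREROUTING nat:PREROUTING mangle:INPUT filter:INPUT"

trace_rules() {  # print (DRY_RUN=1) or apply one LOG rule per table:chain, lo echo-requests only
  for tc in $CHAINS; do
    table=${tc%%:*}; chain=${tc##*:}
    case $chain in PREROUTING|INPUT) iface="-i lo" ;; *) iface="-o lo" ;; esac
    cmd="iptables -t $table -I $chain 1 $iface -p icmp --icmp-type echo-request -j LOG --log-prefix \"nftrace $tc \""
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

chain_path() {  # stdin: kernel log (dmesg); stdout: the table:chain sequence that logged, in order
  sed -n 's/.*nftrace \([a-z]*:[A-Z]*\) .*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

missing_chains() {  # stdin: kernel log; stdout: entries of CHAINS that never logged
  path=" $(chain_path) "
  for tc in $CHAINS; do
    case "$path" in *" $tc "*) ;; *) echo "$tc" ;; esac
  done
}

# Constructed sample of what dmesg shows for one echo request to 127.0.0.1 when the packet
# behaves as Pascal describes: conntrack confirms it after POSTROUTING, so the nat table
# (consulted only for the first packet of a new connection) is not consulted again in PREROUTING.
SAMPLE_LOG='[12.001] nftrace raw:OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.001] nftrace mangle:OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.001] nftrace nat:OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.001] nftrace filter:OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.001] nftrace mangle:POSTROUTING IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.001] nftrace nat:POSTROUTING IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.002] nftrace raw:PREROUTING IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.002] nftrace mangle:PREROUTING IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.002] nftrace mangle:INPUT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[12.002] nftrace filter:INPUT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8'

trace_rules                                   # the rules to load (or loaded, with DRY_RUN=0)
printf '%s\n' "$SAMPLE_LOG" | missing_chains  # -> nat:PREROUTING
```

To run it for real, source the script with DRY_RUN=0 as root, `ping -c1 127.0.0.1`, then feed `dmesg` into `missing_chains` to see which chains your kernel skips; delete the LOG rules afterwards with the matching `-D` commands. If you do need DNAT for loopback traffic, Pascal's advice above still stands: put the rule in nat OUTPUT, the chain the trace shows is actually consulted.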
