On Wednesday 2010-08-04 16:25, Alex Bligh wrote: > >>>> Did you read http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and >>>> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png ? >>> >>> A useful improvement to those would be documenting where libpcap >>> (which does both input and, less well known, output) samples/injects >>> packets. I /think/ sampling is right on the left and injection right >>> on the right. >> >> pcap grabbing and injection is completely outside any of the graphs >> currently floating around. > > If by 'outside' you mean 'to the extreme left or extreme right' > that was my conclusion. But the absence of any documentation means > this makes debugging with tcpdump (for instance) harder > because you don't know where you are sampling. Well perhaps not extreme. If you inject into a tunnel, it may well walk through Xtables after all - but then of course, only in its encapsulated form. > I'm not 100% sure it is completely outside though. For instance, > if you do tcdump on a bridge device (as opposed to the corresponding > physical participant interface), isn't that after ingress ebtales > processing, but before egress? IE is in the graph somewhere. Huh, all once investigated already. See http://jengelh.medozas.de/images/nf-packet-flow.png for where in/egress happen to be. :) -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html