Jonathan Tripathy wrote:
>
> Ok, so as I understand Linux, and please correct me if I'm wrong, when a
> packet comes into a physical interface on a Linux machine, regardless of
> the status of the net.ipv4.conf.<interface>.forwarding, Linux will
> always put the packet onto a "chain". This will either be the INPUT
> chain or the FORWARD chain. Is that correct?

This is correct if you consider only the IP layer (IP stack, IP packets).
If you consider the link layer (bridging, VLAN, bonding, tunnels...) things get more complicated.

> Next, if the packet is destined for an IP of one of the local
> interfaces, it puts it onto the INPUT chain, correct?

Correct.

> However if the packet is destined for a non-local host, it puts it onto
> the FORWARD chain, correct?

Only if net.ipv4.ip_forward=1 or net.ipv4.conf.<interface>.forwarding=1, and the TTL is > 0 after being decremented. Otherwise the packet is discarded before entering the FORWARD chain.

> Then, when the packet is on the forward chain, it depends on if the
> incoming interface is connected to a bridge or not.

No, it doesn't. In the IP stack, the interface type does not matter. Only the routing table matters.

Jan's diagram pointed to by Karel Rericha explains paths in the IP layer and the link layer. However bridge-netfilter (the capability to send bridged packets through {ip,arp,ipv6}tables chains whereas they are not processed by the IP stack) makes things a bit more complicated.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
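The IP-layer decision this reply describes (local address goes to INPUT; a non-local destination reaches FORWARD only when forwarding is enabled on the inbound interface and the decremented TTL is still positive, otherwise the packet is discarded before FORWARD) is modelled below as an added Python example. It is not code from this thread or from the kernel: the `Host`, `Packet` and `classify` names, the sample addresses and routes, and the simplification that the global `ip_forward` or the per-interface `forwarding` flag is enough (as the reply states it) are all assumptions of this example. It ignores the link layer and bridge-netfilter entirely, which is exactly the "IP stack only" view the reply says the question is correct for.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str        # destination IPv4 address
    ttl: int        # TTL as the packet arrived
    in_iface: str   # interface the packet came in on


@dataclass
class Host:
    # iface -> addresses configured on it (constructed sample data)
    local_addrs: Dict[str, List[str]]
    # routing table as (network, out_iface); longest prefix wins
    routes: List[Tuple[str, str]]
    ip_forward: bool = False                       # net.ipv4.ip_forward
    iface_forwarding: Dict[str, bool] = field(default_factory=dict)  # net.ipv4.conf.<iface>.forwarding

    def forwarding_enabled(self, iface: str) -> bool:
        # Assumption taken from the reply: either flag being 1 is sufficient.
        return self.ip_forward or self.iface_forwarding.get(iface, False)

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix route lookup; returns the outgoing interface or None."""
        addr = ip_address(dst)
        best = None
        for net, out in self.routes:
            n = ip_network(net)
            if addr in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, out)
        return best[1] if best else None


def classify(host: Host, pkt: Packet) -> Tuple[str, str]:
    """Which iptables chain (or DROP) a packet reaches after the routing decision.

    Returns ("INPUT" | "FORWARD" | "DROP", reason). The PREROUTING hook, which
    every packet traverses before this decision, is not modelled here.
    """
    # 1. Routing decision: destined for one of our own addresses -> INPUT.
    for iface, addrs in host.local_addrs.items():
        if pkt.dst in addrs:
            return "INPUT", f"local address on {iface}"

    # 2. Non-local destination: without forwarding on the inbound interface
    #    the packet never reaches FORWARD, so FORWARD rules cannot see it.
    if not host.forwarding_enabled(pkt.in_iface):
        return "DROP", "forwarding disabled on inbound interface"

    out = host.lookup(pkt.dst)
    if out is None:
        return "DROP", "no route to destination"

    # 3. TTL is decremented; if it reaches 0 the packet is discarded
    #    (time exceeded) before entering FORWARD.
    new_ttl = pkt.ttl - 1
    if new_ttl <= 0:
        return "DROP", "TTL expired after decrement"

    return "FORWARD", f"out {out}, ttl {new_ttl}"


def sample_host(forwarding: bool = False) -> Host:
    """Constructed two-interface host: 192.0.2.1 on eth0, 198.51.100.1 on eth1."""
    return Host(
        local_addrs={"eth0": ["192.0.2.1"], "eth1": ["198.51.100.1"]},
        routes=[("192.0.2.0/24", "eth0"), ("198.51.100.0/24", "eth1")],
        ip_forward=forwarding,
    )


if __name__ == "__main__":
    for fwd in (False, True):
        host = sample_host(fwd)
        print(f"ip_forward={int(fwd)}")
        for pkt in (Packet("192.0.2.1", 64, "eth0"),      # to a local address
                    Packet("198.51.100.7", 64, "eth0"),   # to a host behind eth1
                    Packet("198.51.100.7", 1, "eth0"),    # same, but TTL about to expire
                    Packet("203.0.113.9", 64, "eth0")):   # no route
            print(f"  {pkt.dst:<14} ttl={pkt.ttl:<3} -> {classify(host, pkt)}")
```

Running it with `ip_forward=0` shows that only the packet addressed to a local interface reaches a chain at all (INPUT); every non-local packet is discarded before FORWARD, which is why FORWARD rules never fire on a host with forwarding off. With `ip_forward=1` the same non-local packet reaches FORWARD with its TTL reduced by one, unless it arrived with TTL 1.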