On 24/08/10 15:44, Pascal Hambourg wrote:
Jonathan Tripathy wrote:
Ok, so as I understand Linux, and please correct me if I'm wrong, when a
packet comes into a physical interface on a Linux machine, regardless of
the status of the net.ipv4.conf.<interface>.forwarding, Linux will
always put the packet onto a "chain". This will either be the INPUT
chain or the FORWARD chain. Is that correct?
This is correct if you consider only the IP layer (IP stack, IP
packets). If you consider the link layer (bridging, VLAN, bonding,
tunnels...) things get more complicated.
Next, if the packet is destined for an IP of one of the local
interfaces, it puts it onto the INPUT chain, correct?
Correct.
However if the packet is destined for a non-local host, it puts it onto
the FORWARD chain, correct?
Only if net.ipv4.ip_forward=1 or net.ipv4.conf.<interface>.forwarding=1,
and the TTL is > 0 after being decremented. Otherwise the packet is
discarded before entering the FORWARD chain.
Then, when the packet is on the forward chain, it depends on if the
incoming interface is connected to a bridge or not.
No, it doesn't. In the IP stack, the interface type does not matter.
Only the routing table matters.
Jan's diagram pointed to by Karel Rericha explains paths in the IP layer
and the link layer. However bridge-netfilter (the capability to send
bridged packets through {ip,arp,ipv6}tables chains whereas they are not
processed by the IP stack) makes things a bit more complicated.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
I think what I am getting confused with is how am I able to use the
FORWARD chain in iptables with my bridge setup, even though forwarding
is disabled?
Thanks
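As an added example (not part of the original thread), here is a small POSIX shell diagnostic that encodes the rules Pascal spells out above, including the bridge-netfilter case that answers Jonathan's last question: a frame that is being bridged between two ports never reaches the routing decision, so net.ipv4.ip_forward is irrelevant to it, and it shows up in the iptables FORWARD chain only because br_netfilter hands bridged packets to iptables when net.bridge.bridge-nf-call-iptables=1. The classify_path function, its argument names and the fallback values are my own construction; the two sysctl names are the real ones, and the bridge one only exists once the br_netfilter module is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Encodes the packet-path rules
# from Pascal's reply and optionally checks the live sysctls of this host.

# classify_path IP_FORWARD BRIDGE_NF DST_LOCAL INGRESS_BRIDGED TTL
#   IP_FORWARD       0/1     value of net.ipv4.ip_forward
#   BRIDGE_NF        0/1     value of net.bridge.bridge-nf-call-iptables
#   DST_LOCAL        yes/no  destination IP belongs to this host
#   INGRESS_BRIDGED  yes/no  frame arrived on a bridge port and is being
#                            forwarded to another port of the same bridge
#   TTL              TTL of the arriving IP packet
# Prints the iptables chain the packet reaches, or why it never gets there.
classify_path() {
    ip_forward=$1; bridge_nf=$2; dst_local=$3; bridged=$4; ttl=$5

    # Bridged frames stay at the link layer and never hit the routing
    # decision, so ip_forward does not apply. Only bridge-netfilter can
    # push them through iptables, and then they appear in FORWARD.
    if [ "$bridged" = yes ]; then
        if [ "$bridge_nf" = 1 ]; then
            echo "FORWARD via bridge-netfilter (ip_forward irrelevant)"
        else
            echo "bridged at link layer, never seen by iptables"
        fi
        return 0
    fi

    # Routed path: a packet for one of our own addresses goes to INPUT.
    if [ "$dst_local" = yes ]; then
        echo "INPUT"
        return 0
    fi

    # Non-local destination: forwarding must be enabled and the TTL must
    # still be > 0 after decrement, otherwise the packet is dropped before
    # it ever enters FORWARD (an arriving TTL of 1 decrements to 0).
    if [ "$ip_forward" != 1 ]; then
        echo "dropped: forwarding disabled"
    elif [ "$ttl" -le 1 ]; then
        echo "dropped: TTL expired (ICMP time exceeded sent)"
    else
        echo "FORWARD via routing"
    fi
}

# Read a sysctl if this host has one; otherwise use a constructed fallback
# that mirrors the thread's setup (forwarding off, bridge-netfilter on).
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo "$2"
}

live_ip_forward=$(read_sysctl net.ipv4.ip_forward 0)
live_bridge_nf=$(read_sysctl net.bridge.bridge-nf-call-iptables 1)

echo "ip_forward=$live_ip_forward bridge-nf-call-iptables=$live_bridge_nf"
echo "routed, non-local, TTL 64: $(classify_path "$live_ip_forward" "$live_bridge_nf" no no 64)"
echo "bridged between two ports: $(classify_path "$live_ip_forward" "$live_bridge_nf" no yes 64)"
```

With bridge-netfilter active, rules that should apply only to the bridged path and not to routed traffic can be restricted with the physdev match (for example `-m physdev --physdev-is-bridged`), since on that path the packet's in/out interface from iptables' point of view is the bridge itself.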