Hi all,

I am trying to write a userspace packet manipulator using libnetfilter_queue and ran into this problem. I compiled nfqnl_test.c and added the following ICMP rule to iptables:

    iptables -A INPUT -s 0/0 -p ICMP -j NFQUEUE

so now my table looks like:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    NFQUEUE    icmp --  anywhere             anywhere            NFQUEUE num 0

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

The callback in nfqnl_test.c fires regardless of whether the machine is SENDING or RECEIVING PINGs.

I thought the rule 'iptables -A INPUT…' hooks NFQUEUE to the INPUT chain, meaning *only* the incoming ICMP packets get queued. And when I PING /from/ the machine, it should only go through the OUTPUT chain (and subsequently the POSTROUTING chain). So why would the callback in nfqnl_test.c get called on both incoming and outgoing PINGs?

Am I having some fundamental misunderstanding of the iptables rules?
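An added example, not part of the original post or of nfqnl_test.c: a helper that reads the ICMP type from the IPv4 payload the queue callback receives (as returned by nfq_get_payload()), so each queued packet can be labelled. An echo reply answering a ping sent from the machine is itself an incoming packet and traverses INPUT. The function names and the sample packets (documentation addresses, checksums left at zero) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: return the ICMP type of an IPv4 packet
 * (0 = echo reply, 8 = echo request, ...), or -1 if the buffer is not
 * a well-formed, unfragmented-or-first-fragment IPv4/ICMP packet. */
int icmp_type_of(const unsigned char *pkt, size_t len)
{
    if (pkt == NULL || len < 20)
        return -1;                          /* shorter than an IPv4 header */
    if ((pkt[0] >> 4) != 4)
        return -1;                          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)
        return -1;                          /* bad IHL or truncated ICMP header */
    if (pkt[9] != 1)
        return -1;                          /* IP protocol 1 = ICMP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return -1;                          /* later fragment: no ICMP header */
    return pkt[ihl];
}

/* Hypothetical helper: what the type says about who started the ping. */
const char *icmp_hint(int type)
{
    switch (type) {
    case 8:  return "echo request: a remote host is pinging this machine";
    case 0:  return "echo reply: answer to a ping sent from this machine";
    case -1: return "not a parsable IPv4/ICMP packet";
    default: return "other ICMP message";
    }
}

/* Constructed samples: 20-byte IPv4 header + 8-byte ICMP echo header. */
const unsigned char sample_request[28] = {
    0x45,0,0,28, 0,1,0,0, 64,1,0,0, 192,0,2,10, 192,0,2,1,
    8,0,0,0, 0,1,0,1 };                     /* remote -> local, type 8 */
const unsigned char sample_reply[28] = {
    0x45,0,0,28, 0,2,0,0, 64,1,0,0, 192,0,2,10, 192,0,2,1,
    0,0,0,0, 0,1,0,1 };                     /* remote -> local, type 0 */

int main(void)
{
    printf("%s\n", icmp_hint(icmp_type_of(sample_request, sizeof sample_request)));
    printf("%s\n", icmp_hint(icmp_type_of(sample_reply, sizeof sample_reply)));
    return 0;
}
```

Called on the payload inside the callback, this shows whether a queued packet is a request from a remote host or a reply to a local ping; both match a rule on INPUT.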