On Friday 2011-08-26 11:13, Gáspár Lajos wrote: >>> >>> The main question is: Why do not we have such a table in the POSTROUTING >>> chain? >> >>If they did not go through nat, the packet's computed state was most >>likely INVALID or UNTRACKED to begin with. And that you can already >>filter for in FORWARD. > >I do not get it... If a packet comes from the network then it is >either goes [...] to FORWARD And there we have nat... If a packet >comes from the local computer then it leaves out on the OUTPUT >chain... And there we have nat again... So every packet should be >tracked at the POSTROUTING chain... Not every packet is tracked (cf. INVALID/UNTRACKED as I said above). >Yes, I can filter at the FORWARD and the OUTPUT chain... But why >can't I at the POSTROUTING??? I do not seek alternatives... (I found >them... :D) I want to know why it is not "enabled" ??? Nobody needed it so far, because people can filter in FORWARD, and active hooks have an associated runtime cost. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
