On 07/04/2017 08:53 PM, Pascal Hambourg wrote:
> On 04/07/2017 at 03:14, Robert White wrote:
>>
>> I've honestly got no clue why you can't use --in-interface in a
>> POSTROUTING chain.
>
> Because the POSTROUTING chains also see packets that are generated
> locally and have no input interface.

Wouldn't that just be a mismatch then? Equivalent to a NULL (in the database usage of the term), where all tests against a missing interface simply fail. In the alternative, locally generated packets would seem to come from the loop/local interface.

I suppose the mismatch logic could be expensive, though; I don't know where this code base's relative efficiencies lie.

Of course, this idea may be well-travelled and settled ground.