Re: Why can't we use DNAT in the INPUT Chain?

On 19/08/2017 at 15:28, /dev/rob0 wrote:

> Network address translation (NAT) only happens in the "nat" table;
> this table has no "INPUT" nor "FORWARD" (note: spelling counts! ;) )
> for your use.

The nat table has had an INPUT chain for quite some time now. It allows doing SNAT, but not DNAT.

> Filtering is done in the "filter" table, which likewise, has no
> "PREROUTING" chain.  To some extent you could filter in the "raw"
> table, but there's not much benefit to that.

Among the benefits of early filtering in the raw table are:
- avoid the unnecessary conntrack processing and routing decision when the packet is to be dropped;
- process packets as they were received, before any transformation in the mangle and nat tables.

The former benefit can be useful to save CPU cycles on busy machines.
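As an added illustration (not part of the thread), the script below emits an iptables-restore ruleset that puts an early DROP in the raw table's PREROUTING chain, ahead of conntrack and the routing decision, and adds an SNAT rule in the nat table's INPUT chain. The interface name and the address ranges are constructed placeholders; swapping `-j SNAT` for `-j DNAT` in that INPUT rule is rejected by iptables, as the thread discusses.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, source range and
# SNAT address are constructed placeholders (TEST-NET ranges), override via env.
IFACE="${IFACE:-eth0}"
BLOCK_SRC="${BLOCK_SRC:-192.0.2.0/24}"
SNAT_TO="${SNAT_TO:-198.51.100.1}"

# Emit the ruleset. The raw PREROUTING rule sees the packet before conntrack
# creates an entry and before routing, so dropped traffic costs neither.
# The nat INPUT rule translates the source of locally delivered packets;
# nat INPUT accepts SNAT but not DNAT.
ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $IFACE -s $BLOCK_SRC -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A INPUT -i $IFACE -p tcp --dport 22 -j SNAT --to-source $SNAT_TO
COMMIT
EOF
}

# Self-check helper: count "-A" rules inside one table of the emitted ruleset.
rules_in_table() {
    ruleset | awk -v t="*$1" \
        '$0 == t {f=1; next} /^COMMIT/ {f=0} f && /^-A/ {n++} END {print n+0}'
}

# Only apply when explicitly asked and running as root; -n keeps other rules.
# Afterwards, "iptables -t raw -vnL PREROUTING" shows the early-drop counters.
if [ "$1" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    ruleset | iptables-restore -n
else
    ruleset
fi
```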
