Re: nat INPUT chain not used for local-to-local packets


 



I suspect that's why nobody identified this behavior in the nat table. The nat INPUT table didn't even originally exist in early 2.6 kernels and is rarely used in general.

But given that it exists, the question is whether this is how it's supposed to behave.

On 5/15/19 01:06, Andre Paulsberg-Csibi wrote:
Was that really meant for the NAT table and not the FILTER table?

Packets on interface LO rarely end up in the NAT table, from my experience ...


Best regards
André Paulsberg-Csibi
Senior Network Engineer - IBM Services AS









From: zrm <zrm@xxxxxxxxxxxxxxx>
To: "netfilter@xxxxxxxxxxxxxxx" <netfilter@xxxxxxxxxxxxxxx>
Date: 15/05/2019 06:30
Subject: nat INPUT chain not used for local-to-local packets
Sent by: netfilter-owner@xxxxxxxxxxxxxxx
------------------------------------------------------------------------



I added this rule:

iptables -t nat -A INPUT -p icmp -j LOG

Then when I ping localhost, nothing is logged. If I add the same rule to
nat POSTROUTING, then the packet is logged, implying that nat
POSTROUTING is being traversed for locally-destined locally-generated
packets rather than nat INPUT.

This is not what I would have expected from the documentation.

I tried the same thing with the same chains in the mangle table and in
that case POSTROUTING and INPUT are *both* traversed for local-to-local
packets.

Is this (including the inconsistency between nat and mangle) the
intended behavior for some reason or is it a bug?
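The following reproduction script is an added example; it is not from the thread, nor part of iptables itself. It generalises the single LOG rule in the original message to counting rules in all four chains the thread compares (nat INPUT, nat POSTROUTING, mangle INPUT, mangle POSTROUTING), sends one ping to 127.0.0.1 and prints how many ICMP packets each chain saw, so the nat/mangle difference is visible in one run. The helper names (parse_pkts, add_counters, remove_counters, report, probe) are this example's own, and it assumes root, a working iptables binary (legacy or nft-backed, the -vnxL listing format is the same) and that loopback is 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the nat vs. mangle
# chain-traversal observation for locally generated, locally delivered ICMP.
# Rules are installed without a target, so they only count packets.
# Assumes: root, iptables available, loopback at 127.0.0.1.

# table:chain pairs to probe (chain names as used in the thread)
CHAINS="nat:INPUT nat:POSTROUTING mangle:INPUT mangle:POSTROUTING"

# parse_pkts LISTING
# Extract the packet counter of the first rule from the output of
# `iptables -t TABLE -vnxL CHAIN`. The "Chain ..." and "pkts bytes ..."
# header lines do not start with a number, so they are skipped; an empty
# chain yields 0. Pure shell/awk so it can be exercised without iptables.
parse_pkts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# add_counters: insert a counting-only "-p icmp" rule at the top of each
# probed chain so it is evaluated before any pre-existing rule.
add_counters() {
    for tc in $CHAINS; do
        iptables -t "${tc%%:*}" -I "${tc##*:}" 1 -p icmp
    done
}

# remove_counters: delete the rules again (also run on exit by the trap).
remove_counters() {
    for tc in $CHAINS; do
        iptables -t "${tc%%:*}" -D "${tc##*:}" -p icmp 2>/dev/null
    done
}

# report: print "table/chain  pkts" for every probed chain.
report() {
    for tc in $CHAINS; do
        t=${tc%%:*}; c=${tc##*:}
        n=$(parse_pkts "$(iptables -t "$t" -vnxL "$c")")
        printf '%-18s %s\n' "$t/$c" "$n"
    done
}

# probe: install counters, ping loopback once, report, clean up.
probe() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "probe: must run as root" >&2
        return 1
    fi
    add_counters
    trap remove_counters EXIT
    ping -c 1 -W 1 127.0.0.1 >/dev/null
    report
}

# Only run the probe when invoked as `sh script.sh run`, so sourcing the
# file to use parse_pkts has no side effects.
if [ "${1:-}" = run ]; then
    probe
fi
```

Counter values are not directly comparable between the two tables: the nat table is consulted only for the first packet of a conntrack connection, so nat POSTROUTING is expected to show 1 (the echo request), while the mangle chains see both the request and the reply and show 2. The figure to look at for the question raised in the thread is nat INPUT, which stays at 0 if the behaviour described above is reproduced.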






