Hello, I'm unable to understand why in Netfilter there are no INPUT versus FORWARD chain choices right after the packet has traversed the OUTPUT chain? Currently, a locally-generated packet goes straight from OUTPUT to POSTROUTING! Let's say a process on a router host generates a packet. This packet goes to the OUTPUT chain, following which a routing decision is made. Now, this packet could be destined either for the loopback interface, or for one of the host's many ethernet interfaces. If so, why shouldn't Netfilter bring the packet to the same INPUT / FORWARD decision-fork in the path that exists for an incoming packet soon after it has crossed PREROUTING? I have consulted *many* online sources, including Linux Network Administrator's Guide, and the ipables tutorial by Oskar Andreasson, but none of these explain this point at all. Would greatly appreciate it if someone could clarify. Regards, /HS
