On 12.08.21 at 03:37, Harry wrote:
On Thu, Aug 12, 2021 at 2:39 AM Florian Westphal <fw@xxxxxxxxx> wrote:
Harry <simonsharry@xxxxxxxxx> wrote:
On Wed, Aug 11, 2021 at 7:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:
I guess my confusion is: even if routing happens before OUTPUT, why,
in the Netfilter Packet Flow diagram above, is there no arrow going to
mangle:INPUT *also*, apart from the raw:OUTPUT arrow already shown in
the diagram?
Because packets never move directly from OUTPUT to INPUT.
The packet is out on the wire!
In the current diagrams and explanations -- obviously yes!
I guess the gist or the spirit of my original question was (and still
is): it would've been more consistent and logical, and more 'elegant',
to have had Netfilter make the packet go through the same chains
(either INPUT or FORWARD) once the (very first) routing decision has
been taken on it.
again: it's not INPUT when you talk to a foreign machine
again: it's not FORWARD when you are not a router
when you are talking to 127.0.0.1 *it is* INPUT on "lo", and it can be
filtered: my webservers can't talk to samba on the same machine
when you talk to other machines with locally-generated packets it is, for
the sake of god, OUTPUT
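To make the path being argued about concrete, here is a small model of which hook chains a packet traverses depending on the routing decision. It is an added illustration for this thread, not kernel or netfilter code; the local address set and the forwarding flag are constructed sample values.

```python
"""Toy model of the Netfilter chains a packet traverses.

Added illustration, not kernel code. The addresses and the forwarding
flag are constructed sample values standing in for the host's config.
"""
import ipaddress

# Constructed: addresses this host owns; the routing decision's "for us" test.
LOCAL_ADDRS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("192.0.2.10"),
}


def chains_traversed(dst, locally_generated, ip_forward=False):
    """Return the ordered chains (with interface notes) the packet hits.

    Locally generated packets go through OUTPUT and never move directly
    into INPUT; they only reach INPUT (on "lo") because the loopback
    device hands them back to the stack as received traffic.
    """
    for_us = ipaddress.ip_address(dst) in LOCAL_ADDRS
    path = []
    if locally_generated:
        # Routing decision first, then the OUTPUT hook, then POSTROUTING.
        path += ["OUTPUT", "POSTROUTING"]
        if not for_us:
            return path  # packet is out on the wire
        # Destination is one of our own addresses: delivered via "lo",
        # so it re-enters as an incoming packet and can be filtered there.
        path += ["PREROUTING(iif lo)", "INPUT(iif lo)"]
        return path
    # Received from a network device.
    path.append("PREROUTING")
    if for_us:
        path.append("INPUT")
    elif ip_forward:
        path += ["FORWARD", "POSTROUTING"]  # only a router sees FORWARD
    else:
        path.append("DROP(ip_forward=0)")  # not for us, not a router
    return path
```

Filtering "lo" traffic in INPUT (the samba example above) corresponds to the `INPUT(iif lo)` step for a locally generated packet to 127.0.0.1.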