Hi all,

(This is my first time posting to this list, so apologies if this is not the correct place to ask.)

This page on the Netfilter wiki puts the output hook after the routing decision:

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

However, the iptables man page says that mangle/OUTPUT, nat/OUTPUT and security/OUTPUT are "for altering locally-generated packets before routing", whereas raw/OUTPUT and filter/OUTPUT are "for locally-generated packets" (before routing I assume). This seems to contradict the schematic (or perhaps the schematic is incomplete and there is more than one routing decision on the path from the local process to the output interface).

Combining what the man page says with the table of priorities given on the above wiki page, I get the following:

Local process -> routing decision -> raw/OUTPUT -> connection tracking -> mangle/OUTPUT -> nat/OUTPUT -> routing decision -> filter/OUTPUT -> security/OUTPUT -> routing decision -> ...

Is this right? If so, why was Netfilter designed to have so many routing decision points? Why doesn't the schematic on the wiki show all of the points where a routing decision happens on the path from local process to output interface?

Thanks!

Andrew
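
One way to check the ordering asked about above on a test machine, as an added example that is not part of the original post: an nftables ruleset that registers one base chain on the output hook at each of the priorities used by the iptables tables and traces a packet through them. The table name, the chain names and the 192.0.2.1 destination are assumptions made for the example.

```nftables
# Added example. Load with `nft -f <file>`, run `nft monitor trace` in another
# terminal, then send one packet to the constructed test address 192.0.2.1.
table ip hookorder {
    # -300: priority of iptables raw/OUTPUT (runs before conntrack at -200)
    chain out_raw {
        type filter hook output priority -300; policy accept;
        ip daddr 192.0.2.1 meta nftrace set 1
        ip daddr 192.0.2.1 log prefix "out -300 raw: "
    }

    # -150: priority of iptables mangle/OUTPUT. Chain type "route" makes the
    # kernel redo the route lookup after this chain if the mark or relevant
    # IP header fields were changed here (see nft(8), chain types).
    chain out_mangle {
        type route hook output priority -150; policy accept;
        ip daddr 192.0.2.1 log prefix "out -150 mangle: "
    }

    # -100: priority of iptables nat/OUTPUT. NAT chains only see the first
    # packet of each connection.
    chain out_nat {
        type nat hook output priority -100; policy accept;
        ip daddr 192.0.2.1 log prefix "out -100 nat: "
    }

    # 0: priority of iptables filter/OUTPUT
    chain out_filter {
        type filter hook output priority 0; policy accept;
        ip daddr 192.0.2.1 log prefix "out 0 filter: "
    }

    # 50: priority of iptables security/OUTPUT
    chain out_security {
        type filter hook output priority 50; policy accept;
        ip daddr 192.0.2.1 log prefix "out 50 security: "
    }
}
```

The trace lists the chains in the order they ran, and the OUT= field of each kernel log line shows the output interface attached to the packet at that priority. Remove the test table afterwards with `nft delete table ip hookorder`.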