flaw with forwarding

Jeff Miller jeffm@dynamite.com.au
Thu, 25 Nov 1999 14:22:49 +1100

I think I may have found a flaw in netfilter with regard to forwarding. 
The system I'm using is a fresh installation of redhat 6.1 with the kernel
upgraded to 2.3.25 and netfilter 0.1.12.

The test setup is:

     pc1 ---------- netfilter ------- the world

After booting and insmod-ing iptables, I change the policies as follows:

input: drop
forward: accept
output: drop

and no nat.

With this setup, however, packets are still being forwarded. Is this a
flaw in my logic or in netfilter? I would have thought that the packet
wouldn't have been let in the Ethernet interfaces to be forwarded. I refer
you to the diagram from netfilter-hacking-HOWTO.txt:

A Packet Traversing the Netfilter System:

                        |            ^
                        |            |
                        |         [ROUTE]
                        v            |
                       [2]          [5]
                        |            ^
                        |            |
                        v            |

comment welcomed,
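The traversal behind the question, as an added example that is not part of the original post: a toy Python model of the filter table in which the routing decision shown in the HOWTO diagram picks exactly one of INPUT, FORWARD or OUTPUT for each packet, so the post's INPUT/OUTPUT drop policies never apply to traffic between pc1 and the world. The box addresses, the pc1 subnet and the per-subnet FORWARD rule are constructed assumptions.

```python
import ipaddress

ACCEPT, DROP = "ACCEPT", "DROP"

class FilterTable:
    """Toy filter table: INPUT, FORWARD, OUTPUT; each has a policy and rules."""

    def __init__(self, input_policy, forward_policy, output_policy):
        self.policy = {"INPUT": input_policy, "FORWARD": forward_policy,
                       "OUTPUT": output_policy}
        self.rules = {"INPUT": [], "FORWARD": [], "OUTPUT": []}  # (match, verdict)

    def traverse(self, pkt, local_addrs):
        """Return (chain, verdict). The routing decision picks the single
        filter chain a packet sees: locally generated -> OUTPUT, addressed to
        the box -> INPUT, anything else -> FORWARD (INPUT/OUTPUT never see it)."""
        if pkt["src"] in local_addrs:
            chain = "OUTPUT"
        elif pkt["dst"] in local_addrs:
            chain = "INPUT"
        else:
            chain = "FORWARD"
        for match, verdict in self.rules[chain]:  # first matching rule wins
            if match(pkt):
                return chain, verdict
        return chain, self.policy[chain]          # otherwise the chain policy

# Constructed addresses for the box in the diagram, one per side.
BOX_ADDRS = {"192.168.1.1", "203.0.113.2"}
PC1_NET = ipaddress.ip_network("192.168.1.0/24")

def verdict(fw, src, dst):
    return fw.traverse({"src": src, "dst": dst}, BOX_ADDRS)

def posted_setup():
    """The policies from the post: input drop, forward accept, output drop."""
    return FilterTable(DROP, ACCEPT, DROP)

def locked_down_setup():
    """FORWARD defaults to drop; only traffic from pc1's subnet is forwarded."""
    fw = FilterTable(DROP, DROP, DROP)
    fw.rules["FORWARD"].append(
        (lambda p: ipaddress.ip_address(p["src"]) in PC1_NET, ACCEPT))
    return fw

if __name__ == "__main__":
    # pc1 -> the world under the post's policies: only FORWARD is consulted.
    print(verdict(posted_setup(), "192.168.1.10", "198.51.100.7"))  # ('FORWARD', 'ACCEPT')
    # the world -> pc1 under the locked-down table: no rule matches, policy drops.
    print(verdict(locked_down_setup(), "198.51.100.7", "192.168.1.10"))  # ('FORWARD', 'DROP')
```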