flaw with forwarding

Tommi Virtanen tv@havoc.fi
Thu, 25 Nov 1999 11:07:58 +0200


On Thu, Nov 25, 1999 at 02:25:00PM +1100, Jeff Miller wrote:
> With this setup, however, packets are still being forwarded. Is this a
> flaw in my logic or netfilter as I would have thought that the packet
> wouldn't have been let in the ethernet interfaces to be forwarded. I refer
> you to the diagram from netfilter-hacking-HOWTO.txt
> 
> A Packet Traversing the Netfilter System:
> 
>           --->[1]--->[ROUTE]--->[3]--->[4]--->
>                         |            ^
>                         |            |
>                         |         [ROUTE]
>                         v            |
>                        [2]          [5]
>                         |            ^
>                         |            |
>                         v            |
> 

	Flaw in your logic. ipchains in 2.2 made forwarded packets pass
	input and output chains too, netfilter does not. And this is
	A Good Thing(tm). The input filter is in hook [2], and output
	in hook [5] - not in [1] and [4], respectively.
-- 
tv@{{hq.yok.utu,havoc,gaeshido}.fi,{debian,wanderer}.org}
unix, linux, debian, networks, security, | Rather than a beep
kernel, TCP/IP, C, perl, free software,  | Or a rude error message,
mail, www, sw devel, unix admin, hacks.  | These words: "File not found."
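To make the difference between the two traversal models concrete, here is a small
Python model of the hook diagram quoted above. It is an added example written for
this archive page, not code from the netfilter project or from either poster, and it
does not talk to the kernel: it walks a packet through the hooks the diagram numbers
([1] PRE_ROUTING, [2] LOCAL_IN, [3] FORWARD, [4] POST_ROUTING, [5] LOCAL_OUT) under
netfilter semantics, and through input/forward/output under the 2.2 ipchains
semantics Tommi describes. The router addresses, packets and rulesets are
constructed for illustration; the ruleset that drops only in INPUT stands in for
the kind of setup the question describes.

```python
"""Traversal model of the netfilter hook diagram (constructed example, not kernel code).

Hook numbers follow the diagram in the quoted message:
[1] PRE_ROUTING, [2] LOCAL_IN, [3] FORWARD, [4] POST_ROUTING, [5] LOCAL_OUT.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Chain names attached to each hook (filter table chains sit on [2], [3], [5]).
NF_HOOKS = {1: "PREROUTING", 2: "INPUT", 3: "FORWARD", 4: "POSTROUTING", 5: "OUTPUT"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    locally_generated: bool = False


@dataclass(frozen=True)
class Rule:
    verdict: str                 # "ACCEPT" or "DROP"
    src: Optional[str] = None    # None matches any source address
    dst: Optional[str] = None    # None matches any destination address

    def matches(self, pkt: Packet) -> bool:
        return self.src in (None, pkt.src) and self.dst in (None, pkt.dst)


def netfilter_path(pkt: Packet, local_addrs: set) -> List[str]:
    """Chains a packet hits under netfilter, following the diagram arrows.

    A forwarded packet goes [1] -> route -> [3] -> [4]; it never sees [2] or [5].
    """
    if pkt.locally_generated:
        hooks = [5, 4]
    elif pkt.dst in local_addrs:
        hooks = [1, 2]
    else:
        hooks = [1, 3, 4]
    return [NF_HOOKS[h] for h in hooks]


def ipchains_path(pkt: Packet, local_addrs: set) -> List[str]:
    """Chains a packet hit under 2.2 ipchains: forwarded packets saw all three."""
    if pkt.locally_generated:
        return ["OUTPUT"]
    if pkt.dst in local_addrs:
        return ["INPUT"]
    return ["INPUT", "FORWARD", "OUTPUT"]


def run(pkt: Packet, ruleset: Dict[str, List[Rule]], local_addrs: set,
        stack: str = "netfilter") -> Tuple[str, Optional[str]]:
    """Return (verdict, chain): chain is where the DROP happened, else None.

    Chains without a matching rule fall through to an ACCEPT policy; an ACCEPT
    rule ends the current chain but the packet still continues to later hooks.
    """
    path_fn = netfilter_path if stack == "netfilter" else ipchains_path
    for chain in path_fn(pkt, local_addrs):
        for rule in ruleset.get(chain, []):
            if rule.matches(pkt):
                if rule.verdict == "DROP":
                    return "DROP", chain
                break  # ACCEPT: done with this chain, move on to the next hook
    return "ACCEPT", None


# Constructed sample data: a two-interface router and two packets.
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}
FORWARDED = Packet(src="192.0.2.10", dst="198.51.100.20")   # transits the box
TO_ROUTER = Packet(src="192.0.2.10", dst="192.0.2.1")       # addressed to the box

# A ruleset that only drops in INPUT, the shape of setup the question describes.
INPUT_ONLY = {"INPUT": [Rule("DROP")]}
# The netfilter answer: forwarded traffic has to be filtered at hook [3].
FORWARD_FIX = {"INPUT": [Rule("DROP")], "FORWARD": [Rule("DROP")]}

if __name__ == "__main__":
    for name, rs in (("INPUT only", INPUT_ONLY), ("INPUT+FORWARD", FORWARD_FIX)):
        for stack in ("netfilter", "ipchains"):
            print(f"{name:14} {stack:10} forwarded -> {run(FORWARDED, rs, ROUTER_ADDRS, stack)}")
```

Running it shows the forwarded packet ACCEPTed by netfilter with the INPUT-only ruleset but DROPped at INPUT under the ipchains model, and DROPped at FORWARD once a rule is placed in hook [3]; the packet addressed to the router itself is dropped at INPUT in both models.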