flaw with forwarding
Tommi Virtanen
tv@havoc.fi
Thu, 25 Nov 1999 11:07:58 +0200
On Thu, Nov 25, 1999 at 02:25:00PM +1100, Jeff Miller wrote:
> With this setup, however, packets are still being forwarded. Is this a
> flaw in my logic or netfilter as I would have thought that the packet
> wouldn't have been let in the ethernet interfaces to be forwarded. I refer
> you to the diagram from netfilter-hacking-HOWTO.txt
>
> A Packet Traversing the Netfilter System:
>
> --->[1]--->[ROUTE]--->[3]--->[4]--->
>      |                     ^
>      |                     |
>      |                  [ROUTE]
>      v                     |
>     [2]                   [5]
>      |                     ^
>      |                     |
>      v                     |
>
Flaw in your logic. ipchains in 2.2 made forwarded packets pass the
input and output chains too; netfilter does not. And this is
A Good Thing(tm). The input filter is in hook [2], and output
in hook [5] - not in [1] and [4], respectively.
--
tv@{{hq.yok.utu,havoc,gaeshido}.fi,{debian,wanderer}.org}
unix, linux, debian, networks, security, | Rather than a beep
kernel, TCP/IP, C, perl, free software, | Or a rude error message,
mail, www, sw devel, unix admin, hacks. | These words: "File not found."
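A small model of the traversal Tommi describes, added here as an example; it is not code from this thread or from the netfilter project. The addresses and rules are constructed, and the chain names INPUT/FORWARD/OUTPUT are assumed to sit at hooks [2], [3] and [5] as in the filter table.

```python
"""Model of the packet traversal in the quoted diagram (added example, not
code from the original post or from the netfilter project).

Hooks: 1 = PRE_ROUTING, 2 = LOCAL_IN (the input filter), 3 = FORWARD,
4 = POST_ROUTING, 5 = LOCAL_OUT (the output filter). Rules are constructed
(chain, source prefix, verdict) tuples; first match wins, default ACCEPT.
"""
from ipaddress import ip_address, ip_network

# Constructed: the addresses the filtering box itself owns.
LOCAL_ADDRS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}


def lookup(chain, rules, src):
    """Verdict of the first rule in `chain` matching the source address."""
    for rule_chain, prefix, verdict in rules:
        if rule_chain == chain and ip_address(src) in ip_network(prefix):
            return verdict
    return "ACCEPT"


def traverse(src, dst, rules, locally_generated=False):
    """Walk one packet through the hooks and return (hooks visited, verdict).

    A packet arriving on an interface goes [1] -> routing -> [2] (INPUT
    chain) if it is for this box, else [3] (FORWARD chain) -> [4].  A
    packet this box generates goes routing -> [5] (OUTPUT chain) -> [4].
    INPUT and OUTPUT are therefore never consulted for a forwarded packet.
    """
    hooks = []
    if locally_generated:
        hooks.append(5)
        verdict = lookup("OUTPUT", rules, src)
    else:
        hooks.append(1)
        if ip_address(dst) in LOCAL_ADDRS:
            hooks.append(2)
            return hooks, lookup("INPUT", rules, src)
        hooks.append(3)
        verdict = lookup("FORWARD", rules, src)
    if verdict == "ACCEPT":
        hooks.append(4)  # only accepted packets reach POST_ROUTING
    return hooks, verdict


if __name__ == "__main__":
    drop_in_input = [("INPUT", "203.0.113.0/24", "DROP")]
    # Same source, same rule: dropped when delivered locally, forwarded otherwise.
    print(traverse("203.0.113.5", "192.0.2.1", drop_in_input))
    print(traverse("203.0.113.5", "10.0.0.9", drop_in_input))
```

Moving the same rule into the FORWARD chain is what actually stops the forwarded packet at hook [3].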