Re: Stateless dropping of packets

Kevin Buhr (buhr@telus.net)
02 Apr 2003 09:00:18 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Martin J. Bligh: "[Bug 531] New: cdrom ioctl CDROM_SEND_PACKET broken"
Previous message: Gerd Knorr: "[patch] add i2c_clientname()"

Florian Weimer <fw@deneb.enyo.de> writes:
>
> Is this extremely important application of the PREROUTING chain
> documented somewhere? Should I feel embarrassed? 8-)

No, I haven't seen it documented explicitly. It's just a fortunate
side effect of the fact that the DROP target can be used anywhere and
there's a fairly general-purpose table ("mangle") that has a
PREROUTING chain.

There's no particular reason for the "filter" table *not* to implement
PREROUTING and POSTROUTING chains (at least not that I can see) except
for a very small performance hit. I guess no one thought there'd be
much of a use for them. And it would break the nice rule of thumb
that a packet only passes through one of the three chains of the
"filter" table (not counting packets throught the loopback interface
which pass through OUTPUT then back through INPUT).

-- 
Kevin <buhr@telus.net>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Martin J. Bligh: "[Bug 531] New: cdrom ioctl CDROM_SEND_PACKET broken"
Previous message: Gerd Knorr: "[patch] add i2c_clientname()"