From: Christoph Anton Mitterer  <christoph.anton.mitterer@physik.uni-muenchen.de>
To: netfilter@vger.kernel.org
Subject: Re: How does netfilter decide which in/out-interface a packet has
Date: Sun, 07 Mar 2010 04:14:26 +0100	[thread overview]
Message-ID: <1267931666.9967.6.camel@fermat.scientia.net> (raw)
In-Reply-To: <4B903B4F.2030708@plouf.fr.eu.org>


Ok... I think I'm confused now ^^


Before you've said:
>> How does netfilter decide which in/out-interface a packet has?
>It doesn't. The packet decides which input interface it arrives on, and
>the routing decision decides which output interface it leaves.

So what exactly does it mean?
a) If the packet physically arrives on e.g. eth0 ("by wire"), its
interface is counted as eth0, regardless of what its destination address
says?

b) If it appears on any interface (e.g. eth0 or eth1), its interface is
counted as the one that matches the destination address on the
packet,... even if it appears physically on eth0 but still has
the destination address of eth1?


On Thu, 2010-03-04 at 23:59 +0100, Pascal Hambourg wrote:
> Christoph Anton Mitterer wrote:
> > So the kernel basically sees when packets do not leave the box but are
> > just "internal traffic" and uses lo for this?
> > I assume this also applies for byte counters like RX/TX packets and
> > they're accounted on lo?
> Yes and yes.
Do you perhaps know where I can see this in the code?
And is this also the case for v6?


> >>> "incoming traffic (from remote):
> >>> 99.99.99.99 --> 127.x.x.x     => is that possible at all? how would  
> >>> the in=/out= be?
> >> eth0, but the packet is discarded after PREROUTING by the input routing
> >> decision which prohibits receiving a packet with a loopback address from
> >> outside (a non loopback interface).
> > Ah great,... so I don't have to manually drop such stuff... right?
> > Are such packets dropped (like DROP) or are they rejected with error
> > codes?
> They are silently discarded, like DROP. Some of these packets are logged
> when sysctl net.ipv4.conf.*.log_martians is enabled. Otherwise you can
> log (and drop) them with iptables.
a) Uhmm... wait... you say "otherwise" does this mean if log_martians is
disabled they are neither logged NOR discarded?
b) What is all regarded as "martians" here,.. there are different
definitions on the web...


> Note that I observed once that the kernel allowed sending IPv6 packets
> outside the host with the source address ::1 (IPv6 loopback address),
> which should be prohibited. I didn't test all "impossible" addresses but
> there may be other cases. So it may be worth filtering with ip(6)tables
> anyway.
argl...


Thanks,
Chris.
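As an added example that is not part of the thread (Python; the names `loopback_martian` and `log_and_drop_rules` are my own), the loopback-on-a-non-lo-interface case discussed above, classified for both IPv4 and IPv6, together with the iptables/ip6tables log-and-drop rules that cover it. It handles only loopback addresses, not every address the kernel treats as a martian.

```python
"""Constructed example: decide whether a packet carries a loopback address on
a non-loopback interface (the case the thread discusses) and build the
iptables/ip6tables rules that log and drop such packets."""
import ipaddress

LOOPBACK_IFACE = "lo"


def loopback_martian(iface, src, dst, direction="in"):
    """Return a reason string if the packet should be discarded, else None.

    direction: "in"  -> iface is the interface the packet arrived on
               "out" -> iface is the interface chosen by the routing decision
    A loopback source or destination is only legitimate on lo.
    """
    if iface == LOOPBACK_IFACE:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    # is_loopback covers 127.0.0.0/8 for IPv4 and ::1 for IPv6
    if s.is_loopback:
        return f"loopback source {src} on {iface} ({direction})"
    if d.is_loopback:
        return f"loopback destination {dst} on {iface} ({direction})"
    return None


def log_and_drop_rules():
    """Rule list (constructed): INPUT catches loopback src/dst arriving on a
    non-lo interface; OUTPUT catches a loopback source leaving via non-lo,
    the IPv6 ::1 case observed in the thread."""
    rules = []
    for tool, net in (("iptables", "127.0.0.0/8"), ("ip6tables", "::1/128")):
        matches = [f"{tool} -A INPUT ! -i lo -s {net}",
                   f"{tool} -A INPUT ! -i lo -d {net}",
                   f"{tool} -A OUTPUT ! -o lo -s {net}"]
        for m in matches:
            rules.append(f'{m} -j LOG --log-prefix "martian-loopback: "')
            rules.append(f"{m} -j DROP")
    return rules


if __name__ == "__main__":
    # The thread's example: 99.99.99.99 --> 127.x.x.x arriving on eth0
    print(loopback_martian("eth0", "99.99.99.99", "127.0.0.1"))
    print("\n".join(log_and_drop_rules()))
```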


