* Netfilter flow schematic: routing decision and output hook question
@ 2021-10-10 23:52 Andrew Bate
From: Andrew Bate @ 2021-10-10 23:52 UTC (permalink / raw)
  To: netfilter

Hi all,

(This is my first time posting to this list, so apologies if this is
not the correct place to ask.)

This page on the Netfilter wiki puts the output hook after the routing decision:
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

However, the iptables man page says that mangle/OUTPUT, nat/OUTPUT and
security/OUTPUT are "for altering locally-generated packets before
routing", whereas raw/OUTPUT and filter/OUTPUT are "for
locally-generated packets" (before routing I assume).

This seems to contradict the schematic (or perhaps the schematic is
incomplete and there is more than one routing decision on the path
from the local process to the output interface).

Combining what the man page says with the table of priorities given on
the above wiki page, I get the following:
Local process -> routing decision -> raw/OUTPUT -> connection tracking
-> mangle/OUTPUT -> nat/OUTPUT -> routing decision -> filter/OUTPUT ->
security/OUTPUT -> routing decision -> ...

Is this right? If so, why was Netfilter designed to have so many
routing decision points?

Why doesn't the schematic on the wiki show all of the points where a
routing decision happens on the path from local process to output
interface?

Thanks!
Andrew
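Added example, not part of the post above: an nftables ruleset (assumed names `hookorder` and `out_*`, nft 0.9 or later) that registers one counting chain at each of the standard base-chain priorities on the single output hook. Netfilter runs all chains registered on one hook in ascending priority order, and conntrack sits at -200 as a kernel hook rather than a chain, so `nft list ruleset` after generating some local traffic shows the counters advancing in the order raw, (conntrack), mangle, nat, filter, security.

```nft
# Added example: one counting base chain per standard priority on the
# output hook. Priorities are the numeric values nftables assigns to its
# named priorities (raw, mangle, dstnat, filter, security).
table inet hookorder {
    chain out_raw {
        type filter hook output priority -300; policy accept;
        counter comment "raw/OUTPUT"
    }
    # conntrack runs at priority -200, between raw and mangle; it is a
    # kernel hook, not a chain, so nothing is registered for it here.
    chain out_mangle {
        type filter hook output priority -150; policy accept;
        counter comment "mangle/OUTPUT"
    }
    chain out_nat {
        type nat hook output priority -100; policy accept;
        counter comment "nat/OUTPUT"
    }
    chain out_filter {
        type filter hook output priority 0; policy accept;
        counter comment "filter/OUTPUT"
    }
    chain out_security {
        type filter hook output priority 50; policy accept;
        counter comment "security/OUTPUT"
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; every counter sees each locally generated packet once per traversal of the output hook.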
