Gabor HALASZ <halas...@freemail.hu> writes:

> PÁSZTOR György wrote:
>
>> "Gabor HALASZ" <halas...@freemail.hu> wrote on 2008-12-16 at 09:13:
>>
>>> PÁSZTOR György wrote:
>>>
>>>> Yes, but the OUTPUT chain comes before the routing decision in both
>>>> the nat and the mangle tables.
>>>
>>> Not according to this:
>>>
>>> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
>>
>> That document is wrong. Since you've found it, send them a bug report! ;-)
>
> The other reason is the already mentioned network internals book. And as
> a third, say, the already mentioned traversingoftables FAQ, whose relevant
> part I'm copying here now (just for the ordering; it's enough even
> without the table/chain specification):
>
> 3.2 Source local host
>
> 1. Local process/application (i.e., server/client program)
> 2. Routing decision. What source address to use, what outgoing interface
> to use, and other necessary information that needs to be gathered.
> 3. This is where we mangle packets, it is suggested that you do not
> filter in this chain since it can have side effects.
> 4....

See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, below Figure 3b:

  Note that the iptables nat OUTPUT chain is situated after the routing
  decision. As commented in the previous section [...], this is too late
  for DNAT. This is solved by rerouting the IP packet if it has been
  DNAT'ed, before continuing.

-- 
Feri.
_________________________________________________
linux list - linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux