Hi,
>
> note that after flushing and deleting chains, the stop() function
>explicitly sets to ACCEPT the policies of all three "filter" chains,
>all three "nat" chains, but only the PREROUTING and OUTPUT chains of
>"mangle". i'm just curious why it doesn't process all five chains of
>the "mangle" table. any reason for that? i'm just trying to get a
>coherent picture of how these things happen.
>
Interesting observation. It probably stems from this:
Until very recently, you could only do mangle operations
in PREROUTING and OUTPUT. The diagram on:
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html
still shows this. However, in 2.4.18 (it may have been 2.4.17,
not 100% sure), the mangle5hooks patch written by Brad Chapman
was included in the stable kernel, effectively adding mangle
tables to all 5 netfilter hooks. It's actually the right thing
to do because there are real-life examples of cases where mangling
cannot be done in PREROUTING or OUTPUT (eg. when you need to
mangle based on the MTU of the outgoing interface; you only
know the outgoing interface after routing).
So whether this is a "bug" or not depends on the kernel version
Red Hat will be shipping with (actually, the version number may
be misleading, as Red Hat may be shipping a heavily patched
older kernel). If they ship a kernel with the mangle5hooks, the
script should be modified.
Either way, they had better rewrite the script anyway and grep/awk
the hook names from "iptables -L -t mangle". I remember some issues
reported to this list with the iptables binary that shipped with
a recent RedHat: it was compiled with debugging enabled, hence
it failed some asserts on kernels with the mangle5hooks patch and
started spitting out errors.
Anyway, nice catch!
Regards,
Filip
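The dynamic approach suggested above (taking the chain names from the table listing instead of hard-coding them) as an added shell example; it is not from the original thread or the Red Hat script, and the iptables listing it parses is a constructed sample:

```shell
#!/bin/sh
# Added example: reset the policy of every built-in chain a table actually
# has, rather than assuming a fixed list of chains. In "iptables -L" output
# built-in chains carry a "(policy ...)" annotation, while user-defined
# chains show "(N references)" and get deleted instead of given a policy.

# Constructed sample of "iptables -L -t mangle -n" on a mangle5hooks kernel.
SAMPLE_LISTING='Chain PREROUTING (policy DROP)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain mychain (1 references)
target     prot opt source               destination
'

# Print the names of the built-in chains found in a listing read from stdin.
builtin_chains() {
    awk '/^Chain / && /\(policy / { print $2 }'
}

# Emit one "-P <chain> ACCEPT" command per built-in chain of table "$1";
# the listing is read from stdin so real or sample output can drive it.
reset_policy_cmds() {
    table=$1
    builtin_chains | while read -r chain; do
        printf 'iptables -t %s -P %s ACCEPT\n' "$table" "$chain"
    done
}

# Stand-alone demo on the constructed listing. On a live host the same
# function would be fed by: iptables -L -t mangle -n | reset_policy_cmds mangle
printf '%s' "$SAMPLE_LISTING" | reset_policy_cmds mangle
```

The same two functions work unchanged for the "filter" and "nat" tables, so the script no longer needs a per-table list of chain names.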
Title: RE: probably simple questions regarding tables and chains
