Interface match in POSTROUTING

All of lore.kernel.org
 help / color / mirror / Atom feed

* Interface match in POSTROUTING
@ 2011-10-09  9:05 "Oleg A. Arkhangelsky"
  2011-10-09 11:01 ` Jan Engelhardt
  0 siblings, 1 reply; 2+ messages in thread
From: "Oleg A. Arkhangelsky" @ 2011-10-09  9:05 UTC (permalink / raw)
  To: netfilter-devel

Hello,

I have a question regarding this piece of code in iptables.c:

                if (strcmp(chain, "POSTROUTING") == 0
                    || strcmp(chain, "OUTPUT") == 0) {
                        /* -i not valid with outgoing packets */
                        if (cs.options & OPT_VIANAMEIN)
                                xtables_error(PARAMETER_PROBLEM,
                                           "Can't use -%c with %s\n",
                                           opt2char(OPT_VIANAMEIN),
                                           chain);
                }

I agree that "-i" is not valid for locally generated packets
(that is what OUTPUT chain for). But for forwarded packets
going through POSTROUTING this is not true. As far as I
understand we can match for both input and output interface
here (as in FORWARD).

So why we need this restriction?

-- 
wbr, Oleg.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Interface match in POSTROUTING
  2011-10-09  9:05 Interface match in POSTROUTING "Oleg A. Arkhangelsky"
@ 2011-10-09 11:01 ` Jan Engelhardt
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Engelhardt @ 2011-10-09 11:01 UTC (permalink / raw)
  To: "Oleg A. Arkhangelsky"; +Cc: netfilter-devel

On Sunday 2011-10-09 11:05, "Oleg A. Arkhangelsky" wrote:

>Hello,
>
>I have a question regarding this piece of code in iptables.c:
>
>                if (strcmp(chain, "POSTROUTING") == 0
>                    || strcmp(chain, "OUTPUT") == 0) {
>                        /* -i not valid with outgoing packets */
>                        if (cs.options & OPT_VIANAMEIN)
>                                xtables_error(PARAMETER_PROBLEM,
>                                           "Can't use -%c with %s\n",
>                                           opt2char(OPT_VIANAMEIN),
>                                           chain);
>                }
>
>I agree that "-i" is not valid for locally generated packets
>(that is what OUTPUT chain for). But for forwarded packets
>going through POSTROUTING this is not true. As far as I
>understand we can match for both input and output interface
>here (as in FORWARD).

Locally generated packets also appear in POSTROUTING.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-10-09 11:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-10-09  9:05 Interface match in POSTROUTING "Oleg A. Arkhangelsky"
2011-10-09 11:01 ` Jan Engelhardt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.