* PREROUTING doesn't catch all packets?
@ 2003-02-19 19:18 Michael Gundlach
  2003-02-19 20:19 ` Patrick Schaaf
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Gundlach @ 2003-02-19 19:18 UTC (permalink / raw)
  To: netfilter-devel

Hi again everyone,

I have the following iptables rules on my bridging Linux box:

iptables -t nat -F
iptables -t nat -A PREROUTING -j QUEUE
iptables -t nat -A OUTPUT -j QUEUE

I then have a box connected to one NIC of the bridge telnet to a box
connected to the other NIC of the bridge.  I use libipq to catch all
packets, print them out, and reinject them.

If I understand things correctly, all packets coming in on either bridge
interface pass through the PREROUTING hook, so I should see every single
one.  However, all I see (aka, all that ipq_read catches) is the SYN packet
from the client to the server.

Worse yet, when I add
  iptables -A FORWARD -j QUEUE
to the list, I see every packet - and the SYN packet twice.  So all packets
hit the FORWARD chain, but only the SYN packet hits the PREROUTING chain!

Am I misusing the nat table or something?  Shouldn't I be able to see all
packets?  (I need to use PREROUTING for an application that is modifying
the destination IP of incoming packets, so "use the FORWARDING chain
instead" isn't a sufficient answer.)

Thanks for your help, everybody.

Michael


* Re: PREROUTING doesn't catch all packets?
  2003-02-19 19:18 PREROUTING doesn't catch all packets? Michael Gundlach
@ 2003-02-19 20:19 ` Patrick Schaaf
  2003-02-19 22:50   ` Michael Gundlach
  0 siblings, 1 reply; 3+ messages in thread
From: Patrick Schaaf @ 2003-02-19 20:19 UTC (permalink / raw)
  To: Michael Gundlach; +Cc: netfilter-devel

> iptables -t nat

The NAT table NEVER sees any packet belonging to already existing
conntrack entries. The sole purpose of the NAT table is to select
NAT actions for NEW conntrack entries.

Thus, the behaviour you see is the desired mode of operation,
regardless of bridging. It is the way the NAT table is intended
to operate.

> I need to use PREROUTING for an application that is modifying
> the destination IP of incoming packets, so "use the FORWARDING chain
> instead" isn't a sufficient answer.

The answer may be "use the PREROUTING chain of the '-t mangle' table".

best regards
  Patrick
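
A small Python model of the behaviour Patrick describes, added here as an illustration and not code from this thread or from the kernel: conntrack gates the nat table so that only the packet creating a NEW entry traverses it, while mangle PREROUTING and filter FORWARD see every packet. The telnet packets and rule sets are constructed samples, and the nat OUTPUT hook from the original ruleset is omitted as an assumed simplification.

```python
# Simplified model of netfilter hook traversal on a bridge (added example,
# not kernel code). The first packet of an unknown flow creates a NEW
# conntrack entry; only that packet is run through the nat table.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

def flow_key(p):
    # conntrack treats both directions of a connection as one entry,
    # so normalise the address tuple to be direction-independent
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def traverse(packets, rules):
    """Run packets through PREROUTING (mangle, nat) and FORWARD (filter).
    `rules` is a set of (table, chain) holding a '-j QUEUE' rule.
    Returns the (table, chain, packet) triples the QUEUE rules would see."""
    conntrack = set()
    queued = []
    for p in packets:
        key = flow_key(p)
        state = "ESTABLISHED" if key in conntrack else "NEW"
        conntrack.add(key)
        # mangle PREROUTING: every packet entering the box
        if ("mangle", "PREROUTING") in rules:
            queued.append(("mangle", "PREROUTING", p))
        # nat PREROUTING: consulted only when conntrack created a NEW entry
        if ("nat", "PREROUTING") in rules and state == "NEW":
            queued.append(("nat", "PREROUTING", p))
        # filter FORWARD: every bridged/routed packet
        if ("filter", "FORWARD") in rules:
            queued.append(("filter", "FORWARD", p))
    return queued

# constructed sample: start of a telnet session crossing the bridge
TELNET = [
    Packet("10.0.0.2", 40000, "10.0.0.3", 23, "SYN"),
    Packet("10.0.0.3", 23, "10.0.0.2", 40000, "SYN-ACK"),
    Packet("10.0.0.2", 40000, "10.0.0.3", 23, "ACK"),
    Packet("10.0.0.2", 40000, "10.0.0.3", 23, "PSH-ACK"),
]

def queued_flags(rules):
    """(table, flags) for each packet a QUEUE rule would hand to libipq."""
    return [(t, p.flags) for t, _, p in traverse(TELNET, rules)]

if __name__ == "__main__":
    print(queued_flags({("nat", "PREROUTING")}))                    # SYN only
    print(queued_flags({("nat", "PREROUTING"), ("filter", "FORWARD")}))
    print(queued_flags({("mangle", "PREROUTING")}))                 # all four
```

The three calls correspond to the original nat-only ruleset, the ruleset with FORWARD added (SYN seen twice), and Patrick's mangle suggestion.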


* Re: PREROUTING doesn't catch all packets?
  2003-02-19 20:19 ` Patrick Schaaf
@ 2003-02-19 22:50   ` Michael Gundlach
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Gundlach @ 2003-02-19 22:50 UTC (permalink / raw)
  To: netfilter-devel

Yep, that did the trick.  Thanks a lot.

michael

On Wed Feb 19, 2003 at 09:19PM, Patrick Schaaf wrote:

> > iptables -t nat
> 
> The NAT table NEVER sees any packet belonging to already existing
> conntrack entries. The sole purpose of the NAT table is to select
> NAT actions for NEW conntrack entries.
> 
> Thus, the behaviour you see, is the desired mode of operation,
> regardless of bridging. It is the way the NAT table is intended
> to operate.
> 
> > I need to use PREROUTING for an application that is modifying
> > the destination IP of incoming packets, so "use the FORWARDING chain
> > instead" isn't a sufficient answer.
> 
> The answer may be "use the PREROUTING chain of the '-t mangle' table".
> 
> best regards
>   Patrick

