From: Florian Westphal <fw@strlen.de>
To: Harry S <simonsharry@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Why aren't INPUT and FORWARD chains available to a locally-generated packet?
Date: Wed, 11 Aug 2021 16:29:21 +0200
Message-ID: <20210811142921.GW607@breakpoint.cc>
In-Reply-To: <CACj4R39Zf=cK5p3-_YtDhvqqBMLd3Jyrk7uhcoc9pTm_PrUhtA@mail.gmail.com>

Harry S <simonsharry@gmail.com> wrote:
> Hello,
> 
> I'm unable to understand why in Netfilter there are no INPUT versus
> FORWARD chain choices right after the packet has traversed the OUTPUT
> chain? Currently, a locally-generated packet goes straight from OUTPUT
> to POSTROUTING!

[..]
> Let's say a process on a router host generates a packet. This packet
> goes to the OUTPUT chain, following which a routing decision is made.

No, for output, routing decision happens before output.

Else you could not filter based on output interface name in OUTPUT.

There is a rerouting check/reroute enforcement in mangle:output
to handle a change in the packet mark.

Same for NAT in output: re-route if the destination ip
changed.

> Now, this packet could be destined either for the loopback interface,
> or for one of the host's many ethernet interfaces. If so, why
> shouldn't Netfilter bring the packet to the same INPUT / FORWARD
> decision-fork in the path that exists for an incoming packet soon
> after it has crossed PREROUTING?

If it's loopback, packet ends up using:

OUTPUT -> POSTROUTING -> PREROUTING -> INPUT (or FORWARD).
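A toy model of the hook order Florian describes, added here as an illustration (it is not code from this thread or from the kernel): the route lookup runs before OUTPUT, a mark or destination change in mangle/nat OUTPUT triggers a reroute, and a packet routed to loopback re-enters through PREROUTING before hitting the INPUT/FORWARD fork. The routing table, the fwmark policy route and the host's addresses are constructed assumptions.

```python
"""Toy model of netfilter hook traversal for a locally generated IPv4 packet.
Hook names follow iptables table:chain naming; everything else is constructed."""

LOCAL_ADDRS = {"127.0.0.1", "10.0.0.1"}   # constructed: addresses owned by this host

def route(pkt):
    """Constructed routing table: loopback net, one fwmark policy route, a default."""
    if pkt["dst"].startswith("127."):
        return "lo"
    if pkt["mark"] == 1:                  # assumption: fwmark 1 selects a policy route via eth1
        return "eth1"
    return "eth0"

def traverse(dst, rules=None):
    """Return (list of hooks traversed, final packet).
    `rules` maps a hook name to a callable that mutates the packet dict."""
    rules = rules or {}
    pkt = {"dst": dst, "mark": 0, "oif": None}
    path = []

    def run(hook):
        path.append(hook)
        if hook in rules:
            rules[hook](pkt)

    pkt["oif"] = route(pkt)               # routing decision BEFORE OUTPUT: oif is known there
    for hook in ("raw:output", "mangle:output", "nat:output", "filter:output"):
        before = (pkt["mark"], pkt["dst"])
        run(hook)
        # reroute check: mangle after a mark/dst change, nat after a destination change
        changed = (hook == "mangle:output" and before != (pkt["mark"], pkt["dst"])) or \
                  (hook == "nat:output" and before[1] != pkt["dst"])
        if changed:
            path.append("reroute")
            pkt["oif"] = route(pkt)
    run("postrouting")
    if pkt["oif"] == "lo":                # sent to ourselves: it comes back in on lo ...
        run("prerouting")                 # ... as an incoming packet, then the usual fork
        run("input" if pkt["dst"] in LOCAL_ADDRS else "forward")
    return path, pkt
```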

