Linux Netfilter discussions
From: Joel Newkirk <netfilter@newkirk.us>
To: Oskar Andreasson <blueflux@koffein.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Packet chain traversals
Date: Mon, 28 Oct 2002 00:48:01 -0500
Message-ID: <200210280048.01995.netfilter@newkirk.us>
In-Reply-To: <Pine.LNX.4.44.0210272214080.12317-100000@laptop1.agatha>

On Sunday 27 October 2002 04:23 pm, Oskar Andreasson wrote:
> On Sun, 27 Oct 2002, Joel Newkirk wrote:
> > On Sunday 27 October 2002 01:50 pm, Oskar Andreasson wrote:

> > In my mind, I always think of the local machine (local processes) as
> > being 'inside' the firewall, with the individual interfaces being
> > separated by it, or the LAN being 'behind' it.  I can't think of a
> > useful, non-degenerate example where this isn't a valid perspective, so
> > I've held to it so far.
>
> Try a small backbone or so:).
>
... :^)

> Sounds like a nice idea. I could use one myself once in a while (lousy
> memory). I would really like seeing the mangle/nat/filter stuff added to
> FORWARD/INPUT/OUTPUT though, and it would be even better:)

YWIMC.  (Anyone who tried to grab the pic this evening but couldn't, I
apologize - I broke down and rebooted to run Photoshop for a few minutes for
curved text entry.)  Try http://newkirk.no-ip.org:83/Traversal-full.png (it's
'full' sized at 2048x1600 and 'full' detail with all built-in chains listed).
I'm probably going to give it a few days, then if I'm satisfied I'll rebuild
it with cleaner text and spacing, and a few flow arrows.

BTW, I'm not happy already with one aspect, but can't see a resolution:  I 
look at this and picture a packet at 'in', then mangle-pre nat-pre and 
routing.  If it's forwarded then we have a quantum situation where it could 
'be' in either of the forward steps (semi-ovals?) and then to routing again 
BEFORE it is really decided which 'out' it is heading for.  Now I know how it 
really works, but when I look at this I expect the forwarding destination to 
already be determined before it hits Mangle Forward, just based on the 
diagram construction, and it actually isn't.  Oh, well.  Unless someone can 
suggest an alternative, I'll likely leave it as is. (Yes Oskar, I realized 
that splitting it to any half would eliminate this artifact... Damn... :^)

j

