"raw" table versus "filter" table - David TAILLANDIER

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: David TAILLANDIER - DIGI VALUE <david.taillandier@digi-value.fr>
To: netfilter@vger.kernel.org
Subject: "raw" table versus "filter" table
Date: Wed, 18 Nov 2015 22:47:02 +0100	[thread overview]
Message-ID: <564CF1D6.9000709@digi-value.fr> (raw)


Hi,

according to the well-known netfilter schematic:
http://inai.de/images/nf-packet-flow.png
the "raw" table is processed before the "filter" table.

I tested it with some usual commands without problem:
    iptables --table raw --append PREROUTING --source 1.2.3.4 --jump REJECT
    iptables --table raw --append PREROUTING --in-interface lo --jump ACCEPT

- the packets are handled sooner, without the need to go though
  conntrack+mangle+nat+routing. So less CPU/memory stress (and in turn
  lightly compensated by the fact the iptable_raw module has to be
  loaded ?)
- only one rule in case the box is also a router (won't be ok for
  every rules, obviously) because there is no need to add the same rule
  for filter/forward

The documentations I found always describe the raw table to be used in
strict cases. But none give even the smallest justification.

--> Is there any reasons not to use the raw table, apart dogmatic ones ?

next             reply	other threads:[~2015-11-18 21:47 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-18 21:47 David TAILLANDIER - DIGI VALUE [this message]
2015-11-19  0:17 ` "raw" table versus "filter" table Neal P. Murphy
2015-11-19  8:10 ` Pascal Hambourg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=564CF1D6.9000709@digi-value.fr \
    --to=david.taillandier@digi-value.fr \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox