Florian Weimer <fw@deneb.enyo.de> writes:
>
> Is this extremely important application of the PREROUTING chain
> documented somewhere? Should I feel embarrassed? 8-)
No, I haven't seen it documented explicitly. It's just a fortunate
side effect of the fact that the DROP target can be used anywhere and
there's a fairly general-purpose table ("mangle") that has a
PREROUTING chain.
There's no particular reason for the "filter" table *not* to implement
PREROUTING and POSTROUTING chains (at least not that I can see) except
for a very small performance hit. I guess no one thought there'd be
much of a use for them. And it would break the nice rule of thumb
that a packet only passes through one of the three chains of the
"filter" table (not counting packets throught the loopback interface
which pass through OUTPUT then back through INPUT).
-- Kevin <buhr@telus.net> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Apr 07 2003 - 22:00:16 EST