Edgar Fuß <ef%math.uni-bonn.de@localhost> writes: >> However, my original question (order of ipf, ipnat and bpf) is still open. > I'm still lacking an answer and am wondering why. > Nobody knows? Very unlikely. > So simple that everyone thinks someone else has answered privately? No. > No-one understands my question? > > On a machine using both IPFilter and NAT and a process using BPF (think tcpdump), > for a frame arriving on an outbound network interface: In which order will that > frame be seen/processed by ipf, ipnat and bpf? > Same for a frame sent via an outbound network interface. I think it's because nobody is really sure, and the way to find out is to read the sources, and you might was well do that yourself. Find the driver you are using, and start reading the receive processing. Look for bpf_mtap or however that is spelled these days and the pfil_hooks calls. That should resolve bpf vs ipf/ipnat. IMHO bpf should happen first, basically the raw packet on receipt, and if not that feels like a bug. As for ipf/nat, that's a question for the ipfilter docs, or the code. But ipf is deprecated, and I suspect the people who knew things like that have mostly moved to npf.
Attachment:
signature.asc
Description: PGP signature