I believe the reason they put SNAT at the end is that when we're about to
send out we no longer care what the source address is, but before that we do,
and changing it early would overwrite fields the rest of the network stack is
still using. (Same reason dnat happens first thing. If we redirect it, we
want the rest of the network stack to use the NEW destination, and among
other things send it out the right interface...)
Principle of "least amount of new code". (Laziness IS one of Larry Wall's
Seven Deadly Virtues in programmers...)
> There is one other problem with rp_filter.... rp_filter violations are
> S I L E N T. You never know when traffic is dropped because of it. Packets
> just disappear.
>
> If it generated printk's it would make it a lot easier to track down
> filtering problems.
There is a logging option, but it needs a lot of extra knobs if you ask me.
(Logging to a file would be nice. I suspect there's a way to do that but I
couldn't find it circa 2.4.3, which is the last time I gave it much thought.
Also "log if last rule triggered". Haven't been bothered enough to break
open the source other than for debugging purposes, though...)
> -Dan
Rob
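The logging option referred to above is the `log_martians` sysctl, which makes the kernel print a "martian source" line for each packet that fails the reverse-path check. The following script is an added example, not code from the thread: it parses such lines (the sample dmesg text is constructed, and the `IPv4:` prefix is assumed since older kernels omit it) and tallies drops per interface and source address, so the otherwise silent rp_filter drops can be traced to a specific route.

```python
import re
from collections import Counter

# Constructed dmesg excerpt. The "martian source ... from ..., on dev ..."
# line is what the kernel emits when log_martians is enabled; the "ll header"
# line that follows it and the unrelated NIC line are there as noise.
SAMPLE_DMESG = """\
[ 1234.567890] IPv4: martian source 10.0.0.5 from 192.168.1.7, on dev eth0
[ 1234.567901] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
[ 1240.000001] IPv4: martian source 10.0.0.6 from 192.168.1.7, on dev eth0
[ 1300.123456] IPv4: martian source 192.168.2.1 from 10.1.1.1, on dev eth1
[ 1301.000000] e1000: eth0 NIC Link is Up 1000 Mbps
"""

# search() rather than match() so the timestamp and any "IPv4:" prefix do not
# matter; "from" is the packet's source, "martian source" names its destination.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)"
)


def parse_martians(text):
    """Return one (src, dst, dev) tuple per martian-source log line."""
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["dev"]))
    return events


def summarize(events):
    """Count drops per (interface, source address).

    A high count for one pair usually means the route back to that source
    does not go out the interface the packets arrive on, which is exactly
    what rp_filter rejects.
    """
    return Counter((dev, src) for src, _dst, dev in events)


def rp_filter_knobs(events):
    """Sysctl names to inspect for each interface that logged a drop."""
    devs = sorted({dev for _src, _dst, dev in events})
    return ["net.ipv4.conf.%s.rp_filter" % dev for dev in devs]


if __name__ == "__main__":
    found = parse_martians(SAMPLE_DMESG)
    for (dev, src), n in summarize(found).most_common():
        print("%s: %d packet(s) from %s dropped by reverse-path check" % (dev, n, src))
    print("check:", ", ".join(rp_filter_knobs(found)))
```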