From: Mark Butler <[EMAIL PROTECTED]>
Date: Fri, 24 Mar 2006 22:37:26 -0700

> On a more general note, I find the idea that a current dst entry doesn't 
> actually reflect the interface (even a logical interface) and nexthop 
> that will be used to deliver a packet a little disturbing.  It would 
> seem to me that any filter that is going to re-route a packet to a 
> different address or a different interface should be a logical device 
> (with its own IP address) or logical interface, respectively.   
> Otherwise what is going on is completely invisible to the transport 
> protocol, as well as users of tools like traceroute.

Welcome to firewalls and NAT.

You don't know anything until the packet is examined by the filter,
because it's impossible to know what rule would be matched until the
packet is actually built, since the rule matching is on packet
contents (such as the source and destination IP addresses, and source
and destination ports, but more obscure matching is also possible, like
matching by TOS or other IP header flags).