Open ypid opened 9 years ago
Maybe you can try it again with this patch. I don’t see a reason why this should be slower.
I saw the comment in the code: `//using /mask caused 10+ second lag when calling iptables`. So the slowness had to do with this, not with `-o/-i lo`.
In a hypothetical situation (with this patch), when eth0 sends data to a 127.* address, lpfw will catch this packet and we don't want that. To mitigate, we would still need the original iptables rule (i.e. `-m iprange ...`), which makes this patch redundant.
Outbound: When I force eth0 to send a packet to 127.0.0.1 using packeth, which uses raw sockets, then iptables and conntrack are unaware of this: http://stackoverflow.com/questions/110341/tcp-handshake-with-sock-raw-socket.
Inbound: No, because eth0 normally has no 127.* address assigned, so the packet will never enter the INPUT chain in the filter table.
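The disagreement above is about which packets an `-o lo` match catches versus an `-m iprange --dst-range 127.0.0.0-127.255.255.255` match. The following is an added example, not code from the lpfw project or from anyone in this thread: it models the two match styles over a few constructed packets so the difference is visible without touching a live netfilter. It is a simplified simulation of iptables matching (only `-o`, `-d` and `iprange --dst-range` are understood) and it says nothing about raw-socket packets that bypass conntrack, which the thread discusses separately.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet as seen in the OUTPUT chain: egress interface plus destination."""
    out_iface: str
    dst: str


def parse_rule(spec: str):
    """Turn a small subset of iptables match syntax into a predicate on Packet.

    Supported (an assumption of this example, not the full iptables grammar):
      -o IFACE                      egress interface match
      -d CIDR                       destination network match
      -m iprange --dst-range A-B    destination in inclusive address range
    Every match in the spec must hold, as iptables ANDs matches within a rule.
    """
    tokens = spec.split()
    preds = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o":
            iface = tokens[i + 1]
            preds.append(lambda p, iface=iface: p.out_iface == iface)
            i += 2
        elif tok == "-d":
            net = ipaddress.ip_network(tokens[i + 1], strict=False)
            preds.append(lambda p, net=net: ipaddress.ip_address(p.dst) in net)
            i += 2
        elif tok == "-m" and i + 1 < len(tokens) and tokens[i + 1] == "iprange":
            i += 2  # module selector only; the real test follows as --dst-range
        elif tok == "--dst-range":
            lo, hi = (ipaddress.ip_address(a) for a in tokens[i + 1].split("-"))
            preds.append(lambda p, lo=lo, hi=hi: lo <= ipaddress.ip_address(p.dst) <= hi)
            i += 2
        else:
            raise ValueError(f"unsupported match token: {tok}")
    return lambda p: all(pred(p) for pred in preds)


def matches(spec: str, packet: Packet) -> bool:
    """True if the packet would be matched by a rule with the given match spec."""
    return parse_rule(spec)(packet)


# The two rule styles discussed in the thread.
LO_RULE = "-o lo"
IPRANGE_RULE = "-m iprange --dst-range 127.0.0.0-127.255.255.255"

# Constructed sample packets (not captured traffic).
NORMAL_LOOPBACK = Packet(out_iface="lo", dst="127.0.0.1")
ETH0_TO_LOOPBACK = Packet(out_iface="eth0", dst="127.0.0.1")  # the hypothetical case
ORDINARY_EGRESS = Packet(out_iface="eth0", dst="192.0.2.10")  # TEST-NET address


def compare_rules(packets=(NORMAL_LOOPBACK, ETH0_TO_LOOPBACK, ORDINARY_EGRESS)):
    """Return {(iface, dst): (matched_by_lo_rule, matched_by_iprange_rule)}."""
    return {
        (p.out_iface, p.dst): (matches(LO_RULE, p), matches(IPRANGE_RULE, p))
        for p in packets
    }


if __name__ == "__main__":
    for (iface, dst), (lo_hit, range_hit) in compare_rules().items():
        print(f"{iface:5} -> {dst:12}  -o lo: {lo_hit!s:5}  iprange 127/8: {range_hit}")
```

Running it shows the point made about the patch: the packet leaving eth0 for 127.0.0.1 is missed by `-o lo` but caught by the iprange rule, so an `-o lo` exemption on its own does not cover that case, while both rules agree on ordinary loopback and ordinary egress traffic.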