<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - conntrack manpage mentions confirmation point at the postrouting hook, does not explain path packet takes"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1497">1497</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>conntrack manpage mentions confirmation point at the postrouting hook, does not explain path packet takes
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>conntrack-tools
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Gentoo
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>conntrack
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>netfilter-buglog@lists.netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mhoermann@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In the description of the unconfirmed table the conntrack(8) manpage mentions

       unconfirmed:
              This table shows new entries, that are not yet inserted into the
conntrack table. These entries are attached to packets that are traversing the
stack, but did not reach the  confirmation  point
              at the postrouting hook.

It would be very useful to have a paragraph or two in general in the manpage
explaining at which points in the packet's traversal of the kernel network code
the conntrack code does something actively, particularly in relation to the
iptables tables and chains (and possible nft equivalents of course, I don't
know nft yet).

From a lot of guesswork it seems any mention of -m conntrack or -j CT in
iptables rules enables connection tracking of any packets, whether they
traverse that chain or not?

Then my guess would be that the postrouting hook mentioned here is after the
nat table's POSTROUTING chain and not the mangle table's one?

It might also be useful to clarify in the iptables(8) manpage in which order
those two are actually processed relative to one another as they both mention
"altering packets as they are about to go out".

It would also be useful to know under which circumstances something is inserted
in that unconfirmed table and when (e.g. before raw PREROUTING/OUTPUT?, only
for new connections or for all packets?...).</pre>
        </div>
      </p>
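<p>The chain ordering the report asks about can be made visible with an nftables ruleset that registers one chain per hook priority and traces a packet through them. The ruleset below is an added example, not part of the bug report or of conntrack-tools; the priority numbers are the kernel's standard NF_IP_PRI_* hook priorities, and the interface name "eth0" and port 9999 are placeholders.</p>

```nft
# Added example; not from conntrack-tools or the bug report.
# Netfilter hook priorities (NF_IP_PRI_*), lowest runs first:
#   raw -300 < conntrack -200 < mangle -150 < dstnat -100 < filter 0
#   < security 50 < srcnat 100 < conntrack confirm (INT_MAX, always last)
# The conntrack hook at -200 (prerouting/output) does the lookup and, for a
# packet with no existing entry, attaches a new unconfirmed entry; the confirm
# hook at the very end of postrouting (and input, for local delivery) moves
# that entry into the conntrack table. "eth0" and port 9999 are placeholders.
table inet trace_ct {
    chain pre_raw {
        # raw (-300) is the only prerouting position before the conntrack hook,
        # hence the only place where notrack can prevent an entry being created.
        type filter hook prerouting priority raw; policy accept;
        tcp dport 9999 notrack
        meta nftrace set 1
    }
    chain pre_mangle {
        # mangle (-150) runs after the conntrack hook, so ct state is usable here.
        type filter hook prerouting priority mangle; policy accept;
        ct state new counter
    }
    chain post_mangle {
        # postrouting mangle (-150) runs before srcnat (100) ...
        type filter hook postrouting priority mangle; policy accept;
        ct state new counter
    }
    chain post_srcnat {
        # ... and srcnat runs after it; confirmation happens after this chain.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

<p>Load it with <code>nft -f trace_ct.nft</code>, run <code>nft monitor trace</code> in another terminal, and send traffic through the host: the trace output names each chain as the packet enters it, so post_mangle is listed before post_srcnat, and a packet to port 9999 hit by the notrack rule carries no conntrack state in the later chains.</p>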
    </body>
</html>