<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CT target unclear"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1496">1496</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CT target unclear

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>iptables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>x86_64

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Gentoo

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>iptables

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>netfilter-buglog@lists.netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>mhoermann@gmail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>In the CT target section in the iptables-extension(8) manpage it says

       --ctevents event[,...]

              Only  generate  the  specified conntrack events for this

connection. Possible event types are: new, related, destroy, reply, assured,

protoinfo, helper, mark (this refers to the ctmark, not nf‐

              mark), natseqinfo, secmark (ctsecmark).

       --expevents event[,...]

              Only generate the specified expectation events for this

connection.  Possible event types are: new.

It would be useful to have at least a short description for each event types,

similar to the one we can find in the comments in the kernel source code with

the enum it seems to be based on in

include/uapi/linux/netfilter/nf_conntrack_common.h

/* Connection tracking event types */

enum ip_conntrack_events {

        IPCT_NEW,               /* new conntrack */

        IPCT_RELATED,           /* related conntrack */

        IPCT_DESTROY,           /* destroyed conntrack */

        IPCT_REPLY,             /* connection has seen two-way traffic */

        IPCT_ASSURED,           /* connection status has changed to assured */

        IPCT_PROTOINFO,         /* protocol information has changed */

        IPCT_HELPER,            /* new helper has been set */

        IPCT_MARK,              /* new mark has been set */

        IPCT_SEQADJ,            /* sequence adjustment has changed */

        IPCT_NATSEQADJ = IPCT_SEQADJ,

        IPCT_SECMARK,           /* new security mark has been set */

        IPCT_LABEL,             /* new connlabel has been set */

        IPCT_SYNPROXY,          /* synproxy has been set */

#ifdef __KERNEL__

        __IPCT_MAX

#endif

};

It would also be good to clarify what "generating events" means, from my

surface inspection of the code it seems to mean events for userspace, not

events that affect the conntrack tables themselves but I might be wrong about

that.

In particular it would be good to make it clear what the distinction between

generating only some events here and limiting tracking with -m conntrack

--ctstate ... -j CT --notrack or -m conntrack --ctstatus ... -j CT --notrack

are for the same state/status/event name (e.g. new for --ctstate and assured

for --ctstatus).</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>