<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - CT target unclear"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1496">1496</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>CT target unclear
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Gentoo
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mhoermann@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>In the CT target section of the iptables-extensions(8) manpage it says:
--ctevents event[,...]
Only generate the specified conntrack events for this
connection. Possible event types are: new, related, destroy, reply, assured,
protoinfo, helper, mark (this refers to the ctmark, not nfmark),
natseqinfo, secmark (ctsecmark).
--expevents event[,...]
Only generate the specified expectation events for this
connection. Possible event types are: new.
It would be useful to have at least a short description of each event type,
similar to the ones we can find in the comments in the kernel source code, next
to the enum it seems to be based on, in
include/uapi/linux/netfilter/nf_conntrack_common.h:
/* Connection tracking event types */
enum ip_conntrack_events {
IPCT_NEW, /* new conntrack */
IPCT_RELATED, /* related conntrack */
IPCT_DESTROY, /* destroyed conntrack */
IPCT_REPLY, /* connection has seen two-way traffic */
IPCT_ASSURED, /* connection status has changed to assured */
IPCT_PROTOINFO, /* protocol information has changed */
IPCT_HELPER, /* new helper has been set */
IPCT_MARK, /* new mark has been set */
IPCT_SEQADJ, /* sequence adjustment has changed */
IPCT_NATSEQADJ = IPCT_SEQADJ,
IPCT_SECMARK, /* new security mark has been set */
IPCT_LABEL, /* new connlabel has been set */
IPCT_SYNPROXY, /* synproxy has been set */
#ifdef __KERNEL__
__IPCT_MAX
#endif
};
It would also be good to clarify what "generating events" means; from my
surface inspection of the code it seems to mean events for userspace, not
events that affect the conntrack tables themselves, but I might be wrong about
that.
In particular it would be good to make it clear what the distinction between
generating only some events here and limiting tracking with -m conntrack
--ctstate ... -j CT --notrack or -m conntrack --ctstatus ... -j CT --notrack
is for the same state/status/event name (e.g. new for --ctstate and assured
for --ctstatus).</pre>
</div>
</p>
</body>
</html>