Will --state NEW,ESTABLISHED,RELATED matches everything?
Nigel Morse
N.Morse@hyperknowledge.com
Tue, 17 Jul 2001 09:11:08 +0100
> there is another state: INVALID ( meaning that the packet is associated
> with no known connection )
> so any packets iptables deems as being INVALID will at this point continue
> along the chain.

Which of course does beg the question of what becomes INVALID rather than
NEW, as I believe that if a connection is dropped from the table for some
reason, the next packet will be a NEW packet even if it only has the "ack"
bit set (in TCP).

The only case I've heard of so far for INVALID is if the connection table is
full and nothing can be dropped - what else matches as INVALID??

Cheers
Nigel
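
An added example, not part of the message above or of any project's own rules: a shell function that prints an iptables-restore ruleset in which each conntrack state discussed in this thread gets an explicit verdict, so INVALID packets and non-SYN packets classified NEW are logged and dropped instead of falling through the chain. The interface name, log prefixes and the SSH port are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print a ruleset that gives every conntrack state an explicit
# verdict. Interface (default eth0), log prefixes and port 22 are assumptions.
emit_rules() {
    iface="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# 1. INVALID is not matched by NEW,ESTABLISHED,RELATED: log it, then drop it.
-A INPUT -i $iface -m state --state INVALID -j LOG --log-prefix "INVALID: "
-A INPUT -i $iface -m state --state INVALID -j DROP
# 2. TCP packets classified NEW that are not a SYN (for example ACK only).
-A INPUT -i $iface -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW-not-SYN: "
-A INPUT -i $iface -p tcp ! --syn -m state --state NEW -j DROP
# 3. Replies and related flows of connections already in the table.
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. Genuinely new connections: only SSH here (constructed sample service).
-A INPUT -i $iface -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset only; nothing is loaded into the kernel by this script.
emit_rules "${1:-eth0}"
```

The output can be syntax-checked as root with `iptables-restore --test` before loading it; the two LOG prefixes then show in the kernel log which packets were classified INVALID and which were NEW without SYN.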