Questions on state
Jason Opperisano
opie at 817west.com
Mon Mar 14 02:42:15 CET 2005
On Sun, 2005-03-13 at 19:23, Jeff Simmons wrote:
> Sorry to bother anyone, but I'm new to iptables, and I'm debugging a working
> production machine, so I can't really test things too much. :-(
>
> Is a connection ONLY added to the state table when the first packet matches a
> rule that contains the --state NEW directive, or can it happen in some other
> way?
connections begin getting added to the conntrack table as soon as the
ip_conntrack module is loaded.
> When --state INVALID is matched, is it done only on the source and destination
> addresses and ports, or is something else also involved?
if the tcp_window_tracking patch is applied--sequence and acknowledgment
numbers are also examined.
> Are NAT 'states' available for examination anywhere, like
> /proc/net/ip_conntrack?
yes.
-j
--
"Mr. Simpson, why are you here?
Don't say revenge! Don't say revenge!
Revenge?
That's it! I'm outta here!"
--The Simpsons
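A worked example for the last question above, added here and not part of the original thread: a small Python parser over constructed /proc/net/ip_conntrack lines (the 2.4-era text layout, with original and reply tuples on one line, is an assumption) that tells NAT'd entries apart by checking whether the reply tuple is the exact mirror of the original tuple.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack text layout (assumption).
# Entry 1 is SNAT'd: the reply tuple points at 198.51.100.1, not the original
# source 192.168.1.10. Entries 2 and 3 are plain, un-NAT'd flows.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45678 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=45678 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.11 dst=203.0.113.5 sport=40001 dport=443 [UNREPLIED] src=203.0.113.5 dst=192.168.1.11 sport=443 dport=40001 use=1
udp      17 29 src=192.168.1.12 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.12 sport=53 dport=5353 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
KEYS = ("src", "dst", "sport", "dport")


def parse_line(line):
    """Return a dict for one conntrack line, or None if it does not parse."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(fields) < 4 or len(tuples) != 2:
        return None
    proto = fields[0]
    orig, reply = (dict(zip(KEYS, t)) for t in tuples)
    # Only TCP lines carry a textual state (ESTABLISHED, SYN_SENT, ...).
    state = fields[3] if proto == "tcp" else None
    # Without NAT the reply tuple mirrors the original tuple exactly; any
    # difference on the reply's destination side means the source was
    # rewritten (SNAT), on the reply's source side the destination (DNAT).
    nat = []
    if reply["dst"] != orig["src"] or reply["dport"] != orig["sport"]:
        nat.append("SNAT")
    if reply["src"] != orig["dst"] or reply["sport"] != orig["dport"]:
        nat.append("DNAT")
    return {"proto": proto, "state": state, "orig": orig, "reply": reply,
            "nat": nat, "assured": "[ASSURED]" in line,
            "unreplied": "[UNREPLIED]" in line}


def parse_conntrack(text):
    """Parse every line of a conntrack table dump, skipping unparseable ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def nat_entries(text):
    """Return only the entries whose tuples show a NAT mapping."""
    return [e for e in parse_conntrack(text) if e["nat"]]
```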