conntrack -E -i not allowed?

Alan Ezust alan.ezust at
Thu Nov 9 17:52:10 CET 2006

Thanks for the reply. Ok, I can see how I can generate some IDs, but I first 
want to make sure i have all of the information I need.

When I run conntrack, I only see one protocol number. I think it is a layer4 
protocol (tcp vs udp). If I'm not seeing an l3proto in my output, why might 
that be?

udp      17 12 src= dst= sport=54475 dport=53 
src= dst= sport=53 dport=54475 use=1 mark=0
tcp      6 420332 ESTABLISHED src= dst= sport=1356 
dport=5432 src= dst= sport=5432 dport=1356 [ASSURED] 
use=1 mark=0

On Wednesday 08 November 2006 11:29, Pablo Neira Ayuso wrote:
> Alan Ezust wrote:
> > We need to be able to determine when we get an UPDATE or a DISCONNECT,
> > which connections they correspond to. I assumed that was the purpose of
> > the CT id.
> The purpose was to uniquely identify a connection but we currenlty
> assume that the tuple {src, portsrc, dst, portdst, l3protonum, protonum}
> is enough.
> > Why are you removing it?

Alan Ezust  
Presinet, inc         alan.ezust at
           Victoria, BC,Canada
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20061109/85baabfd/attachment.pgp

More information about the netfilter mailing list