conntrack -E -i not allowed?

Alan Ezust alan.ezust at presinet.com
Thu Nov 9 17:52:10 CET 2006


Thanks for the reply. Ok, I can see how I can generate some IDs, but I first 
want to make sure I have all of the information I need.

When I run conntrack, I only see one protocol number. I think it is a layer-4 
protocol (tcp vs udp). If I'm not seeing an l3proto in my output, why might 
that be?

udp      17 12 src=10.10.201.2 dst=204.174.64.1 sport=54475 dport=53 src=204.174.64.1 dst=209.53.156.2 sport=53 dport=54475 use=1 mark=0
tcp      6 420332 ESTABLISHED src=10.10.100.3 dst=10.10.1.22 sport=1356 dport=5432 src=10.10.1.22 dst=10.10.100.3 sport=5432 dport=1356 [ASSURED] use=1 mark=0


On Wednesday 08 November 2006 11:29, Pablo Neira Ayuso wrote:
> Alan Ezust wrote:
> > We need to be able to determine when we get an UPDATE or a DISCONNECT,
> > which connections they correspond to. I assumed that was the purpose of
> > the CT id.
>
> The purpose was to uniquely identify a connection but we currently
> assume that the tuple {src, portsrc, dst, portdst, l3protonum, protonum}
> is enough.
>
> > Why are you removing it?
>
> http://lists.netfilter.org/pipermail/netfilter-devel/2005-June/019923.html

-- 
Alan Ezust            www.presinet.com
Presinet, inc         alan.ezust at presinet.com
           Victoria, BC,Canada
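As an added example (not code from this thread or from the conntrack tool itself), a small Python parser that reads the two table entries quoted above, takes the original-direction tuple {src, sport, dst, dport, l3protonum, protonum} from Pablo's reply as the connection key, and matches a constructed event line back to its table entry even though the timeout and state fields differ. Two assumptions are labelled in the code: the missing l3protonum is inferred from the address family (PF_INET=2, PF_INET6=10 on Linux), and event lines are assumed to carry a "[UPDATE] " style prefix.

```python
import ipaddress
import re

# Constructed sample: the two entries quoted in the mail, rejoined onto one
# line each (the mail client wrapped them).
SAMPLE_TABLE = """\
udp      17 12 src=10.10.201.2 dst=204.174.64.1 sport=54475 dport=53 src=204.174.64.1 dst=209.53.156.2 sport=53 dport=54475 use=1 mark=0
tcp      6 420332 ESTABLISHED src=10.10.100.3 dst=10.10.1.22 sport=1356 dport=5432 src=10.10.1.22 dst=10.10.100.3 sport=5432 dport=1356 [ASSURED] use=1 mark=0
"""

# Assumption: l3protonum is the Linux address family (PF_INET=2, PF_INET6=10).
L3PROTONUM = {4: 2, 6: 10}
KV = re.compile(r"(\w+)=(\S+)")
EVENT = re.compile(r"^\[(\w+)\]\s+")  # assumed "[UPDATE] " style event prefix

def parse_entry(line):
    """Split one conntrack line into event, protocol numbers and both tuples."""
    m = EVENT.match(line)
    event = m.group(1) if m else None
    body = line[m.end():] if m else line
    fields = body.split()
    protoname, protonum = fields[0], int(fields[1])
    orig, reply = {}, {}
    for key, value in KV.findall(body):
        if key in ("src", "dst", "sport", "dport"):
            # first occurrence of a key is the original direction, second the reply
            (orig if key not in orig else reply)[key] = value
    # l3proto is not printed, so infer it from the address family of the tuple
    l3protonum = L3PROTONUM[ipaddress.ip_address(orig["src"]).version]
    return {"event": event, "protoname": protoname, "protonum": protonum,
            "l3protonum": l3protonum, "orig": orig, "reply": reply,
            "assured": "[ASSURED]" in fields}

def conntrack_key(entry):
    """The identifying tuple {src, sport, dst, dport, l3protonum, protonum}."""
    o = entry["orig"]
    return (o["src"], int(o["sport"]), o["dst"], int(o["dport"]),
            entry["l3protonum"], entry["protonum"])

def build_table(text):
    """Index a table dump by tuple so later events can be matched to entries."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return {conntrack_key(e): e for e in entries}

def match_event(table, event_line):
    """Return the table entry an event line refers to, or None if unknown."""
    return table.get(conntrack_key(parse_entry(event_line)))
```

The timeout, state and [ASSURED] fields are deliberately left out of the key, so an UPDATE or DESTROY for a known connection lands on the same entry as the original dump line.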