conntrack -E -i not allowed?

Pablo Neira Ayuso pablo at netfilter.org
Thu Nov 9 18:10:05 CET 2006


Alan Ezust wrote:
> Thanks for the reply. Ok, I can see how I can generate some IDs, but I first 
> want to make sure i have all of the information I need.
> 
> When I run conntrack, I only see one protocol number. I think it is a layer4 
> protocol (tcp vs udp). If I'm not seeing an l3proto in my output, why might 
> that be?
> 
> udp      17 12 src=10.10.201.2 dst=204.174.64.1 sport=54475 dport=53 
> src=204.174.64.1 dst=209.53.156.2 sport=53 dport=54475 use=1 mark=0
> tcp      6 420332 ESTABLISHED src=10.10.100.3 dst=10.10.1.22 sport=1356 
> dport=5432 src=10.10.1.22 dst=10.10.100.3 sport=5432 dport=1356 [ASSURED] 
> use=1 mark=0

Are you using nf_conntrack? If so, l3protonum is not shown yet but it
would not be hard to cook a patch to show it. I'll introduce this change
in the new libnetfilter_conntrack API.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris



More information about the netfilter mailing list