[Bug 1497] New: conntrack manpage mentions confirmation point at the postrouting hook, does not explain path packet takes
bugzilla-daemon at netfilter.org
Tue Feb 9 13:48:02 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1497
Bug ID: 1497
Summary: conntrack manpage mentions confirmation point at the
postrouting hook, does not explain path packet takes
Product: conntrack-tools
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: enhancement
Priority: P5
Component: conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: mhoermann at gmail.com
In the description of the unconfirmed table the conntrack(8) manpage mentions:

    unconfirmed:
    This table shows new entries that are not yet inserted into the
    conntrack table. These entries are attached to packets that are
    traversing the stack, but did not reach the confirmation point
    at the postrouting hook.
It would be very useful to have a paragraph or two in general in the manpage
explaining at which points in the packet's traversal of the kernel network code
the conntrack code does something actively, particularly in relation to the
iptables tables and chains (and possible nft equivalents of course, I don't
know nft yet).
From a lot of guesswork it seems any mention of -m conntrack or -j CT in
iptables rules enables connection tracking of any packets, whether they
traverse that chain or not?
Then my guess would be that the postrouting hook mentioned here is after the
nat table's POSTROUTING chain and not the mangle table's one?
It might also be useful to clarify in the iptables(8) manpage in which order
those two are actually processed relative to one another as they both mention
"altering packets as they are about to go out".
It would also be useful to know under which circumstances something is inserted
in that unconfirmed table and when (e.g. before raw PREROUTING/OUTPUT?, only
for new connections or for all packets?...).