On Tue, 21 Nov 2006, Bob Beers wrote:
<after a little googling ...> I guess you mean this: <http://www.netfilter.org/projects/conntrack/index.html> and/or this: <http://www.netfilter.org/projects/libnetfilter_conntrack/index.html>
Yep.
But, I wonder, is there a shortcut to the behavior I want through iptables --ctstatus and friends?
Not really. Even if you match the packet with --ctstate, I don't believe there is any iptables target that would delete the connection of the current packet (and presumably drop the packet?). Even if you could, you'd still have to wait for the next packet to come along and set up a new connection entry, so there's no advantage over deleting the connection with a userspace tool, and it would be a terrible hack.
Alexey

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc