On Jan 20 2008 14:15, Patrick McHardy wrote:
>>
>> > I also don't think the protocol
>> > check is very useful in this case since all conntrack entries contain
>> > port numbers or something similar.
>>
>> Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?
>
> Sure, by proto_generic, which uses 0 for the port numbers.

See, that's another case why we have to explicitly list the protocols.
Just consider a stupid invocation of iptables:

	-m conntrack --ctorigport 0

I'd rather not let that match IPv4-in-IPv4 or so.

>> The protocol check is important though, because IPPROTO_GRE is
>> _not_ included, since it's not something that has a port.
>
> It has the keys, which are also just a numerical value. Don't
> think of it as ports but as "layer 4 protocol keys".
>

But do these keys actually get modified in NAT?
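The point under discussion, as an added illustration that is not code from the kernel, from xtables or from anyone on this thread: a small C model of a conntrack original-direction tuple and of a port match that either does or does not restrict itself to port-carrying protocols. Since proto_generic fills the tuple's port fields with 0, a rule for port 0 without a protocol check matches the IPv4-in-IPv4 and IPv6-in-IPv4 entries, and a rule for 0x1234 matches a GRE entry whose key happens to be 0x1234. The struct layout, the set of protocols treated as port-carrying, the comparison against both original keys and the sample table are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_* constants */

/* Fallbacks for protocol numbers that older libc headers may lack. */
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
#ifndef IPPROTO_UDPLITE
#define IPPROTO_UDPLITE 136
#endif
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif

/* Hypothetical stand-in for a conntrack original-direction tuple (not the kernel's struct). */
struct ct_tuple {
    uint8_t  protonum;   /* L4 protocol number */
    uint16_t src_key;    /* "layer 4 protocol key": TCP/UDP port, GRE key, 0 for generic */
    uint16_t dst_key;
};

/* Constructed sample table standing in for live conntrack entries (not captured data). */
static const struct ct_tuple sample_entries[] = {
    { IPPROTO_UDP,  40000,  53     },  /* DNS query */
    { IPPROTO_TCP,  50000,  22     },  /* SSH session */
    { IPPROTO_IPIP, 0,      0      },  /* IPv4-in-IPv4: proto_generic, keys are 0 */
    { IPPROTO_IPV6, 0,      0      },  /* IPv6-in-IPv4: likewise generic */
    { IPPROTO_GRE,  0x1234, 0x1234 },  /* GRE: key fields hold the GRE key, not a port */
};
#define N_SAMPLE (sizeof sample_entries / sizeof sample_entries[0])

/* Assumed list of protocols whose tuple keys really are port numbers. */
static bool proto_has_ports(uint8_t protonum)
{
    switch (protonum) {
    case IPPROTO_TCP:
    case IPPROTO_UDP:
    case IPPROTO_UDPLITE:
    case IPPROTO_SCTP:
    case IPPROTO_DCCP:
        return true;
    default:
        return false;   /* GRE keys, ICMP fields and proto_generic zeros are not ports */
    }
}

/* Model of a port test on the original tuple: with check_proto the rule never
 * matches an entry whose protocol has no ports, whatever value its keys hold. */
bool ctorigport_matches(uint16_t port, bool check_proto, const struct ct_tuple *orig)
{
    if (check_proto && !proto_has_ports(orig->protonum))
        return false;
    return orig->src_key == port || orig->dst_key == port;
}

/* Number of sample entries a rule for `port` would match. */
int count_matches(uint16_t port, bool check_proto)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (ctorigport_matches(port, check_proto, &sample_entries[i]))
            n++;
    return n;
}

int main(void)
{
    printf("port 0,      no proto check: %d entries\n", count_matches(0, false));
    printf("port 0,      proto check:    %d entries\n", count_matches(0, true));
    printf("port 0x1234, no proto check: %d entries\n", count_matches(0x1234, false));
    printf("port 0x1234, proto check:    %d entries\n", count_matches(0x1234, true));
    return 0;
}
```

Without the protocol check, port 0 matches the two tunnel entries and 0x1234 matches the GRE entry; with it, both rules match nothing, while ordinary TCP/UDP rules are unaffected.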