Re: UDP entries do not list ctstate

Hi Jan,

Jan Engelhardt wrote:
> to figure out what Netfilter actually does, we add a rule to match 
> incoming DNS replies for demonstrational purposes:
> 
> 	iptables -I INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED
> 
> as one would expect, ESTABLISHED matches. Now, after the DNS reply has 
> been received, running `conntrack -L | grep udp` does not show the 
> string "ESTABLISHED" at all, even if I run it within the UDP conntrack 
> timeout. Glitch/Bug in /usr/sbin/conntrack?

The output is compatible with /proc/net/ip_conntrack which doesn't show
the generic states for UDP. Instead, it shows the flag assured when we
have seen traffic in both directions.

BTW, you can also use `conntrack -L -p udp' to filter so you don't need
to use grep for this particular case.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
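As an added example (not code from this thread or from the conntrack tool): a small Python parser for `conntrack -L` entries that reads the `[UNREPLIED]`/`[ASSURED]` flags and reconstructs the generic ctstate that the listing does not print for UDP. The sample lines are constructed, in the /proc/net/ip_conntrack-compatible format the reply refers to.

```python
import re

# Header of an entry: "udp      17 29 " or "tcp      6 431999 ESTABLISHED ".
# Only TCP prints a layer-4 state word; for UDP the next token is "src=".
_HEAD = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<l4state>[A-Z_]+)\s+)?")
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
_FLAG = re.compile(r"\[(UNREPLIED|ASSURED)\]")

# Constructed sample output (not captured from a real system).
SAMPLE_LINES = [
    "udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 "
    "src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 [ASSURED] mark=0 use=1",
    "udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=40001 dport=53 [UNREPLIED] "
    "src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40001 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51000 dport=443 "
    "src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51000 [ASSURED] mark=0 use=1",
]


def parse_conntrack_line(line):
    """Parse one `conntrack -L` entry into a dict; raises ValueError on junk."""
    m = _HEAD.match(line.strip())
    tuples = _TUPLE.findall(line)
    if not m or len(tuples) != 2:
        raise ValueError("not a conntrack -L entry: %r" % line)
    flags = set(_FLAG.findall(line))
    return {
        "proto": m.group("proto"),
        "timeout": int(m.group("timeout")),
        "l4state": m.group("l4state"),      # None for UDP, as the reply explains
        "orig": tuples[0],                  # (src, dst, sport, dport) as first seen
        "reply": tuples[1],                 # expected reply tuple
        "seen_reply": "UNREPLIED" not in flags,  # [UNREPLIED] means no reply yet
        "assured": "ASSURED" in flags,      # set for UDP once both directions were seen
    }


def ctstate_for(entry, direction):
    """Generic state `-m conntrack --ctstate` would give the next packet of this
    flow; direction is "orig" or "reply"."""
    if direction == "reply":
        # A packet in the reply direction of a tracked flow is always ESTABLISHED,
        # which is why the --sport 53 rule in the thread matched the DNS reply.
        return "ESTABLISHED"
    return "ESTABLISHED" if entry["seen_reply"] else "NEW"


if __name__ == "__main__":
    for e in map(parse_conntrack_line, SAMPLE_LINES):
        print(e["proto"], e["orig"][3], "assured=%s" % e["assured"],
              "orig->", ctstate_for(e, "orig"), "reply->", ctstate_for(e, "reply"))
```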