On Sunday 2008-10-05 04:51, Christoph Paasch wrote:

>Hello,
>
>>
>> Read the really-really-really-nice manpage (which has gotten so much care
>> from me). I mean, hey, it's directly below --ctstate! :-)
>>
>> [!] --ctproto l4proto
>> Layer-4 protocol to match (by number or name)
>
>Hmm... so, you mean that the established connection doesn't make
>the difference between the different protocols, as long as those
>aren't specified with "--ctproto".

Correct, -m conntrack is naturally protocol-independent. You can use
either -p tcp or --ctproto tcp to check for protocol-specific parts.
Note that -p and --ctproto have different meanings, but I have yet to
see a connection tracker that puts, say, non-tcp packets into a tcp
connection.

>So, if I got an established TCP-connection, I can run any other protocol
>(UDP, ... and in particular shim6 ;-) in any direction. And also on any port
>number?

You will never see the SHIM layer if you are doing filtering at
layer-3 (which is what ip6tables does).

>Sorry, but I think that it's not clear what is stored in the state of a
>connection, if the iptables rule doesn't specify the protocol, portnumber,

connection = (srcip, dstip, l4stuff)
l4stuff#tcp = (srcport, dstport)
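As an added illustration (not from the thread or from netfilter itself), a small Python model of the matching semantics discussed above: a rule carrying only --ctstate ESTABLISHED accepts a tracked flow of any L4 protocol, while adding --ctproto tcp (or -p tcp) narrows it. The connection tuple follows the definition at the end of the reply; the addresses, ports and chain policy are constructed.

```python
# Model of how an `-m conntrack` rule evaluates against the tracked
# connection a packet belongs to. Tuple layout follows the thread:
#   connection = (srcip, dstip, l4stuff); for tcp, l4stuff = (srcport, dstport)
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    srcip: str
    dstip: str
    proto: str            # L4 protocol the tracker filed this flow under
    l4stuff: Tuple        # (srcport, dstport) for tcp/udp
    ctstate: str          # NEW / ESTABLISHED / RELATED


@dataclass(frozen=True)
class Rule:
    ctstate: frozenset                 # --ctstate values the rule accepts
    ctproto: Optional[str] = None      # --ctproto: protocol of the conntrack entry
    proto: Optional[str] = None        # -p: protocol of the packet itself
    target: str = "ACCEPT"


def rule_matches(rule: Rule, conn: Conn, pkt_proto: str) -> bool:
    """Every match option present on the rule must hold for the rule to fire."""
    if conn.ctstate not in rule.ctstate:
        return False
    if rule.ctproto is not None and conn.proto != rule.ctproto:
        return False
    if rule.proto is not None and pkt_proto != rule.proto:
        return False
    return True


def verdict(chain: List[Rule], conn: Conn, pkt_proto: str, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the policy."""
    for rule in chain:
        if rule_matches(rule, conn, pkt_proto):
            return rule.target
    return policy


# Constructed conntrack entries: one tracked TCP flow and one tracked UDP flow.
TCP_CONN = Conn("2001:db8::1", "2001:db8::2", "tcp", (40000, 22), "ESTABLISHED")
UDP_CONN = Conn("2001:db8::1", "2001:db8::2", "udp", (50000, 5353), "ESTABLISHED")

# Loose chain: ESTABLISHED/RELATED with no protocol qualifier, as in the thread.
LOOSE = [Rule(frozenset({"ESTABLISHED", "RELATED"}))]
# Tight chain: the same state match restricted to tcp conntrack entries.
TIGHT = [Rule(frozenset({"ESTABLISHED", "RELATED"}), ctproto="tcp")]

if __name__ == "__main__":
    for name, chain in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, "tcp:", verdict(chain, TCP_CONN, "tcp"),
              "udp:", verdict(chain, UDP_CONN, "udp"))
```

The loose chain accepts both tracked flows; the tight chain accepts only the TCP one and lets the UDP flow fall through to the chain policy.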