On Tuesday 2009-02-10 10:06, Christoph Paasch wrote:

>On Tue February 10 2009, Husnu Demir wrote:
>>
>> I forgot to add that support :) But xt_state should not be seen if
>> nf_conntrack_ipv4 is not selected on the kernel config. It is useless
>> without nf_conntrack_ipv4 support.
>
>Well, xt_state doesn't depend on nf_conntrack_ipv4, it can also use
>nf_conntrack_ipv6 or any other module you write yourself. The thing is that
>without nf_conntrack_ipv4 (or *_ipv6), it uses nf_conntrack_l3proto_generic,
>which won't be tracked, because get_l4proto(...) returns -NF_ACCEPT.

It [Xtables kernel code] will not use l3proto_generic, because

	if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
		       "proto=%u\n", par->match->family);
		return false;
	}

already catches the "mistake" (of having forgotten to build the
_ipv4/_ipv6 module), and returns EINVAL to userspace.

In other words: always look into dmesg for messages!

Only nf_conntrack will use l3proto_generic, but nf_conntrack is
independent of Xtables ;-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
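The practical consequence of the reply above (the match's checkentry refuses the rule, userspace only sees EINVAL, the reason is in the kernel log) can be turned into a small diagnostic. The script below is an added example written for this page; it is not code from the thread, the kernel, or the netfilter project. It assumes the warning text quoted in the message ("can't load conntrack support for proto=N") and the Linux family numbers NFPROTO_IPV4 = 2 and NFPROTO_IPV6 = 10 from <linux/netfilter.h>; the helper names and the sample log line are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: wrap an iptables command and, when
# it fails, look for the xt_state checkentry warning in the kernel log.
# iptables reports the kernel's EINVAL only as "Invalid argument"; the
# real cause is the printk quoted in the reply above.

# Map the Xtables family number printed by the warning to advice.
# Values assumed from <linux/netfilter.h>: NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10.
family_name() {
    case "$1" in
        2)  echo "ipv4 (build/load nf_conntrack_ipv4)" ;;
        10) echo "ipv6 (build/load nf_conntrack_ipv6)" ;;
        *)  echo "unknown family $1" ;;
    esac
}

# Read kernel log text on stdin; print the family number from the last
# "can't load conntrack support for proto=N" line. Returns 1 if none.
find_conntrack_warning() {
    proto=$(sed -n "s/.*can't load conntrack support for proto=\([0-9]*\).*/\1/p" | tail -n 1)
    [ -n "$proto" ] || return 1
    echo "$proto"
}

# Run a command (e.g. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT);
# on failure consult dmesg, because the EINVAL alone says nothing useful.
run_and_explain() {
    "$@" && return 0
    rc=$?
    if proto=$(dmesg 2>/dev/null | find_conntrack_warning); then
        echo "kernel refused the rule: conntrack l3proto missing for $(family_name "$proto")" >&2
    else
        echo "command failed (exit $rc) and no xt_state warning in dmesg" >&2
    fi
    return $rc
}

# Usage (needs root and a kernel with Xtables):
#   run_and_explain iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
```

The sed pattern is the only coupling to the kernel: if a later kernel rewords that printk, find_conntrack_warning silently reports nothing and run_and_explain falls through to the generic message, so keep the pattern next to the kernel version you run.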