On Thursday 2011-01-20 23:47, Richard Weinberger wrote:

>Hi,
>
>as a firewall admin I would like to see which rules allow
>the connections through my firewall.
>A relationship between conntrack and firewall rules would be nice.
>The next five patches bring this feature to the Linux Netfilter.
>
>First a small example.
>Consider this iptables rules:
>-A INPUT -m state --state ESTABLISHED,RELATED -j APPROVE --rule-id 1
>-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j APPROVE --rule-id 2
>-A INPUT -p tcp --dport 22 -m state --state NEW -j APPROVE --rule-id 3
>-A INPUT -p icmp -m state --state NEW -j APPROVE --rule-id 4
>
>The APPROVE target is the same as ACCEPT but it stores also a rule id into
>the connection tracking entry.

What about connmark? You could have used that. Perhaps combined with the
use of -j TRACE that can show which rules were processed before a verdict
was issued.
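As an added illustration of the connmark suggestion in this reply (example code, not from the patch series or from either poster), the POSIX shell script below emits the four rules from the cover letter with `-j APPROVE --rule-id N` replaced by a per-id user chain that records the id in the conntrack mark using the stock CONNMARK target, and it recovers the id again from `conntrack -L` output and from `-j TRACE` kernel log lines. The chain names `APPROVE_<id>`, the addresses and the sample conntrack and log lines are constructed for the example; only the iptables, conntrack and TRACE syntax is the real one.

```shell
#!/bin/sh
# Added example: emulate "-j APPROVE --rule-id N" with CONNMARK.
# The rule id is stored in the conntrack mark, which `conntrack -L`
# already prints, so no kernel change is needed.
# Assumption: the conntrack mark is otherwise unused (all marks are 0).

# Commands that create one APPROVE_<id> chain. The id is written only
# when the connection is still unmarked, so the mark names the rule that
# admitted the first packet and is not overwritten by the
# ESTABLISHED,RELATED rule on every later packet.
approve_chain() {
    id=$1
    printf 'iptables -N APPROVE_%s\n' "$id"
    printf 'iptables -A APPROVE_%s -m connmark --mark 0 -j CONNMARK --set-mark %s\n' "$id" "$id"
    printf 'iptables -A APPROVE_%s -j ACCEPT\n' "$id"
}

# The four rules from the cover letter, rewritten to jump to those chains.
ruleset() {
    for id in 1 2 3 4; do approve_chain "$id"; done
    echo 'iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j APPROVE_1'
    echo 'iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j APPROVE_2'
    echo 'iptables -A INPUT  -p tcp --dport 22 -m state --state NEW -j APPROVE_3'
    echo 'iptables -A INPUT  -p icmp -m state --state NEW -j APPROVE_4'
}

# The TRACE half of the suggestion: trace inbound ssh in the raw table
# so the kernel logs every rule the packet traverses before its verdict.
trace_rule() {
    printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j TRACE\n' "$1"
}

# Map one `conntrack -L` line back to the admitting rule id (0 if unmarked).
rule_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]mark=\([0-9]*\).*/\1/p' | grep . || echo 0
}

# Reduce TRACE log lines to the "table:chain:kind:number" hops, space separated.
trace_path() {
    printf '%s\n' "$1" | awk '/TRACE: / {
        s = $0; sub(/.*TRACE: /, "", s); sub(/ .*/, "", s)
        out = out sep s; sep = " "
    } END { print out }'
}

# Constructed sample data (not captured from a real host).
CT_SSH='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=51234 [ASSURED] mark=3 use=1'
CT_UNMARKED='udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=40000 use=1'
TRACE_LOG='kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=22
kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=22'

if [ "${1:-}" = "demo" ]; then
    ruleset
    trace_rule 22
    echo "ssh entry admitted by rule $(rule_id_of "$CT_SSH")"
    echo "dns entry admitted by rule $(rule_id_of "$CT_UNMARKED")"
    echo "trace path: $(trace_path "$TRACE_LOG")"
fi
```

Run it with `sh script.sh demo` to print the rule set; once loaded, `conntrack -L --mark 3` lists exactly the connections admitted by rule 3, which is the view the cover letter asks for. If the mark field is already used for something else (policy routing, for instance), confine the id to a byte with `--set-xmark id/0xff` on the CONNMARK target and `--mark 0/0xff` on the connmark match instead of the plain forms used above.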