On Tuesday 01 April 2003 08:18 pm, SB CH wrote:
> Hello, all.
>
> connection tracking(stateful inspection) has a relation with this
> menu(make config)?
>
> "Connection tracking match support"
>
> But when I deselect this menu, I can use connection tracking like
> NEW,ESTABLISHED,RELATED etc.
> I think that only "Connection state match support" menu is required to
> use this function.
>
> then what is the function and meaning of the "Connection tracking
> match support"?

As I just found out (Thanks Martin Josefsson!) there is available a
conntrack match. It lets you match more than the three conntrack states
you mentioned - you can match conntrack status like ASSURED, SEEN_REPLY,
etc, as well as 'states' SNAT and DNAT (matches packets which have been
SNATted or DNATted) and also match the original pre-SNAT/pre-DNAT IPs.

http://netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.3

j
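
The difference described in the reply above, as an added example that is not part of the original message: one rule using the state match, then rules that need the conntrack match (--ctstatus, the DNAT "state", and --ctorigdst). The interface name, the addresses and the function name load_conntrack_rules are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: "state" match beside "conntrack" match.
# All names and addresses below are constructed placeholders.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run that only prints
WAN_IF="eth0"            # assumed external interface
PUBLIC_IP="192.0.2.10"   # assumed address clients connect to (before DNAT)
WEB_SERVER="10.0.0.5"    # assumed internal server (after DNAT)

load_conntrack_rules() {
    # Needs only "Connection state match support":
    # the states NEW, ESTABLISHED, RELATED, INVALID.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Needs "Connection tracking match support":
    # match on conntrack status bits instead of state. ASSURED is set
    # once the tracker has seen traffic in both directions.
    $IPT -A FORWARD -m conntrack --ctstatus ASSURED -j ACCEPT

    # Port-forward inbound HTTP to the internal server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # In FORWARD the packet already carries the rewritten destination.
    # --ctstate DNAT matches only connections that were DNATted, and
    # --ctorigdst checks the address the client originally targeted, so
    # traffic that reaches the server some other way is not accepted here.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate DNAT --ctorigdst "$PUBLIC_IP" -j ACCEPT

    # Everything else arriving on the external interface is dropped.
    $IPT -A FORWARD -i "$WAN_IF" -j DROP
}

# Apply only when asked to; sourcing the file just defines the function.
if [ "${1:-}" = "--apply" ]; then
    load_conntrack_rules
fi
```

Run with IPT="echo iptables" in the environment to print the rules without touching the kernel tables.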