Re: connection tracking query

Hi Dhiraj,

Since I wrote it, I may as well answer it as well ;).

What I (think) I actually wrote is this. At the PREROUTING chain all of
the actual state changes and state calculations are done. This
"material" can then be used to match packets based on their states, but
the actual states have already been calculated properly before the
PREROUTING chain.

The actual work surrounding the connection tracking is hence done
before the PREROUTING chain, so that we have the ability to do stateful
matching.

Hmmm.. I hope you understand what I am saying; this explanation got more
complex than the actual process is =).

As for your second question, yes, the packet _must_ go through the
filter table again. The only tables skipped, if the packet is considered
not NEW, are the nat and mangle tables.

//Oskar Andreasson

On Mon, 2003-04-07 at 11:02, dhiraj.2.bhuyan@xxxxxx wrote:
> 1. I was reading the Iptables tutorial by Oskar Andreasson
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
> It says that connection tracking is done in the PREROUTING chain or OUTPUT
> chain (for locally generated packets). If connection tracking is done only
> at these two chains, what happens to the packets that don't belong to an
> already established connection? I understand that it will have to go through
> the filter rules - before the state table is updated for a NEW/RELATED
> connection. If that is the case, "conntrack" must be taking place at other
> chains too (where the filter is applied). The following document
> http://www.knowplace.org/netfilter/syntax.html does in fact say that
> "conntrack" is happening not only in the PREROUTING and the OUTPUT chain,
> but also in INPUT and POSTROUTING chain. What I find strange with this is
> that for a packet that goes through the "FORWARD" chain, "conntrack" is done
> twice on the same packet - first in the "PREROUTING" chain and second in the
> "POSTROUTING" chain. Does anyone have any explanation for this?
> 
> 
> 2. If a packet is found to belong to an already ESTABLISHED connection, does
> it still have to go through the filter rules again?
> 
> 
> Thanks,
> dhiraj
> 
> 
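A constructed model of the path Oskar describes, added here and not taken from the tutorial or from anyone in this thread: the connection state is classified before the PREROUTING chain, the nat table is consulted only for NEW connections, and the filter table is evaluated for every packet, ESTABLISHED ones included. Addresses, ports and the "lan"/"wan" interface names are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str  # constructed interface names: "lan" or "wan"

class Conntrack:
    """Connection table keyed by a direction-independent endpoint pair."""
    def __init__(self):
        self.entries = set()

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def classify(self, p):
        # Runs before the PREROUTING chain, so every later chain
        # (including filter) can match on the resulting state.
        return "ESTABLISHED" if self.key(p) in self.entries else "NEW"

    def confirm(self, p):
        # The entry is kept only if the packet survives to the end of its
        # path (netfilter confirms new entries at POSTROUTING/INPUT).
        self.entries.add(self.key(p))

def nat_prerouting(state, visited):
    if state == "NEW":                 # nat sees only a connection's first packet
        visited.append("nat/PREROUTING")

def filter_forward(p, state, visited):
    visited.append("filter/FORWARD")   # evaluated for every packet, NEW or not
    if state == "ESTABLISHED":
        return "ACCEPT"
    return "ACCEPT" if p.in_if == "lan" else "DROP"  # NEW only from the LAN side

def traverse(ct, p):
    """Return (verdict, tables visited) for one forwarded packet."""
    visited = []
    state = ct.classify(p)             # state known before PREROUTING
    nat_prerouting(state, visited)
    verdict = filter_forward(p, state, visited)
    if verdict == "ACCEPT":
        ct.confirm(p)                  # dropped packets never create an entry
    return verdict, visited
```

A dropped unsolicited packet leaves no entry behind, so a retry from the same source is classified NEW again and hits the same filter rule.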
