Re: UDP connections and Conntrack...

On Wed 07/01/2004 at 12:57, Jozsef Kadlecsik wrote:
> On Wed, 7 Jan 2004, Eddahbi Karim wrote:
> 
> > The connection state change at the nat table of the PREROUTING chain and
> > at the nat table of the OUTPUT chain.
> 
> False. Check the source code.

After checking the source code, I can see that the two principal hooks
are on these chains.

/* Connection tracking may drop packets, but never alters them, so
   make it the first hook. */
static struct nf_hook_ops ip_conntrack_in_ops = {
	.hook		= ip_conntrack_in,
	.owner		= THIS_MODULE,
	.pf		= PF_INET,
	.hooknum	= NF_IP_PRE_ROUTING,
	.priority	= NF_IP_PRI_CONNTRACK,
};

static struct nf_hook_ops ip_conntrack_local_out_ops = {
	.hook		= ip_conntrack_local,
	.owner		= THIS_MODULE,
	.pf		= PF_INET,
	.hooknum	= NF_IP_LOCAL_OUT,
	.priority	= NF_IP_PRI_CONNTRACK,
};

Now, I can't really bet these hooks are in the nat table, but conntrack
and nat are very closely related.

I got the information here:
http://iptables-tutorial.frozentux.net/chunkyhtml/statemachine.html
There's another explanation here:
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

If I'm wrong, I want to have a proof...

> 
> > Btw Iptables for IPv6 doesn't have any conntrack for the moment ;-).
> 
> There is an experimental code which you can find in the mailing list
> archives. It's not in p-o-m yet.
> 

Ok thanks :),

-- 
Eddahbi Karim

Phone :
(33) (0)6 61 30 57 77

France
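As an added illustration of what the two nf_hook_ops structs quoted in the message imply (this is example code written for this page, not code from the post or from the kernel tree): a small model of how netfilter keeps the callbacks on one hook point sorted by priority. The priority constants are the ones in linux/netfilter_ipv4.h of the 2.4/2.6 kernels; the struct layout, the list code and the hook labels are stand-ins chosen for the example. Because NF_IP_PRI_CONNTRACK sorts ahead of NF_IP_PRI_NAT_DST, ip_conntrack_in is called before the nat table's PREROUTING hook and ip_conntrack_local before its OUTPUT hook, so the nat chains already find a conntrack state for the packet even though the conntrack hooks are registered directly and belong to no table.

```c
/* Added example: a simplified model of how netfilter orders the callbacks
 * registered on one hook point (PRE_ROUTING, LOCAL_OUT, ...). It is not
 * code from the post or the kernel tree. The priority values are those of
 * linux/netfilter_ipv4.h in the 2.4/2.6 kernels; the struct, the list and
 * the hook labels are stand-ins chosen for this example. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum {
    NF_IP_PRE_ROUTING = 0,
    NF_IP_LOCAL_IN,
    NF_IP_FORWARD,
    NF_IP_LOCAL_OUT,
    NF_IP_POST_ROUTING,
    NF_IP_NUMHOOKS
};

/* Lower number = called earlier on the same hook point. */
enum {
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE    = -150,
    NF_IP_PRI_NAT_DST   = -100,
    NF_IP_PRI_FILTER    = 0,
    NF_IP_PRI_NAT_SRC   = 100
};

struct hook_ops {
    const char *name;      /* label for this example, not a kernel field */
    int hooknum;
    int priority;
    struct hook_ops *next;
};

/* One singly linked list per hook point, kept sorted by priority. */
static struct hook_ops *hook_lists[NF_IP_NUMHOOKS];

/* Same rule as nf_register_hook(): insert before the first entry whose
 * priority is strictly greater, so equal priorities keep registration order. */
static void register_hook(struct hook_ops *reg)
{
    struct hook_ops **pp = &hook_lists[reg->hooknum];

    while (*pp != NULL && (*pp)->priority <= reg->priority)
        pp = &(*pp)->next;
    reg->next = *pp;
    *pp = reg;
}

/* Copies the names of the hooks on hooknum into out[] in call order.
 * Returns how many were written (at most max). */
static int call_order(int hooknum, const char **out, int max)
{
    int n = 0;
    const struct hook_ops *h;

    for (h = hook_lists[hooknum]; h != NULL && n < max; h = h->next)
        out[n++] = h->name;
    return n;
}

/* Registers the hooks in a deliberately "wrong" order (nat before conntrack)
 * to show that priority, not registration order, decides who runs first. */
static void register_conntrack_and_nat(void)
{
    static struct hook_ops ops[] = {
        { "nat: PREROUTING (DNAT)",  NF_IP_PRE_ROUTING,  NF_IP_PRI_NAT_DST,   NULL },
        { "mangle: PREROUTING",      NF_IP_PRE_ROUTING,  NF_IP_PRI_MANGLE,    NULL },
        { "ip_conntrack_in",         NF_IP_PRE_ROUTING,  NF_IP_PRI_CONNTRACK, NULL },
        { "nat: OUTPUT (DNAT)",      NF_IP_LOCAL_OUT,    NF_IP_PRI_NAT_DST,   NULL },
        { "filter: OUTPUT",          NF_IP_LOCAL_OUT,    NF_IP_PRI_FILTER,    NULL },
        { "ip_conntrack_local",      NF_IP_LOCAL_OUT,    NF_IP_PRI_CONNTRACK, NULL },
        { "nat: POSTROUTING (SNAT)", NF_IP_POST_ROUTING, NF_IP_PRI_NAT_SRC,   NULL },
    };
    size_t i;

    memset(hook_lists, 0, sizeof hook_lists);
    for (i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        ops[i].next = NULL;          /* allow repeated calls */
        register_hook(&ops[i]);
    }
}

int main(void)
{
    static const char *names[] = { "PRE_ROUTING", "LOCAL_IN", "FORWARD",
                                   "LOCAL_OUT", "POST_ROUTING" };
    const char *order[8];
    int hooknum, i, n;

    register_conntrack_and_nat();
    for (hooknum = 0; hooknum < NF_IP_NUMHOOKS; hooknum++) {
        n = call_order(hooknum, order, 8);
        if (n == 0)
            continue;
        printf("%s:", names[hooknum]);
        for (i = 0; i < n; i++)
            printf(" -> %s", order[i]);
        printf("\n");
    }
    return 0;
}
```

Running it prints, for each hook point, the callbacks in the order the kernel would invoke them; the conntrack entry comes out first on PRE_ROUTING and LOCAL_OUT no matter where it was registered in the list, which is the ordering the iptables state machine documentation linked above describes.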
