Re: Is this conntrack behaviour correct? Aka. Stealing services...

  Hi,

On 2004-06-04 (Fri) at 13:15, Markus Schaefer wrote:
> Short questions for the impatient:
>   - Why is netfilter using a port for NATing,
>     even though the very same port is reserved
>     by the router device through a listening socket,
>     (but "free" from view of conntrack table.)

  Because it wouldn't be a trivial task to assign every new connection
to an opened socket. Netfilter conntrack and NAT work strictly _below_
the IP layer, where these kinds of lookups are not yet done.

>   - I need a way to reserve a certain tuple in
>     the conntrack table. Or
>   - prevent a fixed tuple from being used.
>     (I know, it sounds strange but I need it :)

  Although I don't know of an existing iptables-level solution, I've
implemented the nat-reservations patch (it's in POM-NG) exactly because
of the same problems. However, this is only a low-level (in-kernel, only
for Netfilter extensions) interface for reserving tuples, you cannot use
that directly from iptables. And yes, I agree, sometimes it would be
useful to define such reserved tuples in your ruleset.

-- 
 Regards,
   Krisztian KOVACS
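A check for the collision this thread describes, added here as an example; it is not code from the original mail nor from the nat-reservations patch. It parses /proc/net/nf_conntrack-style entries and the router's own listening sockets (both constructed sample data) and reports NAT reply tuples whose destination port on the router is one a local socket already listens on, i.e. a tuple that conntrack considered free but the socket layer did not.

```python
import re

# Constructed sample in /proc/net/nf_conntrack format (not from the original mail).
# The first src/dst/sport/dport group is the original direction, the second the reply.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=43210 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=22 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=198.51.100.7 sport=43211 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=43211 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=198.51.100.9 sport=5000 dport=53 src=198.51.100.9 dst=203.0.113.5 sport=53 dport=5000 mark=0 use=1
"""

# Constructed view of the router's listening sockets, as `ss -lnt` / `ss -lnu`
# would show them: (proto, local address, port); "*" means any local address.
LISTENING = {("tcp", "*", 22), ("tcp", "203.0.113.5", 80), ("udp", "*", 5000)}

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Yield (proto, original_tuple, reply_tuple) for each conntrack line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[2]  # third column of nf_conntrack output: "tcp", "udp", ...
        found = TUPLE_RE.findall(line)
        if len(found) != 2:
            continue  # not a two-tuple IP entry, skip it
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in found]
        yield proto, orig, reply


def find_collisions(conntrack_text, listening):
    """Return conntrack entries whose reply tuple (remote -> router addr:port) uses a
    port the router itself listens on. Conntrack chose that port without consulting
    the socket table, so inbound packets to it match the NAT mapping, not the socket."""
    collisions = []
    for proto, (osrc, _, osport, _), (_, rdst, _, rdport) in parse_conntrack(conntrack_text):
        for lproto, laddr, lport in listening:
            if lproto == proto and lport == rdport and laddr in ("*", rdst):
                collisions.append({"proto": proto, "router": f"{rdst}:{rdport}",
                                   "internal": f"{osrc}:{osport}"})
                break  # one report per conntrack entry is enough
    return collisions


if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_CONNTRACK, LISTENING):
        print(f"{hit['proto']} {hit['router']}: NAT-mapped for {hit['internal']}, "
              f"but a local socket listens on that port")
```

On a real router, feed it the contents of /proc/net/nf_conntrack (or `conntrack -L` reformatted to the same fields) and the output of `ss -lntu`; a non-empty result is the symptom the question describes.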


