On Saturday 24 July 2004 12:24 am, Bruno Negrão wrote:

> Hi guys, I didn't understand the following question and answer on
> netfilter's FAQ:
>
> "3.18 Why isn't the 'iptables -C' (--check) option implemented?
>
> Well, first of all, we're lazy ;). To be honest, implementing a check
> option is almost impossible as soon as you start to do stateful
> firewalling. Traditional stateless firewalling bases its decision just on
> information present in the packet's header. But with connection tracking
> (and '-m state' based rules), the outcome of the filtering decision depends
> on header+payload, as well as header+payload of previous packets within
> this connection."
>
> First of all, what do they mean by "--check"? What would they check?

I understand it to mean "check what would happen to a packet of this type if
it went through the ruleset", i.e.:

    iptables -C INPUT -p tcp --dport 22

would tell you whether your firewall would accept (to itself) an SSH packet
or not.

> What is "packet payload"? How does it make the "--check" option impossible
> to be implemented?

Payload is the data inside the packet (the useful bit beyond the IP / TCP /
UDP etc. headers).

It makes it impossible to implement --check because there's no way to
provide the payload on the command line.

Regards,

Antony.

--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

Please reply to the list; please don't CC me.
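The point Antony makes above (a header-only check is easy, a stateful one needs the history of the connection) can be seen in a small simulation. The following is an added illustration, not netfilter code and not part of the original thread: a toy rule evaluator with a stand-in conntrack table. Rule, Packet, ConnTracker, stateless_check and stateful_verdicts are names made up for this example, and the addresses and chains are constructed sample data.

```python
"""Toy model of a filter chain with and without '-m state'.

Constructed example, not netfilter code. It shows why a command-line
'--check' can answer for a stateless chain but not for a stateful one:
the same packet header gets different verdicts depending on earlier packets.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # like -p tcp
    dport: Optional[int] = None  # like --dport 22
    state: Optional[str] = None  # like -m state --state NEW|ESTABLISHED; None = stateless


class ConnTracker:
    """Minimal stand-in for the conntrack table: remembers 5-tuples it has seen."""

    def __init__(self) -> None:
        self.seen = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet):
        # The reply direction of a tracked flow has src/dst and ports swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state_of(self, p: Packet) -> str:
        if self._key(p) in self.seen or self._reply_key(p) in self.seen:
            return "ESTABLISHED"
        return "NEW"

    def record(self, p: Packet) -> None:
        self.seen.add(self._key(p))


def _matches(rule: Rule, p: Packet, state: Optional[str]) -> bool:
    if rule.proto is not None and rule.proto != p.proto:
        return False
    if rule.dport is not None and rule.dport != p.dport:
        return False
    if rule.state is not None and rule.state != state:
        return False
    return True


def stateless_check(rules: List[Rule], p: Packet, policy: str = "DROP") -> Optional[str]:
    """What a command-line '--check' could do: decide from the header alone.

    Returns None if any rule needs connection state, because a single
    header on the command line carries no history to consult.
    """
    if any(r.state is not None for r in rules):
        return None
    for r in rules:
        if _matches(r, p, None):
            return r.target
    return policy


def stateful_verdicts(rules: List[Rule], packets: List[Packet], policy: str = "DROP") -> List[str]:
    """Run packets through the chain in order, recording accepted flows in
    the tracker, so a later packet's verdict depends on earlier ones."""
    ct = ConnTracker()
    verdicts = []
    for p in packets:
        state = ct.state_of(p)
        verdict = policy
        for r in rules:
            if _matches(r, p, state):
                verdict = r.target
                break
        if verdict == "ACCEPT":
            ct.record(p)
        verdicts.append(verdict)
    return verdicts


# Constructed sample: a FORWARD chain on a router between 10.0.0.2 and 192.168.1.1
# that allows SSH. First the stateless version, then the '-m state' version.
STATELESS_CHAIN = [Rule("ACCEPT", proto="tcp", dport=22)]
STATEFUL_CHAIN = [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dport=22, state="NEW"),
]
SSH_SYN = Packet("tcp", "10.0.0.2", "192.168.1.1", 40000, 22)
SSH_REPLY = Packet("tcp", "192.168.1.1", "10.0.0.2", 22, 40000)

if __name__ == "__main__":
    print("stateless check, SSH:", stateless_check(STATELESS_CHAIN, SSH_SYN))
    print("stateless check on stateful chain:", stateless_check(STATEFUL_CHAIN, SSH_SYN))
    print("reply after SYN:", stateful_verdicts(STATEFUL_CHAIN, [SSH_SYN, SSH_REPLY]))
    print("reply with no history:", stateful_verdicts(STATEFUL_CHAIN, [SSH_REPLY]))
```

The reply packet SSH_REPLY has exactly the same header in both stateful runs; it is accepted only when the SYN was seen first, which is the information a one-line --check invocation cannot carry.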