On Sat, 2004-07-24 at 03:56, Antony Stone wrote: > > I understand it to mean "check what would happen to a packet of this type if > it went through the ruleset" Yup, that's what it did under ipchains. :) > > What is "packet payload"? How does it make the "--check" option impossible > > to be implemented? > > It makes it impossible to implement --check because there's no way to provide > the payload on the command line. Not quite true as you would just use a sting match, same as you would in a filtering rule. The problem is a majority of the time check would end up reporting "it depends". For example what if you try and check what would happen to "a packet coming from the Internet to an internal system from 22/TCP to an upper port number, with the ACK flag set and "foo" in the payload. You may not have a rule that specifically lets this traffic through, but it might actually pass if it ends up being a state match due to an initial outbound SYN packets. So how iptables would handle this packet "depends" on what traffic went by prior to it. The check option has said it would be implemented "real soon now" since iptables was alpha code. I'm guessing the option will never happen. Its just a carry over from ipchains. ;-) HTH, C
