On Sun, 2005-03-13 at 19:23, Jeff Simmons wrote:

> Sorry to bother anyone, but I'm new to iptables, and I'm debugging a working
> production machine, so I can't really test things too much. :-(
>
> Is a connection ONLY added to the state table when the first packet matches a
> rule that contains the --state NEW directive, or can it happen in some other
> way?

Connections begin getting added to the conntrack table as soon as the ip_conntrack module is loaded.

> When --state INVALID is matched, is it done only on the source and destination
> addresses and ports, or is something else also involved?

If the tcp_window_tracking patch is applied, sequence and acknowledgment numbers are also examined.

> Are NAT 'states' available for examination anywhere, like
> /proc/net/ip_conntrack?

Yes.

-j

--
"Mr. Simpson, why are you here? Don't say revenge! Don't say revenge!
Revenge? That's it! I'm outta here!" --The Simpsons
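The last two answers above (the NAT mapping is visible in /proc/net/ip_conntrack, and entries exist before any rule with --state NEW has matched) are easiest to see by reading the table itself. The script below is an added example, not code from either poster. It parses lines in the classic ip_conntrack layout (protocol, protocol number, timeout, an optional TCP state, the original-direction tuple, an optional [UNREPLIED] flag, the reply-direction tuple, then [ASSURED] and use=). Without NAT the reply tuple is just the original tuple reversed; a reply dst that differs from the original src is source NAT, a reply src that differs from the original dst is destination NAT. The sample lines are constructed for the example, not captured from a real host, and the assumption that the reply tuple always follows the second src= token is mine, not documented by the posters.

```python
"""Parse /proc/net/ip_conntrack entries and recover the NAT mapping of each.

Assumed layout (classic ip_conntrack, the format discussed in the thread):
  proto protonum timeout [STATE] src= dst= [sport= dport=] [UNREPLIED]
  src= dst= [sport= dport=] [ASSURED] use=N
The first src=/dst= group is the ORIGINAL direction, the second the REPLY
direction. That second-group-is-reply rule is an assumption of this example.
"""
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample table (not captured from a live host). Line 1: masqueraded
# web client; line 2: a SYN with no reply yet (it is in the table although no
# --state NEW rule need have matched); line 3: a DNAT port-forward; lines 4-5:
# plain UDP and ICMP with no NAT at all.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=43210 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=43210 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.11 dst=198.51.100.9 sport=50000 dport=443 [UNREPLIED] src=198.51.100.9 dst=203.0.113.1 sport=443 dport=1024 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.20 dst=203.0.113.1 sport=51515 dport=80 src=192.168.1.50 dst=198.51.100.20 sport=8080 dport=51515 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53 use=1
icmp     1 29 src=192.168.1.10 dst=192.168.1.1 type=8 code=0 id=1234 src=192.168.1.1 dst=192.168.1.10 type=0 code=0 id=1234 use=1
"""


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: Optional[int]  # None for protocols without ports (ICMP)
    dport: Optional[int]


@dataclass
class Entry:
    proto: str
    timeout: int
    state: Optional[str]      # TCP state, None for UDP/ICMP
    orig: Tuple4
    reply: Tuple4
    flags: List[str] = field(default_factory=list)  # e.g. ASSURED, UNREPLIED


def parse_line(line: str) -> Entry:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    rest = tokens[3:]
    state = None
    # A bare word before the first key=value token is the TCP state.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state, rest = rest[0], rest[1:]
    flags: List[str] = []
    groups: List[dict] = []   # one dict per src=... group: original, then reply
    for tok in rest:
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
            continue
        key, _, val = tok.partition("=")
        if key == "src":          # each src= token opens a new tuple
            groups.append({})
        if groups:
            groups[-1][key] = val  # trailing use=N lands here and is ignored
    if len(groups) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)

    def mk(g: dict) -> Tuple4:
        return Tuple4(g["src"], g["dst"],
                      int(g["sport"]) if "sport" in g else None,
                      int(g["dport"]) if "dport" in g else None)

    return Entry(proto, timeout, state, mk(groups[0]), mk(groups[1]), flags)


def parse_table(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def nat_kind(e: Entry) -> List[str]:
    """Return which NAT types the entry shows, by comparing reply vs. original.

    No NAT: reply == reversed original. Changed reply.dst (or dport) means the
    original source was rewritten (SNAT/MASQUERADE); changed reply.src (or
    sport) means the original destination was rewritten (DNAT/REDIRECT).
    """
    kinds = []
    if e.reply.dst != e.orig.src or e.reply.dport != e.orig.sport:
        kinds.append("SNAT")
    if e.reply.src != e.orig.dst or e.reply.sport != e.orig.dport:
        kinds.append("DNAT")
    return kinds


def describe(e: Entry) -> str:
    def ep(addr: str, port: Optional[int]) -> str:
        return addr if port is None else "%s:%d" % (addr, port)
    nat = ",".join(nat_kind(e)) or "no NAT"
    return "%-4s %-11s %s -> %s | reply %s -> %s | %s %s" % (
        e.proto, e.state or "-", ep(e.orig.src, e.orig.sport),
        ep(e.orig.dst, e.orig.dport), ep(e.reply.src, e.reply.sport),
        ep(e.reply.dst, e.reply.dport), nat, " ".join(e.flags))


if __name__ == "__main__":
    # Usage: python conntrack_nat.py [/proc/net/ip_conntrack]; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for entry in parse_table(text):
        print(describe(entry))
```

On a real 2.4/2.6 host, pass /proc/net/ip_conntrack as the argument; the [UNREPLIED] entries are the ones that have never seen a return packet, which is what you would inspect when deciding whether a --state NEW rule or the default conntrack behaviour created them.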