On May 10 2007 07:14, Wakko Warner wrote:
>
> If it were possible that when a rule like that is deleted, all
> active conntrack entries that this rule causes would be removed.

Problem 1: We would have to record in a ct entry what rule caused the
ct to come alive. What if we have an empty ruleset? Conntracking still
runs even when no iptables rules are in position.

Problem 2: If I wanted to move a rule inside a chain,
deleting/reinserting it would kill the ct entry and - given some
ruleset* (there are many more that would apply) - stop all
connections immediately.

-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j ACCEPT

Jan
--
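The two objections above can be made concrete with a toy model of an INPUT chain plus a conntrack table. This is an added illustration, not netfilter code and not something from the thread; the class and function names (Packet, Rule, Chain, problem1_empty_ruleset, problem2_move_rule) and the sample flows are invented for the example, and the purge_on_delete switch is the proposal under discussion modelled as a flag so both behaviours can be compared side by side. The ruleset is the one quoted in the message.

```python
"""Toy conntrack + filter chain (added example, not netfilter code).

Models two properties of the real thing that the message relies on:
  * the conntrack table is populated regardless of which rule (if any)
    accepted the first packet of a flow, so there may be no rule to blame;
  * the ESTABLISHED rule matches on conntrack state, not on the rule that
    created the entry, so deleting and re-inserting a rule does not disturb
    existing flows unless the ct entries themselves are purged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP SYN-only packet (what --syn matches)

    def flow(self) -> Tuple:
        """Direction-agnostic 5-tuple, standing in for a conntrack tuple pair."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass
class Rule:
    ctstate: Optional[str] = None  # "NEW" / "ESTABLISHED" (-m conntrack --ctstate)
    proto: Optional[str] = None    # e.g. "tcp" (-p tcp)
    syn: Optional[bool] = None     # True for --syn
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.ctstate is None or state == self.ctstate)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.syn is None or pkt.syn == self.syn))


class Chain:
    """INPUT chain with a policy, an ordered rule list and a conntrack table.

    conntrack maps flow -> the Rule object that accepted the flow's first
    packet, or None when the chain policy (no rule at all) let it through.
    """

    def __init__(self, policy: str = "DROP", purge_on_delete: bool = False):
        self.policy = policy
        self.rules: List[Rule] = []
        self.conntrack: Dict[Tuple, Optional[Rule]] = {}
        self.purge_on_delete = purge_on_delete  # hypothetical proposed behaviour

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def delete(self, index: int) -> Rule:
        rule = self.rules.pop(index)
        if self.purge_on_delete:
            # proposed behaviour: remove every ct entry this rule brought alive
            self.conntrack = {f: r for f, r in self.conntrack.items()
                              if r is not rule}
        return rule

    def input(self, pkt: Packet) -> str:
        flow = pkt.flow()
        # conntrack classifies the packet before any rule is consulted,
        # whether or not the ruleset is empty
        state = "ESTABLISHED" if flow in self.conntrack else "NEW"
        verdict, origin = self.policy, None
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict, origin = rule.target, rule
                break
        # a fresh entry is only confirmed when the packet is not dropped
        if verdict == "ACCEPT" and flow not in self.conntrack:
            self.conntrack[flow] = origin
        return verdict


def ruleset_from_message() -> List[Rule]:
    """-P INPUT DROP; ESTABLISHED -j ACCEPT; NEW -p tcp --syn -j ACCEPT."""
    return [Rule(ctstate="ESTABLISHED"),
            Rule(ctstate="NEW", proto="tcp", syn=True)]


def problem1_empty_ruleset() -> Optional[Rule]:
    """Policy ACCEPT and no rules: the ct entry still appears, with no rule
    recorded as its cause. Returns that recorded cause (None)."""
    chain = Chain(policy="ACCEPT")
    pkt = Packet("udp", "10.0.0.2", 40000, "10.0.0.1", 53)  # constructed sample
    chain.input(pkt)
    return chain.conntrack[pkt.flow()]


def problem2_move_rule(purge_on_delete: bool) -> str:
    """Delete and re-append the NEW rule mid-flow; return the verdict the
    next data packet of the already-established connection receives."""
    chain = Chain(policy="DROP", purge_on_delete=purge_on_delete)
    for r in ruleset_from_message():
        chain.append(r)
    syn = Packet("tcp", "192.0.2.10", 51000, "192.0.2.1", 22, syn=True)
    data = Packet("tcp", "192.0.2.10", 51000, "192.0.2.1", 22)
    chain.input(syn)    # NEW + --syn, accepted by the second rule
    chain.input(data)   # ESTABLISHED, accepted by the first rule
    moved = chain.delete(1)   # "moving" the rule: delete ...
    chain.append(moved)       # ... and re-insert it
    return chain.input(data)


if __name__ == "__main__":
    print("problem 1, origin rule of entry:", problem1_empty_ruleset())
    print("problem 2, keep ct entries:", problem2_move_rule(False))
    print("problem 2, purge on delete:", problem2_move_rule(True))
```

With purge_on_delete left off, the data packet after the delete/re-insert is still ESTABLISHED and is accepted by the first rule; with it on, the entry is gone, the packet is classified NEW, it is not a SYN, and the chain policy drops it.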