Jan Engelhardt wrote:
>
> On May 10 2007 07:14, Wakko Warner wrote:
>
> >If it were possible that when a rule like that is deleted, all
> >active conntrack entries that this rule causes would be removed.
>
> Problem 1: We would have to record in a ct entry what rule caused
> the ct to come alive. What if we have an empty ruleset? Conntracking
> still runs even when no iptables rules are in position.

I figured something like that would be required. I do realize that
conntrack tracks connections regardless of iptables rules.

> Problem 2: If I wanted to move a rule inside a chain,
> deleting/reinserting it would kill the ct entry and - given some
> ruleset* (there are many more that would apply) - stops all
> connections immediately.
>
> -P INPUT DROP
> -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j ACCEPT

I understood this before I wrote it. How often does one move things
around in their firewall (after their experimental stage)?

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
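As an added illustration (not part of the thread) of the gap being discussed: under the ruleset Jan quotes, deleting the NEW rule for a service leaves every existing flow alive, because the ESTABLISHED rule keeps matching its conntrack entry, so an administrator who wants those flows gone has to locate and delete the entries by hand. The script below parses `conntrack -L` style output (a constructed sample is embedded, addresses and ports made up) and emits the `conntrack -D` invocations for entries whose original-direction tuple matches the deleted rule's protocol and destination port; the CLI options are those of conntrack-tools.

```python
import re
from typing import Dict, List

# Constructed sample in the layout printed by `conntrack -L` (conntrack-tools).
# Not captured from a real host; addresses and ports are made up.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=51234 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=40000 dport=80 src=10.0.0.5 dst=192.168.1.11 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.12 dst=10.0.0.5 sport=5353 dport=53 src=10.0.0.5 dst=192.168.1.12 sport=53 dport=5353 mark=0 use=1
tcp      6 110 SYN_SENT src=192.168.1.13 dst=10.0.0.5 sport=33333 dport=22 [UNREPLIED] src=10.0.0.5 dst=192.168.1.13 sport=22 dport=33333 mark=0 use=1
"""

# The first src/dst/sport/dport group on a line is the original direction,
# i.e. the tuple that matched the NEW rule when the flow was created.
_ORIG = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text: str) -> List[Dict[str, object]]:
    """Parse conntrack -L style lines into dicts (proto, state, original tuple)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        m = _ORIG.search(line)
        if not fields or m is None:
            continue  # skip blank or unrecognised lines rather than guess
        entries.append({
            "proto": fields[0],
            "state": fields[3] if fields[0] == "tcp" else None,  # udp has no state column
            "src": m.group(1), "dst": m.group(2),
            "sport": int(m.group(3)), "dport": int(m.group(4)),
        })
    return entries

def entries_for_rule(entries, proto: str, dport: int):
    """Entries whose original direction matches the deleted rule's selector."""
    return [e for e in entries if e["proto"] == proto and e["dport"] == dport]

def delete_commands(entries) -> List[str]:
    """One `conntrack -D` per matching entry, keyed on its original tuple."""
    return [
        f"conntrack -D -p {e['proto']} --orig-src {e['src']} --orig-dst {e['dst']} "
        f"--orig-port-src {e['sport']} --orig-port-dst {e['dport']}"
        for e in entries
    ]

if __name__ == "__main__":
    # Scenario: the rule accepting NEW tcp/22 connections was just deleted.
    for cmd in delete_commands(entries_for_rule(parse_conntrack(SAMPLE_TABLE), "tcp", 22)):
        print(cmd)
```

Run the printed commands as root on the firewall host; the half-open SYN_SENT entry is included deliberately, since it too would otherwise be completed by the ESTABLISHED rule.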