Re: Dynamically adding rules - are connection tracking states maintained?

On Thursday 2008-04-24 21:24, Pascal Hambourg wrote:
> noa levy a écrit :
>> 
>> When I add a rule to (or delete a rule from) iptables,
>> while it is running, does that have any effect on the states in the
>> connection tracking table?
>
> No.
>
>> Will the table be flushed?
>
> No.

the conntrack table remains;
the fw rule table is atomically exchanged.

>> Are states linked to the rule that allowed the initial packet in [...] ?
>
> No.

(No,) but parameters attached to rules may get reset when loading a
new ruleset into the kernel. Now what constitutes an "attached" data
portion hm... xt_quota for example stores its quota counter with the
rule. xt_recent for example on the other hand stores its data in a
separate malloc'ed area that is safe.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
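As an added example (not from this thread and not part of the netfilter project), the script below checks the two points made in the reply: the conntrack table is left alone by a ruleset reload, while state kept inside a rule, such as xt_quota's byte counter, is replaced together with the rule. It assumes root, `iptables`/`iptables-restore`, the `conntrack` tool from conntrack-tools, and a quota rule in the INPUT chain; the ruleset file path passed as `$1` is the caller's own. The `conntrack -L` and `iptables -nvxL` listings embedded in it are constructed samples so the parsing helpers can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Snapshots the conntrack table and
# the quota counter shown for the INPUT chain, reloads the ruleset atomically
# with iptables-restore, and snapshots both again.
# Assumptions: root, iptables/iptables-restore, conntrack (conntrack-tools),
# and a quota rule in INPUT. None of this is in the original post.

# Count established flows in `conntrack -L` output read from stdin.
count_conntrack_entries() {
    awk '/ESTABLISHED/ { n++ } END { print n + 0 }'
}

# Print the byte value shown for the first quota rule in `iptables -nvxL`
# output read from stdin (prints nothing if there is no quota rule).
quota_bytes_from_listing() {
    awk '/quota:/ { for (i = 1; i <= NF; i++) if ($i == "quota:") { print $(i + 1); exit } }'
}

# Take both snapshots, swap the ruleset, take them again.
# $1 is an iptables-save formatted ruleset file (assumed path, supplied by the caller).
verify_reload() {
    ruleset=$1
    before_ct=$(conntrack -L 2>/dev/null | count_conntrack_entries)
    before_q=$(iptables -nvxL INPUT | quota_bytes_from_listing)
    iptables-restore < "$ruleset"        # the whole table is replaced in one go
    after_ct=$(conntrack -L 2>/dev/null | count_conntrack_entries)
    after_q=$(iptables -nvxL INPUT | quota_bytes_from_listing)
    echo "established flows: $before_ct -> $after_ct   (expected: unchanged)"
    echo "quota bytes shown: $before_q -> $after_q   (expected: back to the value in $ruleset)"
}

# Constructed sample output, so the parsers can be exercised without root.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=80 src=10.0.0.1 dst=10.0.0.2 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=10.0.0.1 sport=51235 dport=22 src=10.0.0.1 dst=10.0.0.3 sport=22 dport=51235 [ASSURED] mark=0 use=1'

SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      1840 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 quota: 1000000 bytes
       5       420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Run the parsers over the constructed samples (no privileges needed).
demo() {
    printf 'sample established flows: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_conntrack_entries)"
    printf 'sample quota bytes: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | quota_bytes_from_listing)"
}

if [ "$#" -gt 0 ]; then
    verify_reload "$1"   # real check against the running kernel, as root
else
    demo
fi
```

Run it as `./reload-check.sh /path/to/ruleset` on a host with live connections and traffic through the quota rule. The reload is done from a file on purpose: an `iptables-save | iptables-restore` round trip may carry the current quota value back in as `--quota`, which would hide the reset. The number iptables prints after `quota:` also differs between iptables and kernel versions, so compare the before and after values rather than expecting a fixed figure.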
