Thank you very much for your replies. I still don't understand one thing though: let's say I delete a rule that allows SSH traffic. There are probably many entries in the conntrack table for SSH sessions. Will these sessions continue to be allowed in, even though I have just deleted the rule that allowed SSH (and my default policy is DROP)?

On Thursday 2008-04-24 21:24, Pascal Hambourg wrote:

> noa levy wrote:
>>
>> When I add a rule to (or delete a rule from) iptables,
>> while it is running, does that have any effect on the states in the
>> connection tracking table?
>
> No.
>
>> Will the table be flushed?
>
> No.

The conntrack table remains; the fw rule table is atomically exchanged.

>> Are states linked to the rule that allowed the initial packet in [....] ?
>
> No.

(No,) but parameters attached to rules may get reset when loading a new ruleset into the kernel. Now what constitutes an "attached" data portion, hm... xt_quota for example stores its quota counter with the rule. xt_recent for example, on the other hand, stores its data in a separate malloc'ed area that is safe.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
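A worked check for the question at the top of the message, added here as an example; it is not code from anyone in this thread. Whether a live SSH session survives deletion of the SSH rule is decided by the rest of the ruleset, not by the conntrack table: an entry only classifies packets (NEW, ESTABLISHED, RELATED), and a rule still has to accept them. With policy DROP, existing sessions keep passing only if an ACCEPT rule for ESTABLISHED packets remains; without one, their packets are dropped while the entries linger until they time out. The script checks both halves on a host: it greps an iptables -S dump for such a rule, counts live conntrack entries to a port, and generates conntrack -D commands to evict them. It assumes iptables with the conntrack (or older state) match and the conntrack(8) tool from conntrack-tools; the iptables -S and conntrack -L samples are constructed, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the netfilter list thread. Assumes iptables with
# the conntrack/state match and conntrack(8) from conntrack-tools. The two
# sample dumps below are constructed, not captured from a real host.
#
# Deleting the "--dport 22" rule never touches the conntrack table, but an
# entry grants nothing by itself: packets of an existing SSH session keep
# passing only while the ruleset still ACCEPTs ESTABLISHED packets.

# Sample "iptables -S INPUT" output: one ruleset with a state rule, one without.
RULES_WITH_STATE='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

RULES_WITHOUT_STATE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Sample "conntrack -L" output: two live SSH sessions, one HTTP TIME_WAIT
# entry and one UDP DNS entry.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=51234 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=192.0.2.1 sport=51240 dport=22 src=192.0.2.1 dst=192.0.2.11 sport=22 dport=51240 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=192.0.2.12 dst=192.0.2.1 sport=40000 dport=80 src=192.0.2.1 dst=192.0.2.12 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.1 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=192.0.2.1 sport=53 dport=40001 mark=0 use=1'

# Does the ruleset on stdin (iptables -S output) still ACCEPT ESTABLISHED
# packets? Handles both "-m conntrack --ctstate" and "-m state --state".
# Exit status 0 = yes, 1 = no.
has_established_accept() {
  grep -E -- '-m (conntrack --ctstate|state --state) [A-Z,]*ESTABLISHED[A-Z,]* .*-j ACCEPT' >/dev/null
}

# Count ESTABLISHED TCP entries (conntrack -L output on stdin) whose
# original-direction dport is $1. The first dport= field on a line is the
# original tuple; the second is the reply tuple, which we ignore.
count_established_to_port() {
  awk -v port="$1" '
    $1 == "tcp" && $4 == "ESTABLISHED" {
      for (i = 5; i <= NF; i++)
        if ($i ~ /^dport=/) { split($i, kv, "="); if (kv[2] == port) n++; break }
    }
    END { print n + 0 }'
}

# Emit one "conntrack -D" command per ESTABLISHED TCP entry to port $1,
# keyed on the full original tuple so no other entry is removed. Review
# the output, then pipe it through sh as root.
evict_commands_for_port() {
  awk -v port="$1" '
    $1 == "tcp" && $4 == "ESTABLISHED" {
      src = ""; dst = ""; sport = ""; dport = ""
      for (i = 5; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src" && src == "") src = kv[2]
        else if (kv[1] == "dst" && dst == "") dst = kv[2]
        else if (kv[1] == "sport" && sport == "") sport = kv[2]
        else if (kv[1] == "dport" && dport == "") dport = kv[2]
      }
      if (dport == port)
        printf "conntrack -D -p tcp --orig-src %s --orig-dst %s --orig-port-src %s --orig-port-dst %s\n", src, dst, sport, dport
    }'
}

# Demo on the constructed samples. On a real host replace the printf
# pipelines with "iptables -S INPUT | has_established_accept" and
# "conntrack -L 2>/dev/null | count_established_to_port 22".
demo() {
  if printf '%s\n' "$RULES_WITHOUT_STATE" | has_established_accept; then
    echo "ruleset still accepts ESTABLISHED: existing SSH sessions keep passing"
  else
    echo "no ESTABLISHED accept rule: packets of existing SSH sessions hit policy DROP"
  fi
  echo "live SSH entries in sample table: $(printf '%s\n' "$SAMPLE_CONNTRACK" | count_established_to_port 22)"
  printf '%s\n' "$SAMPLE_CONNTRACK" | evict_commands_for_port 22
}

if [ "${1:-}" = demo ]; then demo; fi
```

Two caveats when using this for real. First, neither iptables -F nor a full iptables-restore flushes the conntrack table (that is the point of the thread), so if you want to terminate the sessions rather than merely stop accepting new ones, you must evict the entries yourself with the generated conntrack -D commands. Second, eviction alone is not enough while the ESTABLISHED rule is still there: the next packet of a running session is picked up mid-stream (nf_conntrack_tcp_loose is 1 by default) and creates a fresh entry whose first packet carries ctstate NEW, so it is the absence of a rule accepting NEW traffic to port 22 that finally makes it hit policy DROP.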