On Thursday 2008-08-14 16:23, Stephen Isard wrote:

> On Thu, 14 Aug 2008, Jan Engelhardt jengelh-at-medozas.de |netfilter| wrote:
>
>> CUPS does not actually use SNMP, does it? The way I have seen its
>> output is regular UDP transmissions from and to port 631, without
>> any replies (much like most NBT packets).
>>
>> -d 192.168.0.255 -p udp --dport 631
>
> It does that too, but yes, recent (I'm not sure since when) CUPS also uses
> SNMP. The port 631 transmissions are for finding other computers that share
> their printers. SNMP is used for finding standalone printers with their own IP
> addresses on your local network.

Makes sense. It is only natural that the reply packet is not associated with
the original connection, because the sender address is not 192.168.0.255.

You could write a layer-4 connection tracker that observes packets to
192.168.0.255:631, verifies that they are of SNMP nature (or does not verify at
all and Just Does It), and then instantiates a new expectation, therefore making
replies match -m conntrack --ctstate RELATED.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
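A toy model of the two behaviours discussed in the thread, added here as an illustration and not netfilter or CUPS code: a tuple-keyed tracker under which an answer to a broadcast (arriving from a different source address) is NEW rather than ESTABLISHED, and the expectation-creating helper Jan sketches, under which such answers become RELATED. The hosts, ports and packet sequence are constructed; expectation timeouts are not modelled.

```python
# Constructed model of conntrack tuple lookup plus a broadcast "expectation"
# helper. Not kernel code; only the classification logic is illustrated.
from dataclasses import dataclass

BROADCAST = "192.168.0.255"
CUPS_PORT = 631


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Tracker:
    def __init__(self, helper_enabled: bool):
        self.conns = set()         # original-direction tuples seen so far
        self.expectations = set()  # (dst, dport) an answer may be sent to
        self.helper_enabled = helper_enabled

    def classify(self, p: Packet) -> str:
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.conns or reply in self.conns:
            return "ESTABLISHED"
        if (p.dst, p.dport) in self.expectations:
            # Expectation matches on destination only, so any LAN host may
            # answer the broadcast; the new flow is then tracked normally.
            self.conns.add(orig)
            return "RELATED"
        self.conns.add(orig)
        if self.helper_enabled and p.dst == BROADCAST and p.dport == CUPS_PORT:
            # Helper hook: answers to this broadcast go back to (src, sport).
            self.expectations.add((p.src, p.sport))
        return "NEW"


def simulate(helper_enabled: bool) -> list:
    """Constructed exchange: one browse broadcast, then several answers."""
    t = Tracker(helper_enabled)
    packets = [
        Packet("192.168.0.5", 631, BROADCAST, 631),      # browse broadcast
        Packet("192.168.0.7", 631, "192.168.0.5", 631),  # answer from a peer
        Packet("192.168.0.7", 631, "192.168.0.5", 631),  # same flow again
        Packet("192.168.0.9", 631, "192.168.0.5", 631),  # answer, other peer
        Packet("192.168.0.7", 631, "192.168.0.5", 9100), # unrelated port
    ]
    return [t.classify(p) for p in packets]
```

Without the helper the peers' answers are NEW and a policy that only accepts ESTABLISHED,RELATED drops them; with it they are RELATED, while the packet to an unexpected port stays NEW.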