Re: miscellaneous netfilter questions

Hello,

Christoph Anton Mitterer wrote:
> 
> 1) If I disable conntracking for packets using NOTRACK in raw what  
> happens if I e.g. match the state later in filter? Does the rule  
> simply not match for such packets or is it INVALID?

Packets processed with the NOTRACK target have the UNTRACKED state.

> 2) The addrtype module provides several address types. Where can I  
> find which addresses are _exactly_ matched by a given type for a given  
> protocol (especially IP4/6).
> I'm especially (but not only) interested in what LOCAL actually means?
> Is it all addresses of a host's network interfaces PLUS ALL the  
> addresses on those networks (like a "localnets")?
> Or is it all the addresses which the kernel thinks the host has itself, e.g.

The latter, I guess.

> 3) --fragment
> a) It's quite clear what happens if one uses "-f" or "! -f" but what  
> happens if neither of the two is given? Does it mean "! -f" or is it  
> like "match not fragmented packets AND fragmented packets (both the  
> first AND further fragments)".

The latter, obviously. All packets are matched regardless of fragmentation.

> b) Is it true that, when conntracking is used, packets are  
> automatically defragmented so one doesn't have to care about fragments at  
> all?

For IPv4, indeed when conntrack is enabled incoming fragmented datagrams
are reassembled before the PREROUTING chains. Note that packets which
are to be delivered locally are reassembled by the stack (not by
conntrack) before the INPUT chains anyway, so you never see fragments in
INPUT chains.

AFAIK things work a bit differently for IPv6: fragmented datagrams are
"virtually" reassembled for conntrack (the reason being that an IPv6
router does not handle fragmentation/reassembly), but continue to exist
as fragments through the ip6tables chains and the IPv6 stack.

> In that case, what happens to packets for which conntracking was  
> disabled (NOTRACK in raw)? Are they also defragmented or not?

Good question. I have no answer. This requires some code reading or a
bit of testing.
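The point in answer 1 above (NOTRACK gives packets the UNTRACKED state, so a later `-m state`/`-m conntrack` rule listing only NEW/ESTABLISHED/RELATED/INVALID will not match them) is easy to miss in a ruleset audit. The following is an added example, not code from the original mail or from the netfilter project: it parses a constructed iptables-save style dump and reports which state-matching rules would silently let NOTRACKed packets fall through to the chain policy. Rule syntax in the sample is the standard iptables one; the dump itself is made up for the example.

```python
import re

# Constructed iptables-save excerpt (sample input, not a real ruleset):
# NOTRACK for DNS in raw, plus a filter chain matching conntrack states.
SAMPLE_RULES = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate UNTRACKED -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Matches both the older "-m state --state" and the newer "-m conntrack --ctstate" syntax.
STATE_RE = re.compile(r"-m (?:conntrack --ctstate|state --state) (\S+)")


def parse_tables(text):
    """Return {table_name: [rule lines]} from iptables-save style text."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):          # "*raw", "*filter", ...
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def audit_untracked(text):
    """If raw uses NOTRACK, list state-matching rules in other tables that do
    not name UNTRACKED (NOTRACKed packets match none of them) and report
    whether any rule handles UNTRACKED explicitly."""
    tables = parse_tables(text)
    notrack = [r for r in tables.get("raw", []) if "-j NOTRACK" in r]
    ignoring, handled = [], False
    for table, rules in tables.items():
        if table == "raw":
            continue
        for rule in rules:
            match = STATE_RE.search(rule)
            if match is None:
                continue
            states = set(match.group(1).split(","))
            if "UNTRACKED" in states:
                handled = True
            else:
                ignoring.append(rule)
    return {"notrack_rules": len(notrack), "untracked_handled": handled,
            "state_rules_ignoring_untracked": ignoring if notrack else []}
```

A ruleset where `untracked_handled` is false while `notrack_rules` is non-zero relies entirely on the chain policy for the NOTRACKed traffic, which is usually not what the author intended.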