>On Thu, Apr 29, 2010 at 6:07 PM, <billprozac@xxxxxxxxx> wrote:
> The echo-reply does not.

Is icmp different from other protocol packets?

My understanding is:

- { In a router } whenever a packet hits the PREROUTING chain, a tuple is created and the state is made NEW by the conntrack module. When the packet goes out of the POSTROUTING chain, the original and reply direction tuples are installed in the hash table. When the reply packet comes back and hits the PREROUTING chain, the state is made ESTABLISHED.

So, in icmp, whenever the request goes out itself, state will be made ESTABLISHED ???

Thanks,
Ratheesh

On Thu, Apr 29, 2010 at 6:07 PM, <billprozac@xxxxxxxxx> wrote:
> The echo-reply does not.
>
> On Apr 29, 2010 2:25am, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
>> >> > the outgoing echo-reply matches to it and thus does
>> >> > not show up in nat OUTPUT/POSTROUTING.
>> >>
>> >> Will the echo reply show up in the nat PREROUTING chain?
>> >>
>> >> Thanks,
>> >> Ratheesh
>> >>
>> >> On Thu, Apr 29, 2010 at 2:25 AM, Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:
>> >> > On Wed, 28 Apr 2010, Bill Prochazka wrote:
>> >> >
>> >> >> A more simple example is that ICMP echo requests
>> >> >> go out the nat table's output chain, but ICMP echo replies do not.
>> >> >
>> >> > The incoming ICMP echo-request (should be visible in PREROUTING) sets up
>> >> > a conntrack entry, the outgoing echo-reply matches to it and thus does
>> >> > not show up in nat OUTPUT/POSTROUTING.
>> >> >
>> >> > c'ya
>> >> > sven-haegar
>> >> >
>> >> > --
>> >> > Three may keep a secret, if two of them are dead.
>> >> > - Ben F.
>> >> > --
>> >> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> >> > the body of a message to majordomo@xxxxxxxxxxxxxxx
>> >> > More majordomo info at http://vger.kernel.org/majordomo-info.html
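
Added example, not part of the thread and not netfilter code: a simplified Python model of the behaviour discussed above, in which only the packet that creates a conntrack entry traverses the nat chains and the ICMP reply tuple is the request tuple with addresses swapped and the same ICMP id. The class and function names, the addresses and the restriction to locally terminated or originated traffic are assumptions made for the illustration.

```python
# Simplified model of conntrack + the nat table for ICMP echo (added example,
# not kernel code). Assumption: only locally terminated/originated traffic.
ECHO_REQUEST, ECHO_REPLY = 8, 0
NAT_CHAINS = {"in": ["PREROUTING"], "out": ["OUTPUT", "POSTROUTING"]}

class Conntrack:
    def __init__(self):
        self.table = {}  # tuple -> (shared entry, direction)

    def classify(self, pkt):
        """Return (state, is_first_packet) for pkt = (src, dst, icmp_type, icmp_id)."""
        hit = self.table.get(pkt)
        if hit is None:
            src, dst, icmp_type, icmp_id = pkt
            if icmp_type != ECHO_REQUEST:
                return "INVALID", False  # a reply with no matching request
            entry = {"seen_reply": False}
            self.table[pkt] = (entry, "original")
            # Reply tuple: addresses swapped, type inverted, same ICMP id.
            self.table[(dst, src, ECHO_REPLY, icmp_id)] = (entry, "reply")
            return "NEW", True
        entry, direction = hit
        if direction == "reply":
            entry["seen_reply"] = True
        return ("ESTABLISHED" if entry["seen_reply"] else "NEW"), False

def nat_chains_seen(ct, pkt, path):
    """nat chains are consulted only for the packet that creates the entry."""
    state, first = ct.classify(pkt)
    return state, (NAT_CHAINS[path] if first else [])

HOST, PEER = "192.0.2.1", "198.51.100.7"  # constructed documentation addresses

def run_scenarios():
    ct = Conntrack()
    return {
        # Peer pings us: request creates the entry, our reply matches it.
        "in_request": nat_chains_seen(ct, (PEER, HOST, ECHO_REQUEST, 0x1234), "in"),
        "out_reply": nat_chains_seen(ct, (HOST, PEER, ECHO_REPLY, 0x1234), "out"),
        # We ping the peer: the returning reply skips nat PREROUTING.
        "out_request": nat_chains_seen(ct, (HOST, PEER, ECHO_REQUEST, 0x4321), "out"),
        "in_reply": nat_chains_seen(ct, (PEER, HOST, ECHO_REPLY, 0x4321), "in"),
        # Echo-reply that answers nothing we track.
        "stray_reply": nat_chains_seen(ct, (PEER, HOST, ECHO_REPLY, 0x9999), "in"),
    }

if __name__ == "__main__":
    for name, (state, chains) in run_scenarios().items():
        print(f"{name:12} state={state:11} nat chains={chains or 'none'}")
```

In this model the entry stays NEW until a packet in the reply direction is seen, so the outgoing echo-request is still NEW when it passes nat OUTPUT/POSTROUTING.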