On Wed, Jun 2, 2010 at 2:35 PM, Jeremiah Crockett <jrmhcrcktt@xxxxxxxxx> wrote: > On Wed, Jun 2, 2010 at 1:27 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: >> . The five >> --ctstates {NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED} _are >> mutually exclusive_ to another. > > Are they all inclusive, i.e., is it possible for a packet not to match any > of these states? Or do packets "fall-through" into UNTRACKED if nothing > else matches? I believe that the default is INVALID, not UNTRACKED. From my limited understanding, UNTRACKED is used for traffic that was sent to the NOTRACK target. On Wed, Jun 2, 2010 at 1:27 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > Packets basically start without any associated connection, that is, > will be matched by -m conntrack --ctstate INVALID. Thanks Jan. So two important points that I gleaned from your post are (1) the states are mutually exclusive and (2) all packets start with a default of INVALID. This seems to get a bit murkier as some conditions that match INVALID, including invalid combinations of TCP flags, seem to be an "active match" instead of a "passive default." In other words, if the state starts as INVALID, and conntrack determines that it should be state NEW, something somehow must be applied afterwards to force it back to INVALID due to it being a malformed packet. How does that "something" fit in with this chain of events, and what does it check for? Alternately, do the checks for placing a packet into the other states check for malformed packets, in which case no second check for malformed packets needs to be done because anything that moves from INVALID is already known to be well-formed? I think part of the confusion stems from this: Based on my reading of the admittedly suboptimal documentation, there are two ways that packets can be marked INVALID: The packet is not part of any connection marked NEW, RELATED, ESTABLISHED, or UNTRACKED. The packet is malformed or otherwise problematic. The first is determined in the context of the conntrack system, and takes into consideration conntrack's knowledge of the state of the network and the connections therein. The second treats packets in a vacuum and evaluates parts of the packet against other parts to determine its consistency. It's likely that my confusion stems from a still-incomplete knowledge of how packets traverse the different parts of netfilter and xtables. Thanks again, everyone! --Mike -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html