On Wednesday 2010-06-02 22:35, Jeremiah Crockett wrote:

>On Wed, Jun 2, 2010 at 1:27 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
>>The five --ctstates {NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED}
>>_are mutually exclusive_ to another.
>
>[...] is it possible for a packet not to
>match any of these states?

No.

> An skb will start out zeroed, i.e.
> ...
> Since the logic for xt_conntrack ctstate testing is:
> ...
> Packets basically start without any associated connection, that is,
> will be matched by -m conntrack --ctstate INVALID.
>
> When it's nf_conntrack's turn, it may assign something to skb->nfct,
> which makes --ctstate NEW match. Or it may not (faulty packet, no
> association for ICMP, etc.), skb->nfct* is left as is, in other
> words, it will continue to match --ctstate INVALID.
>
>
>This is perfect, as far as it goes. It seems to me there is a great need
>for someone to continue this,

Well ask more. With a bit of luck enough text will accumulate and I'll get
fired up to put it into book form, just as I did with the "Writing
Netfilter Modules" PDF. But it needs assistance from novices, because
experienced people see less of a problem that they would consider worth
documenting.

>an explanation of the logic, perhaps
>illustrated by code snippets, but not requiring every netfilter user to be
>able to derive it for themselves.
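The ctstate logic discussed in the thread, as an added stand-alone user-space model; this is not code from the thread, from Jan's PDF, or from the kernel tree. The enum values and the XT_CONNTRACK_STATE_* bit positions are written from memory of linux/netfilter/xt_conntrack.h and nf_conntrack_common.h and should be treated as assumptions; the point the model makes does not depend on the exact bit numbers, only on the fact that every packet is mapped to exactly one of the five user-visible states.

```c
/* Added example: user-space model of how xt_conntrack picks the single
 * --ctstate bit for a packet. Not kernel code; constant names and bit
 * positions are an assumption modelled on the kernel headers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ctinfo as carried next to skb->nfct (assumed enum ip_conntrack_info). */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0,
	IP_CT_RELATED = 1,
	IP_CT_NEW = 2,
	IP_CT_IS_REPLY = 3,
	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1, /* 5 distinct ctinfo values */
};

/* Reply-direction ctinfo folds onto the same bit as the original one. */
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1u << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define XT_CONNTRACK_STATE_INVALID     (1u << 0)
#define XT_CONNTRACK_STATE_UNTRACKED   (1u << (IP_CT_NUMBER + 3))
#define XT_CONNTRACK_STATE_ESTABLISHED XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)
#define XT_CONNTRACK_STATE_RELATED     XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)
#define XT_CONNTRACK_STATE_NEW         XT_CONNTRACK_STATE_BIT(IP_CT_NEW)

/* The one state bit for a packet.
 * has_nfct: skb->nfct != NULL (nf_conntrack attached a connection)
 * untracked: the attached ct is the NOTRACK placeholder
 * ctinfo: direction/state info, meaningful only when has_nfct */
uint32_t ctstate_bit(bool has_nfct, bool untracked, int ctinfo)
{
	if (!has_nfct)
		return XT_CONNTRACK_STATE_INVALID;   /* never touched by conntrack */
	if (untracked)
		return XT_CONNTRACK_STATE_UNTRACKED;
	return XT_CONNTRACK_STATE_BIT(ctinfo);
}

/* -m conntrack [!] --ctstate A,B,...: the packet's single bit is tested
 * against the user's mask, then XORed with the inversion flag. */
bool ctstate_match(bool has_nfct, bool untracked, int ctinfo,
		   uint32_t state_mask, bool invert)
{
	return ((ctstate_bit(has_nfct, untracked, ctinfo) & state_mask) != 0) != invert;
}

/* True if every reachable packet condition yields exactly one bit and that
 * bit is one of the five user-visible states: exhaustive and exclusive. */
bool ctstates_partition_all_packets(void)
{
	const uint32_t five = XT_CONNTRACK_STATE_INVALID | XT_CONNTRACK_STATE_NEW |
			      XT_CONNTRACK_STATE_ESTABLISHED |
			      XT_CONNTRACK_STATE_RELATED | XT_CONNTRACK_STATE_UNTRACKED;
	uint32_t b;
	int i;

	/* no association at all, then the untracked placeholder, then each ctinfo */
	b = ctstate_bit(false, false, 0);
	if (!b || (b & (b - 1)) || !(b & five))
		return false;
	b = ctstate_bit(true, true, 0);
	if (!b || (b & (b - 1)) || !(b & five))
		return false;
	for (i = 0; i < IP_CT_NUMBER; i++) {
		b = ctstate_bit(true, false, i);
		if (!b || (b & (b - 1)) || !(b & five))
			return false;
	}
	return true;
}

int main(void)
{
	printf("no nfct       -> bit %u\n", ctstate_bit(false, false, 0));
	printf("NEW           -> bit %u\n", ctstate_bit(true, false, IP_CT_NEW));
	printf("ESTABLISHED   -> bit %u\n", ctstate_bit(true, false, IP_CT_ESTABLISHED));
	printf("ESTAB. reply  -> bit %u\n", ctstate_bit(true, false, IP_CT_ESTABLISHED_REPLY));
	printf("untracked     -> bit %u\n", ctstate_bit(true, true, 0));
	printf("partition ok: %s\n", ctstates_partition_all_packets() ? "yes" : "no");
	return 0;
}
```

Run as-is it prints the bit chosen for each packet condition; the partition check is what answers the question in the thread: because the match computes exactly one bit per packet (no nfct gives INVALID, an attached ct gives UNTRACKED or one of NEW/ESTABLISHED/RELATED), a ruleset such as "--ctstate ESTABLISHED,RELATED ACCEPT" followed by "--ctstate INVALID DROP" leaves no packet that hits neither, and the order of those two rules cannot change which packets each one sees.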