Hello,

Jan Engelhardt wrote:
> On Wednesday 2010-07-28 07:24, Mart Frauenlob wrote:
>>
>> afaik, the (according) ct entries are destroyed on DROP.
>
> They are not destroyed on DROP, and you can easily check that.

Right, the DROP target has no direct effect on conntrack. When a packet belonging to an already existing (confirmed) connection is dropped, the conntrack entry is not destroyed. But IIUC when the first packet that would create a new connection (and a new conntrack entry) is dropped for any reason before it reaches the conntrack confirm in the LOCAL_IN or POST_ROUTING hooks (after INPUT or POSTROUTING chains), the conntrack entry is destroyed, isn't it? I guess that is what Mart meant.

--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
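The hook ordering discussed in this reply, as an added illustration that is not code from the thread or from the kernel: a simplified Python model in which conntrack lookup/creation runs at PREROUTING, the filter INPUT chain gives its verdict, and only then does the confirm hook at the end of LOCAL_IN insert a new entry into the table. The `Conntrack`, `deliver` and `scenario` names and the flow tuple are assumptions made for the example.

```python
# Simplified model of how a DROP verdict interacts with conntrack entries.
# Added illustration, not kernel code: the hook order mirrors netfilter
# (conntrack at PREROUTING, filter in INPUT, confirm at the end of LOCAL_IN),
# the data structures are assumptions for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowTuple:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Conntrack:
    table: dict = field(default_factory=dict)  # holds *confirmed* entries only

    def lookup_or_create(self, t):
        # PREROUTING conntrack hook: find the confirmed entry, or allocate a
        # fresh, still unconfirmed one that only travels with the packet.
        if t in self.table:
            return self.table[t], True
        return {"tuple": t}, False

    def confirm(self, entry):
        # Confirm hook at the very end of LOCAL_IN: first insertion into the table.
        self.table[entry["tuple"]] = entry


def deliver(ct, t, input_verdict):
    """Walk a locally destined packet through PREROUTING -> INPUT -> confirm.
    Returns (verdict, entry_present_in_table_afterwards)."""
    entry, confirmed = ct.lookup_or_create(t)
    if input_verdict == "DROP":
        # Dropped before the confirm hook: an unconfirmed entry is freed with
        # the packet, while an already confirmed entry is left untouched.
        return "DROP", t in ct.table
    if not confirmed:
        ct.confirm(entry)
    return "ACCEPT", t in ct.table


def scenario():
    ct = Conntrack()
    flow = FlowTuple("10.0.0.2", "10.0.0.1", "tcp", 40000, 22)  # constructed sample flow
    first_dropped = deliver(ct, flow, "DROP")     # first packet dropped: no entry survives
    first_accepted = deliver(ct, flow, "ACCEPT")  # first packet accepted: entry confirmed
    later_dropped = deliver(ct, flow, "DROP")     # later packet dropped: entry stays
    return first_dropped, first_accepted, later_dropped
```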