On Wednesday 2010-07-28 15:30, Pascal Hambourg wrote:

>Jan Engelhardt wrote:
>> On Wednesday 2010-07-28 07:24, Mart Frauenlob wrote:
>>>
>>> afaik, the (according) ct entries are destroyed on DROP.
>>
>> They are not destroyed on DROP, and you can easily check that.
>
>Right, the DROP target has no direct effect on conntrack. When a
>packet belonging to an already existing (confirmed) connection is
>dropped, the conntrack entry is not destroyed. But IIUC when the
>first packet that would create a new connection (and a new conntrack
>entry) is dropped for any reason before it reaches the conntrack
>confirm

Think. -m conntrack --ctstate NEW would not work if the ct only sprang
into existence once it is confirmed. The ct is created about before
you enter the mangle-PREROUTING chain.

-- 
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
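The two points made in this thread (the conntrack entry already exists, unconfirmed, when a packet reaches mangle PREROUTING, and DROP only discards the packet, never a confirmed entry) can be checked against a small model of the hook order. The following is an added illustration written for this thread, not kernel code and not anything the list participants posted. The hook priorities are the kernel's NF_IP_PRI_* values; the packet 5-tuples, the `ConntrackModel` class and the `run_scenarios` helper are constructed here for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed 5-tuple used as the conntrack key: (proto, src, sport, dst, dport)
FiveTuple = Tuple[str, str, int, str, int]

# Netfilter hook priorities on PREROUTING (lower value runs first).
# The conntrack hook (-200) sits between raw (-300) and mangle (-150), so by
# the time a rule in mangle PREROUTING runs, the entry for a fresh flow has
# already been created (still unconfirmed) and --ctstate NEW can match it.
PREROUTING_HOOKS = [
    ("raw", -300),
    ("conntrack", -200),
    ("mangle", -150),
    ("nat-dst", -100),
]
FILTER_PRIORITY = 0             # filter INPUT / FORWARD, after routing
CONFIRM_PRIORITY = 2**31 - 1    # conntrack confirm runs last (INT_MAX)


@dataclass
class Entry:
    key: FiveTuple
    confirmed: bool = False


class ConntrackModel:
    """Toy conntrack: a table of confirmed entries; an unconfirmed entry lives
    only as long as the packet that created it."""

    def __init__(self) -> None:
        self.table: Dict[FiveTuple, Entry] = {}

    def process(self, pkt: FiveTuple,
                filter_rule: Callable[[str], str]) -> Dict[str, object]:
        """Walk one packet through the hooks in priority order and record what
        each stage sees. filter_rule maps the ctstate to ACCEPT or DROP."""
        trace: Dict[str, object] = {}
        entry = None
        for name, _prio in sorted(PREROUTING_HOOKS, key=lambda h: h[1]):
            if name == "conntrack":
                entry = self.table.get(pkt)
                if entry is None:
                    entry = Entry(pkt)      # created now, not yet in the table
                    trace["ctstate"] = "NEW"
                else:
                    trace["ctstate"] = "ESTABLISHED"
            elif name == "mangle":
                # what -m conntrack --ctstate would observe in mangle PREROUTING
                trace["ctstate_at_mangle"] = trace["ctstate"]
        verdict = filter_rule(str(trace["ctstate"]))
        trace["verdict"] = verdict
        if verdict == "ACCEPT":
            # confirm hook: the entry is inserted into the table
            entry.confirmed = True
            self.table[pkt] = entry
        # On DROP the skb is freed. An unconfirmed entry is freed with it and
        # never reaches the table; a confirmed entry is untouched.
        trace["entry_in_table"] = pkt in self.table
        return trace


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Three constructed packets of one TCP flow, with different filter verdicts."""
    syn: FiveTuple = ("tcp", "10.0.0.1", 40000, "10.0.0.2", 22)
    results: Dict[str, Dict[str, object]] = {}

    # 1. First packet dropped in filter: NEW was visible in mangle, no entry remains.
    ct = ConntrackModel()
    results["first_dropped"] = ct.process(syn, lambda st: "DROP")

    # 2. First packet accepted: entry is confirmed and enters the table.
    ct = ConntrackModel()
    results["first_accepted"] = ct.process(syn, lambda st: "ACCEPT")

    # 3. Later packet of the same flow dropped: entry is still there afterwards.
    results["later_dropped"] = ct.process(syn, lambda st: "DROP")
    return results


if __name__ == "__main__":
    for name, trace in run_scenarios().items():
        print(name, trace)
```

The model deliberately ignores the reply direction, timeouts, the RELATED and INVALID states and the raw-table NOTRACK target; it only shows where in the traversal an entry comes into being and where it is confirmed, which is what the disagreement above turns on.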