Jan Engelhardt wrote:
> On Wednesday 2010-07-28 15:30, Pascal Hambourg wrote:
>>
>> Right, the DROP target has no direct effect on conntrack. When a
>> packet belonging to an already existing (confirmed) connection is
>> dropped, the conntrack entry is not destroyed. But IIUC when the
>> first packet that would create a new connection (and a new conntrack
>> entry) is dropped for any reason before it reaches the conntrack
>> confirm in the LOCAL_IN or POST_ROUTING
>> hooks (after INPUT or POSTROUTING chains), the conntrack
>> entry is destroyed, isn't it?
>
> Think. -m conntrack --ctstate NEW would not work if the ct only
> sprung into existence once it is confirmed.
> The ct is created about before you enter the mangle-PREROUTING chain.

Did I write otherwise? I wrote that the new conntrack entry created by a
packet is destroyed if that packet does not reach conntrack confirm, so I
believe it implies that it was created first. You can't destroy something
that does not exist, right?

1. Packet is seen by conntrack in PRE_ROUTING/LOCAL_OUT -> create conntrack entry.
2. Packet is seen again by conntrack in LOCAL_IN/POST_ROUTING -> confirm conntrack entry, otherwise delete it.

Am I correct?
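As an added illustration that is not part of the thread, an iptables-restore fragment built around the create/confirm lifecycle discussed above; it assumes a host that only serves SSH, and the comments note where each packet stands relative to the confirm hook:

```iptables
# Added example (not from the thread): iptables-restore fragment illustrating
# the conntrack create/confirm lifecycle. Assumption: the host only serves SSH.
*mangle
:PREROUTING ACCEPT [0:0]
# The ct entry already exists (unconfirmed) at this point, which is why
# --ctstate NEW can match in mangle PREROUTING, long before INPUT runs.
-A PREROUTING -m conntrack --ctstate NEW -j MARK --set-mark 0x1
COMMIT
*filter
:INPUT DROP [0:0]
# Packets of an already confirmed connection. Dropping one of these later on
# would not remove the entry; only the ACCEPT here is needed to keep it flowing.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# First packet of a new SSH connection: ACCEPT lets it reach the LOCAL_IN
# confirm hook, so the entry is confirmed and appears in `conntrack -L`.
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
# Any other first packet is dropped before the confirm hook, so its unconfirmed
# entry is destroyed rather than left in the table (it never shows in conntrack -L).
-A INPUT -m conntrack --ctstate NEW -j DROP
COMMIT
```

Loading this with iptables-restore and then sending a single SYN to a closed port while watching `conntrack -L` is the quickest way to check the "create, then confirm or delete" behaviour for yourself.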