(sorry for top posting)

Strangely enough, the iptables binary does not complain when I tried:

iptables -t raw -A PREROUTING -p icmp -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "RP MATCH:"

or replacing LOG with ACCEPT. But checking dmesg shows that the rule is not triggered.

Just to be sure, I added the following:

iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "FI MATCH:"

and dmesg indeed shows the rule triggering.

That said, I've now understood raw & conntrack much better, thanks.

Rgds,

On 2011-02-12, Steven Kath <steven.kath@xxxxxxxxxx> wrote:
> ----- "Pandu Poluan" <pandu@xxxxxxxxxxx> wrote: -----
>> I am wondering if the following rule will work:
>>
>> iptables -t raw -A PREROUTING -p icmp -m state --state
>> RELATED,ESTABLISHED -j ACCEPT
>>
>
> If you look at Jan's Netfilter packet flow diagram, you'll see that the raw
> PREROUTING chain is traversed before the conntrack functions are called.
> State can not be determined until after the packet is compared to the
> conntrack table. The rule you described can't work and I think the iptables
> binaries won't allow it to be created.
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>

--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
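A defensive check in the spirit of this thread, added here as an example (it is not code from the list or from either poster): it scans an iptables-save dump for rules in the raw table whose state or conntrack match names NEW, ESTABLISHED or RELATED, which cannot match there because the raw chains are traversed before conntrack classifies the packet. The ruleset below is constructed for the example; the rule text mirrors the commands discussed above.

```python
import re

# Constructed sample in iptables-save format; not the thread author's ruleset.
SAMPLE_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p icmp -m conntrack --ctstate ESTABLISHED -j LOG --log-prefix "RP MATCH:"
-A PREROUTING -p tcp --dport 22 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "FI MATCH:"
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# States that only exist once the packet has been looked up in the conntrack table.
TRACKED_STATES = {"NEW", "ESTABLISHED", "RELATED"}
STATE_ARG = re.compile(r"-m\s+(?:state|conntrack)\s+.*?--(?:ct)?state\s+(\S+)")

def find_dead_state_rules(ruleset: str) -> list[tuple[str, str]]:
    """Return (chain, rule) for every rule in the raw table whose state or
    conntrack match names NEW/ESTABLISHED/RELATED. Raw PREROUTING/OUTPUT
    run before conntrack classifies the packet, so the match never fires."""
    dead = []
    table = None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # start of a table block, e.g. *raw
        elif line == "COMMIT":
            table = None              # end of the table block
        elif table == "raw" and line.startswith("-A "):
            m = STATE_ARG.search(line)
            if m and set(m.group(1).split(",")) & TRACKED_STATES:
                dead.append((line.split()[1], line))
    return dead

if __name__ == "__main__":
    for chain, rule in find_dead_state_rules(SAMPLE_RULESET):
        print(f"raw/{chain}: state match can never succeed here: {rule}")
```

Run it against `iptables-save` output on a host to list rules that will silently never match, as the LOG experiment above showed.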