Ethy H. Brito wrote:
>
>> If you don't want this to happen, just DROP all FORWARDed traffic until
>> the SNAT rule is active.
>
> <side comment>
> Hmmm! I am looking at Jan Engelhardt's Packet Flow picture (2014-Feb-28) and
> cannot find conntrack in the output path for forwarded packets. I think we
> found a glitch in his drawing. Does he read this list?
> </side comment>

The conntrack for forwarded packets is in the PREROUTING path.

> Nope. I think this is not an ultimate solution because packets still may flow
> before the FORWARD DROP rule is in place. Your suggestion does not kill the
> race condition.

Well, that's because I put filtering rules in place with default DROP before
enabling the network for obvious safety reasons, and assumed everyone did the
same.

> This is what I see, please correct me if I'm wrong:
> 1) IP stack is in place during boot
> 2) network parameters are configured (ip addrs, routes, etc)
> 3) nf modules are loaded (/etc/modules.d??)
> 4) conntrack modules are loaded (also /etc/modules.d)
> 5) user scripts are loaded (iptables snat or FORWARD rules included)

The order is sysadmin-dependent. You decide. My iptables initscript is run
before the network is configured and activated.

> I need to ensure no packet crosses at least before conntrack is loaded

Not necessarily. You're also safe if any forwarded packet is dropped (or
forwarding is disabled) until the SNAT rule is in place. The packets will be
discarded and the conntrack entry will be destroyed immediately.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
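The ordering the reply describes (close the forward path, install SNAT, only then open forwarding), as an added example initscript fragment. This is not the poster's own script and not part of the thread; the interface names (eth0, eth1), the LAN prefix, the SNAT address, and the `IPT`/`SYSCTL` override variables are assumed placeholders. `plan_is_safe` is an added pre-flight check that refuses a rules list in which anything opening the forward path precedes the SNAT rule.

```shell
#!/bin/sh
# Added example (not the poster's initscript): apply NAT rules in an order
# that leaves no window in which a forwarded packet can create a conntrack
# entry before the SNAT rule exists. Interface names and addresses are
# assumed/constructed placeholders; IPT and SYSCTL can be overridden
# (e.g. IPT=echo SYSCTL=echo) to print the plan without root.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed LAN prefix
WAN_IP="${WAN_IP:-203.0.113.1}"          # constructed SNAT source address

# Print, one per line, the commands in the order they must run.
nat_rule_plan() {
    # Step 1: close the forward path first. Built-in chains default to
    # ACCEPT, so the DROP policy has to be set explicitly.
    echo "$SYSCTL -w net.ipv4.ip_forward=0"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -F FORWARD"
    echo "$IPT -t nat -F POSTROUTING"
    # Step 2: install SNAT while nothing can be forwarded. A packet that
    # arrives now is dropped in FORWARD and its conntrack entry destroyed.
    echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    # Step 3: only now open the forward path and enable routing.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$SYSCTL -w net.ipv4.ip_forward=1"
}

# Read a plan on stdin; return 0 only if every command that opens the
# forward path (ip_forward=1, ACCEPT in FORWARD) comes after the SNAT rule.
plan_is_safe() {
    seen_snat=0
    while IFS= read -r line; do
        case "$line" in
            *"-t nat "*"-j SNAT"*) seen_snat=1 ;;
            *"ip_forward=1"*|*"FORWARD "*"-j ACCEPT"*|*"-P FORWARD ACCEPT"*)
                [ "$seen_snat" -eq 1 ] || return 1 ;;
        esac
    done
    return 0
}

# "./nat-init.sh apply" runs the plan for real; "./nat-init.sh" prints it.
if [ "${1:-}" = "apply" ]; then
    nat_rule_plan | plan_is_safe || { echo "refusing unsafe plan" >&2; exit 1; }
    nat_rule_plan | sh -e
else
    nat_rule_plan
fi
```

Run this from the initscript that starts before the network is configured, as the reply recommends; with the forward path closed from step 1 onward, the boot order of the nf and conntrack modules no longer matters for the race.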