On 27/09/2017 at 09:52, Will Sewell wrote:
The connection tracking system stores one hash tuple of layer 3/4 information for each packet's original direction, and one for the reply direction. They are embedded in the conntrack struct which stores the actual connection state. I'm curious why this is.
Because conntrack has to process packets in both directions, and the packet header fields in the reply direction may not be obtained just by swapping the fields in the original direction.
A few examples:
- DNAT: original destination address/port != reply source address/port
- SNAT: original source address/port != reply destination address/port
- ICMP echo/reply: original type/code 8/0 != reply type/code 8/0
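To make the point of the reply concrete, here is a small toy model of a conntrack table that indexes each connection by both its original and its reply tuple. It is an added illustration written for this thread, not kernel code and not anything posted by the participants; the addresses and ports are constructed sample values, and the ICMP tuple is simplified to type/code only (the kernel also keys echo on the ICMP id). It shows that for plain TCP the reply tuple is just the swapped original, while under DNAT, SNAT or ICMP echo the packet that actually comes back would not be found by swapping the original tuple, which is why both tuples are stored.

```python
"""Toy model of conntrack's per-connection tuple pair (illustration, not kernel code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class CtTuple:
    """Layer 3/4 tuple. For TCP/UDP l4_src/l4_dst are ports; for ICMP the
    simplified model stores type in l4_src and code in l4_dst."""
    proto: str
    src: str
    l4_src: int
    dst: str
    l4_dst: int

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def naive_swap(t: CtTuple) -> CtTuple:
    """What you would get by merely swapping the endpoint fields of the original tuple."""
    return CtTuple(t.proto, t.dst, t.l4_dst, t.src, t.l4_src)

def expected_reply(orig: CtTuple,
                   snat: Optional[Tuple[str, int]] = None,
                   dnat: Optional[Tuple[str, int]] = None) -> CtTuple:
    """Tuple of the packet that actually comes back, as conntrack sees it on ingress.
    snat: (addr, port) that replaced the original source on the way out.
    dnat: (addr, port) that replaced the original destination on the way out."""
    out_src = snat or (orig.src, orig.l4_src)
    out_dst = dnat or (orig.dst, orig.l4_dst)
    if orig.proto == "icmp":
        # An echo request (type 8) is answered with an echo reply (type 0, code 0).
        return CtTuple("icmp", out_dst[0], ICMP_ECHO_REPLY, out_src[0], 0)
    return CtTuple(orig.proto, out_dst[0], out_dst[1], out_src[0], out_src[1])

class Conntrack:
    """Table keyed by BOTH tuples of every entry, each tagged with its direction."""
    def __init__(self) -> None:
        self.entries: List[Tuple[CtTuple, CtTuple]] = []
        self._index: Dict[CtTuple, Tuple[int, str]] = {}

    def add(self, orig: CtTuple, reply: CtTuple) -> int:
        idx = len(self.entries)
        self.entries.append((orig, reply))
        self._index[orig] = (idx, "original")
        self._index[reply] = (idx, "reply")
        return idx

    def lookup(self, pkt: CtTuple) -> Optional[Tuple[int, str]]:
        """Find the entry a packet belongs to and which direction it travels in."""
        return self._index.get(pkt)

def demo() -> Dict[str, dict]:
    """Build four connections (constructed sample addresses) and compare the real
    reply tuple with a naive swap of the original tuple for each."""
    ct = Conntrack()
    cases = {
        # plain TCP, no NAT: client -> server
        "tcp": (CtTuple("tcp", "192.0.2.1", 40000, "198.51.100.7", 443), None, None),
        # DNAT: client hits public VIP 203.0.113.1:80, forwarded to 10.0.0.5:8080
        "dnat": (CtTuple("tcp", "192.0.2.1", 40001, "203.0.113.1", 80), None, ("10.0.0.5", 8080)),
        # SNAT: LAN host 10.1.1.9:5000 masqueraded as 203.0.113.2:61000
        "snat": (CtTuple("tcp", "10.1.1.9", 5000, "198.51.100.7", 22), ("203.0.113.2", 61000), None),
        # ICMP echo request (type 8, code 0), no NAT
        "icmp": (CtTuple("icmp", "192.0.2.1", ICMP_ECHO_REQUEST, "198.51.100.7", 0), None, None),
    }
    results = {}
    for name, (orig, snat, dnat) in cases.items():
        reply = expected_reply(orig, snat=snat, dnat=dnat)
        ct.add(orig, reply)
        swapped = naive_swap(orig)
        results[name] = {
            "orig": orig,
            "reply": reply,
            "swap_matches": swapped == reply,
            "lookup_reply": ct.lookup(reply),   # found via the stored reply tuple
            "lookup_swap": ct.lookup(swapped),  # what a swap-only lookup would find
        }
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: swap-of-original matches real reply tuple: {r['swap_matches']}")
```

Only the plain TCP case reports a match; in the DNAT, SNAT and ICMP cases the swapped tuple is absent from the table entirely, so a conntrack that stored just the original tuple could not associate the returning packet with its connection.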