On 27/09/2017 at 10:20, Pascal Hambourg wrote:
On 27/09/2017 at 09:52, Will Sewell wrote:
The connection tracking system stores one hash tuple of layer 3/4
information for each packet's original direction, and one for the
reply direction. They are embedded in the conntrack struct which stores
the actual connection state.
I'm curious why this is.
Because conntrack has to process packets in both directions, and the
packet header fields in the reply direction may not be obtained just by
swapping the fields in the original direction.
A few examples :
- DNAT : original destination address/port != reply source address/port
- SNAT : original source address/port != reply destination address/port
- ICMP echo/reply : original type/code 8/0 != reply type/code 8/0
Oops, I meant to write:
- ICMP echo request/reply : original type/code 8/0 != reply type/code 0/0
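The point Pascal makes above, as an added example that is not part of this thread and not the kernel's code: a small C model of a conntrack entry holding an original tuple and a reply tuple. The struct layout, the function names (ct_new, ct_direction, swap_matches_reply) and the NAT parameters are this example's own simplifications of nf_conntrack_tuple / nf_conn, the addresses and ports are constructed from documentation ranges, and NAT rewriting of the ICMP echo id is not modeled. It builds the three cases from the reply (DNAT, SNAT, ICMP echo) plus a plain un-NATed flow, and shows that only in the plain case does swapping the original tuple's endpoints yield the tuple a reply packet actually carries; for the other three the swapped tuple would not match, which is why the reply tuple has to be stored separately and looked up as such.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the kernel's conntrack tuple pair (nf_conntrack_tuple
 * inside nf_conn), for illustration only. Field and function names are this
 * example's own, not the kernel's. NAT rewriting of the ICMP id is not modeled. */
enum { PROTO_ICMP = 1, PROTO_TCP = 6 };
enum { ICMP_ECHO_REQUEST = 8, ICMP_ECHO_REPLY = 0 };
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1, DIR_NONE = -1 };

typedef struct {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;
    /* TCP: ports. ICMP: src_port carries the echo id, dst_port the type. */
    uint16_t src_port, dst_port;
} tuple_t;

/* One conntrack entry: the original-direction tuple and the reply tuple. */
typedef struct { tuple_t tuple[2]; } conntrack_t;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int tuple_eq(const tuple_t *a, const tuple_t *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto
        && a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* The naive assumption from the question: reply == original with endpoints swapped. */
static tuple_t swap_tuple(const tuple_t *t) {
    tuple_t r = { t->dst_ip, t->src_ip, t->proto, t->dst_port, t->src_port };
    return r;
}

/* Build the entry as conntrack must: the reply tuple describes the flow as the
 * peer sees it, i.e. after DNAT/SNAT, and for ICMP echo with the type inverted.
 * A zero NAT address/port means "no mapping" (constructed convention). */
static conntrack_t ct_new(const tuple_t *orig, uint32_t dnat_ip, uint16_t dnat_port,
                          uint32_t snat_ip, uint16_t snat_port) {
    conntrack_t ct;
    tuple_t *reply = &ct.tuple[DIR_REPLY];
    ct.tuple[DIR_ORIGINAL] = *orig;
    reply->proto = orig->proto;
    /* Reply source = where the packet was really delivered (post-DNAT). */
    reply->src_ip   = dnat_ip   ? dnat_ip   : orig->dst_ip;
    reply->src_port = dnat_port ? dnat_port : orig->dst_port;
    /* Reply destination = the source address the peer saw (post-SNAT). */
    reply->dst_ip   = snat_ip   ? snat_ip   : orig->src_ip;
    reply->dst_port = snat_port ? snat_port : orig->src_port;
    if (orig->proto == PROTO_ICMP) {
        reply->src_port = orig->src_port;                 /* echo id is kept */
        reply->dst_port = (orig->dst_port == ICMP_ECHO_REQUEST)
                          ? ICMP_ECHO_REPLY : orig->dst_port;   /* type 8 -> 0 */
    }
    return ct;
}

/* Classify a packet by matching it against both stored tuples, as the conntrack
 * hash lookup does; this is how one entry serves both directions. */
static int ct_direction(const conntrack_t *ct, const tuple_t *pkt) {
    if (tuple_eq(&ct->tuple[DIR_ORIGINAL], pkt)) return DIR_ORIGINAL;
    if (tuple_eq(&ct->tuple[DIR_REPLY], pkt))    return DIR_REPLY;
    return DIR_NONE;
}

/* 1 if a plain swap of the original tuple equals the stored reply tuple. */
static int swap_matches_reply(const conntrack_t *ct) {
    tuple_t s = swap_tuple(&ct->tuple[DIR_ORIGINAL]);
    return tuple_eq(&s, &ct->tuple[DIR_REPLY]);
}

/* Constructed scenarios (addresses taken from documentation ranges). */
static conntrack_t example_plain(void) {   /* no NAT: swapping is enough */
    tuple_t o = { ip4(10,0,0,5), ip4(203,0,113,7), PROTO_TCP, 40000, 443 };
    return ct_new(&o, 0, 0, 0, 0);
}
static conntrack_t example_dnat(void) {    /* VIP 198.51.100.1:80 -> backend 192.0.2.10:8080 */
    tuple_t o = { ip4(10,0,0,5), ip4(198,51,100,1), PROTO_TCP, 40000, 80 };
    return ct_new(&o, ip4(192,0,2,10), 8080, 0, 0);
}
static conntrack_t example_snat(void) {    /* LAN host masqueraded as 198.51.100.2:61000 */
    tuple_t o = { ip4(192,168,1,20), ip4(203,0,113,7), PROTO_TCP, 51000, 443 };
    return ct_new(&o, 0, 0, ip4(198,51,100,2), 61000);
}
static conntrack_t example_icmp(void) {    /* echo request, id 0x1234, no NAT */
    tuple_t o = { ip4(10,0,0,5), ip4(203,0,113,7), PROTO_ICMP, 0x1234, ICMP_ECHO_REQUEST };
    return ct_new(&o, 0, 0, 0, 0);
}

int main(void) {
    conntrack_t cases[4] = { example_plain(), example_dnat(), example_snat(), example_icmp() };
    const char *names[4] = { "plain", "DNAT", "SNAT", "ICMP echo" };
    for (int i = 0; i < 4; i++)
        printf("%-9s reply tuple derivable by swapping: %s\n", names[i],
               swap_matches_reply(&cases[i]) ? "yes" : "no");
    return 0;
}
```

Running it prints "yes" only for the plain case. The check that matters operationally is ct_direction: a reply packet for the DNAT'd flow arrives with source 192.0.2.10:8080, which matches the stored reply tuple but not the swapped original tuple, so an implementation that kept only one tuple and swapped it at lookup time would treat every reply of a NATed or ICMP echo flow as a new, untracked connection.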