> I don't know the detail of conntrack data structures, but conntrack watches
> packets in two places :
> - when the packet enters netfilter (PREROUTING or OUTPUT)
> - when the packet leaves netfilter (POSTROUTING or INPUT)

Ah, I think my confusion came from the meaning of the "original" and "reply" directions. I had assumed original packets were those packets entering Netfilter from the outside network, and reply packets were those entering Netfilter from the local machine and which are sent externally.

It sounds like you're saying original packets are what enters Netfilter, and reply packets are those which leave Netfilter (after potentially being transformed) and are propagated up the networking stack. In which case my previous goes away, because conntrack can hold a reference to the connection in the conntrack struct while the packet is passing through Netfilter.

Thank you,
Will

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html