> Quite simple. After conntrack has seen the first original packet leave, it
> knows what a reply packet should look like when it enters.
> Roughly, a packet entering netfilter in the reply direction is the reverse
> of a packet leaving netfilter in the original direction.

Ah, so are you saying conntrack can simply switch the source information with the destination information of an original direction packet leaving netfilter to get the source/destination information of a packet that is entering netfilter from the reply direction? That makes sense if so!
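As an added illustration of the swap described in this exchange (example code, not from the thread or from the kernel's conntrack sources), here is a toy tracker that stores the original tuple and its inverse on the first packet and then classifies later packets by direction and state. The `Tuple` and `Conntrack` names, fields and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass

# Toy model of conntrack's reply-tuple derivation (constructed for illustration,
# not the kernel's nf_conntrack_tuple). Only address/port protocols are modelled.

@dataclass(frozen=True)
class Tuple:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def invert(self) -> "Tuple":
        # The expected reply is the original tuple with source and destination
        # (address and port) swapped; protocol stays the same.
        return Tuple(self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    def __init__(self) -> None:
        self.table: dict = {}       # tuple -> (conn_id, direction)
        self.seen_reply: dict = {}  # conn_id -> True once a reply was seen
        self.next_id = 0

    def track(self, pkt: Tuple):
        """Return (conn_id, direction, state) for a packet.

        direction is "ORIGINAL" or "REPLY"; state is "NEW" until a packet has
        been seen in both directions, then "ESTABLISHED".
        """
        hit = self.table.get(pkt)
        if hit is None:
            # First packet of a flow: remember it and the precomputed inverse so
            # the reply is recognised when it enters in the other direction.
            cid = self.next_id
            self.next_id += 1
            self.table[pkt] = (cid, "ORIGINAL")
            self.table[pkt.invert()] = (cid, "REPLY")
            self.seen_reply[cid] = False
            return (cid, "ORIGINAL", "NEW")
        cid, direction = hit
        if direction == "REPLY":
            self.seen_reply[cid] = True
        state = "ESTABLISHED" if self.seen_reply[cid] else "NEW"
        return (cid, direction, state)
```

Note that in the real kernel the reply tuple is also where NAT mappings are recorded, so for NATed connections it is not a plain swap of the original tuple; this model ignores NAT.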