Re: the impossible "iptables -C" option

On Sat, 2004-07-24 at 05:16, Chris Brenton wrote:

> The problem is a majority of the time the check would end up reporting "it
> depends". For example, what if you try to check what would happen to a
> packet coming from the Internet to an internal system from 22/TCP to an
> upper port number, with the ACK flag set and "foo" in the payload? You
> may not have a rule that specifically lets this traffic through, but it
> might actually pass if it ends up being a state match due to an initial
> outbound SYN packet. So how iptables would handle this packet "depends"
> on what traffic went by prior to it.

I'm not sure how that affects the ability to report what it would
do with a packet "right now" and why, or the user's need for this
report when trying to debug a problem.  I have a situation where
I can see strange results with tcpdump and would like to know
what combination of rules is causing it.

---
  Les Mikesell
   les@xxxxxxxxxxxxxxxx
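The "it depends" point above, and the "what rule matched, and why" report Les is asking for, can be made concrete with a toy model of first-match rule evaluation against a connection table. This is an added example, not code from either poster and not iptables itself: the Packet and Rule fields, the two-rule chain, the addresses and ports, and the simplified conntrack behaviour (a flow is recorded only when a packet is accepted) are all assumptions made for the illustration. The same inbound 22/TCP-to-high-port ACK packet is dropped by the chain policy on a cold state table and accepted by the ESTABLISHED rule once an outbound SYN has gone by.

```python
"""Toy first-match firewall with a connection-state table.

Added illustration for the netfilter thread; not iptables code.  The
rule fields, the two-rule chain, the addresses/ports and the simplified
conntrack model are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags present, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    name: str
    target: str                             # "ACCEPT" or "DROP"
    direction: Optional[str] = None         # None means "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    state: Optional[str] = None             # "NEW" or "ESTABLISHED"
    flags: Optional[FrozenSet[str]] = None  # all of these flags must be set


class Firewall:
    """Ordered rules, first match wins, chain policy applies otherwise."""

    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy
        # Assumed conntrack model: the unordered endpoint pair of every
        # accepted packet is remembered; a later packet in either
        # direction on that pair is ESTABLISHED.
        self.conntrack: Set[FrozenSet[Tuple[str, int]]] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def _state(self, pkt: Packet) -> str:
        return "ESTABLISHED" if self._flow_key(pkt) in self.conntrack else "NEW"

    @staticmethod
    def _matches(rule: Rule, pkt: Packet, state: str) -> bool:
        if rule.direction is not None and rule.direction != pkt.direction:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        if rule.sport is not None and rule.sport != pkt.sport:
            return False
        if rule.state is not None and rule.state != state:
            return False
        if rule.flags is not None and not rule.flags <= pkt.flags:
            return False
        return True

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason): which rule or policy decided, and the
        connection state the decision was made under."""
        state = self._state(pkt)
        for rule in self.rules:
            if self._matches(rule, pkt, state):
                verdict = rule.target
                reason = f"rule '{rule.name}' matched with state {state}"
                break
        else:
            verdict = self.policy
            reason = f"no rule matched (state {state}); chain policy {self.policy}"
        if verdict == "ACCEPT":
            self.conntrack.add(self._flow_key(pkt))
        return verdict, reason


# Assumed chain: let hosts open SSH outbound, let replies to known flows in.
RULES = [
    Rule("allow-new-outbound-ssh", "ACCEPT", direction="out", dport=22,
         state="NEW", flags=frozenset({"SYN"})),
    Rule("allow-established", "ACCEPT", state="ESTABLISHED"),
]


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Evaluate the thread's inbound 22/TCP ACK packet on a cold state
    table and again after the matching outbound SYN was seen."""
    # Constructed sample packets (documentation/private ranges).
    reply = Packet("in", "203.0.113.10", 22, "192.168.1.5", 40000, frozenset({"ACK"}))
    syn = Packet("out", "192.168.1.5", 40000, "203.0.113.10", 22, frozenset({"SYN"}))

    cold = Firewall(RULES)
    before = cold.evaluate(reply)          # nothing seen yet -> policy DROP

    warm = Firewall(RULES)
    warm.evaluate(syn)                     # outbound SYN creates the flow entry
    after = warm.evaluate(reply)           # same packet -> ESTABLISHED -> ACCEPT
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("cold state table:  ", before)
    print("after outbound SYN:", after)
```

The reason string is the part a debugging user wants: it names the rule (or the policy) and the state it was evaluated under, so a check tool can answer "right now" while making explicit that the answer hinges on the state table.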
