Re: Where is conntrack in the iptables chain?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick Schaaf <bof@bof.de>
To: Scott MacKay <scottmackay@yahoo.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Where is conntrack in the iptables chain?
Date: Mon, 25 Aug 2003 13:22:17 +0200	[thread overview]
Message-ID: <20030825112217.GF423@oknodo.bof.de> (raw)
In-Reply-To: <20030825111112.16579.qmail@web13907.mail.yahoo.com>

On Mon, Aug 25, 2003 at 04:11:12AM -0700, Scott MacKay wrote:
> I was wondering, where in the iptables chain does
> conntrack start?  In the segment of the chain, does it
> ack before or after inserted rules (like QUEUE)?

What do you mean with 'does it ack'? conntracking is not supposed
to pass verdicts on a packet, it's just looking up tracking information
for a passing packet.

That connection lookup happens before all other hooks, i.e. before a
packet enters iptables in the mangle table PREROUTING chain. Thus,
even rules in the prerouting chain can already use the tracking
information.

Does that answer your question?

best regards
  Patrick

next prev parent reply	other threads:[~2003-08-25 11:22 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-08-15  9:13 how to clear the conntrack table! Decoy
2003-08-23 21:08 ` Harald Welte
2003-06-27  9:28   ` Flavio Pescuma
2003-08-25 10:14   ` Eicke Friedrich
2003-08-25 10:31     ` Patrick McHardy
2003-08-25 11:11   ` Where is conntrack in the iptables chain? Scott MacKay
2003-08-25 11:22     ` Patrick Schaaf [this message]
2003-08-25 11:29       ` Scott MacKay
2003-08-25 11:43         ` Patrick Schaaf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030825112217.GF423@oknodo.bof.de \
    --to=bof@bof.de \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=scottmackay@yahoo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.