UDP entries do not list ctstate

UDP entries do not list ctstate

[Jan Engelhardt]

Hi,


to figure out what Netfilter actually does, we add a rule to match 
incoming DNS replies for demonstrational purposes:

	iptables -I INPUT -p udp --sport 53 -m conntrack --ctstate 
	ESTABLISHED

as one would expect, ESTABLISHED matches. Now, after the DNS reply has 
been received, running `conntrack -L | grep udp` does not show the 
string "ESTABLISHED" at all, even if I run it within the UDP conntrack 
timeout. Glitch/Bug in /usr/sbin/conntrack?

Re: UDP entries do not list ctstate

[Pablo Neira Ayuso]

Hi Jan,

Jan Engelhardt wrote:
> to figure out what Netfilter actually does, we add a rule to match 
> incoming DNS replies for demonstrational purposes:
> 
> 	iptables -I INPUT -p udp --sport 53 -m conntrack --ctstate 
> 	ESTABLISHED
> 
> as one would expect, ESTABLISHED matches. Now, after the DNS reply has 
> been received, running `conntrack -L | grep udp` does not show the 
> string "ESTABLISHED" at all, even if I run it within the UDP conntrack 
> timeout. Glitch/Bug in /usr/sbin/conntrack?

The output is compatible with /proc/net/ip_conntrack which doesn't show
the generic states for UDP. Instead, it shows the flag assured when we
have seen traffic in both directions.

BTW, you can also `use conntrack -L -p udp' to filter so you don't need
to use grep for this particular case.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers