From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pascal Hambourg
Subject: Re: Nat and firewall holes
Date: Mon, 22 Mar 2010 18:39:47 +0100
Message-ID: <4BA7AB63.6090908@plouf.fr.eu.org>
References: <4BA7A4F9.6020001@plouf.fr.eu.org>
Mime-Version: 1.0
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-Reply-To:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="iso-8859-1"
To: netfilter@vger.kernel.org

ratheesh k wrote:
> On Mon, Mar 22, 2010 at 10:42 PM, Pascal Hambourg wrote:
>> If a crafted packet matches all the characteristics of the conntrack
>> entry for that connection (including reply source port 80, TCP sequence
>> number), then it will be considered belonging to the reply direction of
>> that connection and the NAT will process it accordingly.
>
> I thought only a tuple of IP and port is kept for connection
> tracking (not TCP sequence).

Window and sequence number tracking has been included in TCP connection
tracking since kernel 2.6.9, making out-of-window segments INVALID.
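To make the point of this exchange concrete, here is an added Python model of the in-window test that netfilter's TCP conntrack applies (the four checks of the kernel's tcp_in_window(), which exist since 2.6.9). It is not code from the netfilter project or from anyone in this thread. The established-connection state (client ISN 1000, server ISN 5000, both windows 65535), the segments fed to it and the attacker's guessed sequence number are constructed for the example; the constant MAXACKWINCONST = 66000 is taken from nf_conntrack_proto_tcp.c. Window scaling, SACK, zero-window handling, TCP state transitions and the SYN bootstrap of the state are left out, so this shows the shape of the check, not a bit-exact reimplementation. It shows what the reply above states: a spoofed segment that matches the whole tuple (server address, source port 80, client address and port) is still INVALID unless its sequence and ack numbers also fit the tracked window, and a segment whose numbers the attacker guesses exactly is indistinguishable from a genuine reply.

```python
"""Simplified model of netfilter's TCP window tracking (tcp_in_window).

Added example, not netfilter code. Numbers below are constructed.
"""
from dataclasses import dataclass

MASK = 0xFFFFFFFF
MAXACKWINCONST = 66000          # constant from nf_conntrack_proto_tcp.c
ORIGINAL, REPLY = 0, 1          # IP_CT_DIR_ORIGINAL / IP_CT_DIR_REPLY


def before(a, b):
    """True if sequence number a precedes b in 32-bit sequence space
    (the kernel's before(): signed (a - b) < 0)."""
    return ((a - b) & MASK) >= 0x80000000


def after(a, b):
    return before(b, a)


@dataclass
class DirState:
    td_end: int      # end of the last segment this side sent
    td_maxend: int   # highest seq the peer has agreed to accept (peer's ack + window)
    td_maxwin: int   # largest window this side has advertised


@dataclass
class Conntrack:
    seen: tuple                  # (state of ORIGINAL side, state of REPLY side)
    be_liberal: bool = False     # net.netfilter.nf_conntrack_tcp_be_liberal


def tcp_in_window(ct, direction, seq, ack, win, payload_len,
                  syn=False, fin=False, rst=False):
    """Return True if conntrack keeps the segment as part of the connection,
    False if it is marked INVALID. The segment is assumed to already match
    the connection's address/port tuple; only seq/ack/window are judged."""
    sender, receiver = ct.seen[direction], ct.seen[1 - direction]
    end = (seq + payload_len + int(syn) + int(fin)) & MASK
    maxackwindow = max(sender.td_maxwin, MAXACKWINCONST)

    in_win = (before(seq, sender.td_maxend + 1)                       # I: within peer's window
              and after(end, sender.td_end - receiver.td_maxwin - 1)  # II: not hopelessly old
              and before(ack, receiver.td_end + 1)                    # III: does not ack unsent data
              and after(ack, receiver.td_end - maxackwindow - 1))     # IV: ack not too old

    if in_win:
        # Advance the tracked window the way a genuine segment does.
        sender.td_maxwin = max(sender.td_maxwin, win)
        if after(end, sender.td_end):
            sender.td_end = end
        if after(ack + win, receiver.td_maxend - 1):
            receiver.td_maxend = (ack + win) & MASK
        return True
    # Documented tcp_be_liberal semantics: only out-of-window RSTs stay INVALID.
    return ct.be_liberal and not rst


def established_ct(be_liberal=False):
    """Constructed state as held right after a completed handshake:
    client ISN 1000, server ISN 5000, both sides advertising 65535."""
    client_isn, server_isn, win = 1000, 5000, 65535
    client = DirState(td_end=client_isn + 1, td_maxend=client_isn + 1 + win, td_maxwin=win)
    server = DirState(td_end=server_isn + 1, td_maxend=server_isn + 1 + win, td_maxwin=win)
    return Conntrack(seen=(client, server), be_liberal=be_liberal)


def run_scenario():
    """Segments that all match the connection's tuple; only seq/ack differ."""
    r = {}
    ct = established_ct()
    # Genuine HTTP response: seq/ack continue where the handshake left off.
    r["genuine_reply"] = tcp_in_window(ct, REPLY, seq=5001, ack=1001, win=65535, payload_len=1460)
    # Spoofed "reply" from the server's address, source port 80, guessed seq.
    r["spoofed_bad_seq"] = tcp_in_window(ct, REPLY, seq=0x12345678, ack=1001, win=65535, payload_len=100)
    # Spoofed segment whose seq/ack are guessed exactly: treated as reply traffic.
    r["spoofed_good_seq"] = tcp_in_window(ct, REPLY, seq=6461, ack=1001, win=65535, payload_len=100)
    # Original direction: acking data the server never sent fails check III.
    r["spoofed_ack_unsent"] = tcp_in_window(ct, ORIGINAL, seq=1001, ack=9999, win=65535, payload_len=0)
    # With tcp_be_liberal=1 the bad-seq data segment passes, an out-of-window RST does not.
    liberal = established_ct(be_liberal=True)
    r["liberal_bad_seq_data"] = tcp_in_window(liberal, REPLY, seq=0x12345678, ack=1001, win=65535, payload_len=100)
    r["liberal_bad_seq_rst"] = tcp_in_window(liberal, REPLY, seq=0x12345678, ack=1001, win=0, payload_len=0, rst=True)
    return r


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:22s} -> {'tracked' if accepted else 'INVALID'}")
```

Two practical consequences follow from the model. A segment that fails the window check is INVALID: it is not NATed and does not match `--ctstate ESTABLISHED`, so a ruleset must drop `-m conntrack --ctstate INVALID` explicitly rather than rely on it falling through to some stateless ACCEPT. And setting `net.netfilter.nf_conntrack_tcp_be_liberal=1` (sometimes done to paper over asymmetric routing) switches this protection off for everything but RSTs, which brings back the tuple-only tracking ratheesh assumed.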