Netfilter: Rule matching questions

Discussion in 'Linux Networking' started by Avi .L., Jun 26, 2003.

  1. Avi .L.

    Avi .L. Guest

    Netfilter supports connection tracking and stateful inspection giving
    us the ability to match a packet with a session.

    I have questions regarding to iptables rules matching and connection
    tracking mechanism.

    Assuming I configured an iptable rule which MARK packets going to port
    80 with a certain value:

    1. Is it true that the rule matching is done per packet and not per
    session ?
    (If we know for a certain packet in a session its port then we know it
    for the rest of the session packets, so it is enough to do it on the
    first session's packet).

    2. Is it true that iptables rules which specifies port numbers don't
    use the stateful support ? (for example, if I configured a MARK rule
    on a packet going to/ from port 20 (ftp-data) why shouldn't it apply
    also on RELATED sessions which were opened using the passive mode).

    Assuming I configured a NAT rule :

    1. Is it true that for NAT rule matching is done on a per session base
    ?
    (I think I read that there is a cache for NAT decisions on a per
    session base)
     
    Avi .L., Jun 26, 2003
    #1
    1. Advertisements

  2. Dans sa prose, Avi .L. nous ecrivait :
    It is.
    However, you have connmark match and CONNMARK target that allows session
    marking.
    Using CONNMARK you do, not if MARK is used.
    Yes it is. See CONNMARK.
    Yop.
    Only NEW packets are going through nat table. Following packets
    (ESTABLISHED or RELATED ones) are handled by conntrack engine just before.
    Not really.
    As conntrack is prior to any table, further packets are direclty
    identified as belonging to a NAT session. For this session is fully
    described within conntrack entry, Netfilter does not need the packet to
    cross nat table to handle it properly.
     
    Cedric Blancher, Jun 26, 2003
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.