Casual technical question about /etc/services

Tarek W. mailinglists1 at hotpop.com
Mon Mar 29 17:45:15 PST 2004


On Thu, 2004-03-25 at 20:46, Dagmar d'Surreal wrote: [snipped]
> Actually, I've just been assuming that because it "just works" over
> here, but I'm still in the dark about one thing... Is it /necessary/ to
> have the state matching module invoked on the OUTPUT chain in a manner
> that causes it to "become aware of" the outgoing UDP packets so that it
> can match ESTABLISHED,RELATED for the return packets, or it this just a
> fixed overhead "cost" on all traffic from loading the state matching
> module?  I haven't seen this issue explicitly documented yet, and I've
> been looking.

a couple of points u should be aware of:

1) state matching is only possible with the help of ip_conntrack

2) ip_conntrack is either loaded by explicitely using "-m state" in an
iptables rule or by manually loading it

3) if ip_conntrack is loaded, it tracks all packets in the *hooks*
PRE_ROUTING and LOCAL_OUT to "mark" entries with connection states

however, there exists a patch in patch-o-matic-ng which adds a raw table
and a NOTRACK target. u might want to investigate that for whatever
purpose ur asking this.




More information about the hlfs-dev mailing list