
Re: Connection states information tables



On Tue, 14 Sep 2004, Lorenzo Rossi wrote:

>  I have a question concerning the tables where the information about the
>  connection state is maintained.
>  I configured my firewall script with the following lines, to permit the
>  SSH traffic originating from the protected zone to go to the Internet.
>
>  iptables -A TCP_IN -i $INTERFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
>
>  iptables -A TCP_OUT -o $INTERFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> The custom chain TCP_IN is listed in the default INPUT chain.
> The custom chain TCP_OUT is listed in the default OUTPUT chain.
> The default policy for the INPUT and OUTPUT chains, as you can imagine,
> is to DROP.
>
>  My question is:
>  How many state tables are used? One table for each main chain?
>  One for INPUT and one for OUTPUT?

A single hash and not a table contains the connections. When you load in
the ip_conntrack module or it is started by the non-modular kernel, the
maximal number of connections which can be stored in the hash is logged:

% dmesg | grep ip_conntrack

or

# grep ip_conntrack /var/log/kern.log

kernel: ip_conntrack version 2.1 (2043 buckets, 16344 max) - 320 bytes per conntrack
                                                ^^^^^^^^^
Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
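As an added example (not part of the thread above), the following shell functions parse the ip_conntrack banner line Jozsef points at, pull out the bucket count and the connection maximum, and compare a current entry count against that maximum so an operator can spot a table that is about to fill up and start dropping new connections. The log line and the current count of 15000 are constructed sample values, and the threshold parameter is an assumption of this example.

```shell
# Constructed sample of the kernel banner line discussed above (not a live capture).
SAMPLE_LOG='Sep 14 10:02:11 fw kernel: ip_conntrack version 2.1 (2043 buckets, 16344 max) - 320 bytes per conntrack'

# Extract the number of hash buckets from an ip_conntrack banner line.
conntrack_buckets() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\) buckets, \([0-9]*\) max).*/\1/p'
}

# Extract the maximum number of connections the hash can hold.
conntrack_max() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\) buckets, \([0-9]*\) max).*/\2/p'
}

# Integer percentage of the table in use, given the current entry count
# (on a live 2.4/2.6 box: wc -l < /proc/net/ip_conntrack) and the maximum.
conntrack_usage_pct() {
    current=$1
    max=$2
    echo $(( current * 100 / max ))
}

# Print WARN once usage reaches the threshold percentage, OK otherwise.
# A full conntrack table means the firewall silently drops new connections.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN"
    else
        echo "OK"
    fi
}

# Example run against the constructed line with a constructed current count of 15000.
max=$(conntrack_max "$SAMPLE_LOG")
echo "buckets=$(conntrack_buckets "$SAMPLE_LOG") max=$max"
echo "usage: $(conntrack_usage_pct 15000 "$max")% -> $(conntrack_check 15000 "$max" 80)"
```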


