
Re: ssh connection survives reboot of stateful iptables router



On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> [2006.07.04.1130 +0200]:
> > > is the same, meaning that the INVALID state matches all non-SYN
> > > packets at this point.
> >
> > That's plain false: the INVALID state does not match all non-SYN packets
> > at that point. It's nowhere written or stated in any decent documentation.
>
> Let me get this straight:
>
>   http://www.faqs.org/docs/iptables/userlandstates.html
>
>     The INVALID state means that the packet can not be identified or
>     that it does not have any state.
>
> From what I was told, a packet that is not ESTABLISHED or RELATED,
> but does not have the SYN bit set cannot be identified and thus has
> no state.

That is false, because from the connection tracking point of view a plain ACK
packet which does not belong to any existing connection has got a state,
which is NEW. That is why connection pickup can work.

> I seem to recall it was actually an iptables developer who told me that
> INVALID = ALL - (ESTABLISHED + RELATED + NEW).

And that is correct.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
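An added illustration of the point argued above, not part of the thread: a toy model of how conntrack classifies a mid-stream ssh ACK once the router's state table has been lost, and how a ruleset that accepts NEW to port 22 lets the pickup through unless it also drops non-SYN NEW packets. The sysctl name nf_conntrack_tcp_loose (which controls pickup) and the iptables idiom `-p tcp ! --syn -m state --state NEW -j DROP` are assumed from general Netfilter knowledge; addresses and rule tables are constructed.

```python
"""Toy model of the conntrack decision discussed above: whether a mid-stream
ssh ACK is NEW (picked up) or INVALID once the router's state table is gone.
Constructed simplification of the behaviour, not the kernel code."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
SYN, ACK = "SYN", "ACK"

class Conntrack:
    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose  # nf_conntrack_tcp_loose sysctl, default 1
        self.table = set()          # known flows; RELATED is not modelled

    def classify(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "ESTABLISHED"
        if SYN in pkt.flags and ACK not in pkt.flags:
            self.table.add(key)
            return "NEW"
        if self.tcp_loose:  # plain ACK with no entry is still NEW (pickup)
            self.table.add(key)
            return "NEW"
        return "INVALID"    # everything else: ALL - (ESTABLISHED + RELATED + NEW)

def decide(rules, state, pkt):
    """Walk rules as (states, want_syn, target); the chain policy is DROP."""
    for states, want_syn, target in rules:
        if state in states and (want_syn is None or (SYN in pkt.flags) == want_syn):
            return target
    return "DROP"

# Constructed addresses. Both rulesets accept NEW to port 22 as the thread's
# router does; STRICT also has `-p tcp ! --syn -m state --state NEW -j DROP`.
SSH_ACK = Packet("10.0.0.5", 51234, "192.0.2.10", 22, frozenset({ACK}))
SSH_SYN = Packet("10.0.0.5", 51234, "192.0.2.10", 22, frozenset({SYN}))
COMMON = [({"ESTABLISHED", "RELATED"}, None, "ACCEPT"), ({"INVALID"}, None, "DROP")]
LOOSE_RULES = COMMON + [({"NEW"}, None, "ACCEPT")]
STRICT_RULES = COMMON + [({"NEW"}, False, "DROP"), ({"NEW"}, None, "ACCEPT")]

def after_reboot(rules, pkt=SSH_ACK, tcp_loose=True):
    """Fresh (empty) state table, as after the reboot; classify, then filter."""
    state = Conntrack(tcp_loose).classify(pkt)
    return state, decide(rules, state, pkt)
```

With the loose ruleset the ssh ACK is classed NEW and accepted, so the session survives the reboot; the `! --syn` rule drops it, and only a fresh SYN gets through.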
