On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Jozsef Kadlecsik <[EMAIL PROTECTED]> [2006.07.04.1130 +0200]:
> > > is the same, meaning that the INVALID state matches all non-SYN
> > > packets at this point.
> >
> > That's plain false: the INVALID state does not match all non-SYN packets
> > at that point. It's nowhere written or stated in any decent documentation.
>
> Let me get this straight:
>
> http://www.faqs.org/docs/iptables/userlandstates.html
>
> The INVALID state means that the packet can not be identified or
> that it does not have any state.
>
> From what I was told, a packet that is not ESTABLISHED or RELATED,
> but does not have the SYN bit set cannot be identified and thus has
> no state.

That is false, because from the connection tracking point of view a plain ACK packet which does not belong to any existing connection has got a state, which is NEW. That is why connection pickup can work.

> I seem to recall it was actually an iptables developer who told me that
> INVALID = ALL - (ESTABLISHED + RELATED + NEW).

And that is correct.

Best regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
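The state semantics argued over in this thread, as an added example that is not part of the message or of netfilter's code: a small Python model of the tracker's decision, where `tcp_loose` stands in for the kernel's mid-stream pickup switch (assumed enabled, as the reply implies) and the RELATED path assumes a protocol helper that has announced the flow beforehand.

```python
# Simplified model of the connection-tracking decision behind the iptables
# states NEW / ESTABLISHED / RELATED / INVALID. Added example, not kernel
# code: it keeps the decisions the thread argues about (SYN vs. plain ACK
# vs. other flags, with and without a tracked entry) and nothing else.
# A flow is ((src_ip, src_port), (dst_ip, dst_port)); flags are strings.

def tcp_index(flags):
    """Reduce a flag set to the class the tracker keys its state table on."""
    if "SYN" in flags:
        return "SYNACK" if "ACK" in flags else "SYN"
    for f in ("FIN", "RST", "ACK"):
        if f in flags:
            return f
    return "NONE"

class Conntrack:
    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose   # pickup of mid-stream ACKs (assumed on)
        self.flows = {}              # original-direction flow -> reply seen?
        self.expected = set()        # flows announced by a helper (e.g. FTP data)

    def classify(self, flow, flags):
        flags = frozenset(flags)
        # Flag combinations the tracker rejects before any table lookup.
        if ({"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags
                or ("FIN" in flags and "ACK" not in flags)
                or tcp_index(flags) == "NONE"):
            return "INVALID"
        reverse = (flow[1], flow[0])
        if reverse in self.flows:            # reply direction of a tracked flow
            self.flows[reverse] = True
            return "ESTABLISHED"
        if flow in self.flows:               # original direction, retransmits included
            return "ESTABLISHED" if self.flows[flow] else "NEW"
        if flow in self.expected:            # a helper predicted this flow
            self.expected.discard(flow)
            self.flows[flow] = False
            return "RELATED"
        # No entry: a SYN may open one; so may a plain ACK when pickup is on.
        idx = tcp_index(flags)
        if idx == "SYN" or (idx == "ACK" and self.tcp_loose):
            self.flows[flow] = False
            return "NEW"
        return "INVALID"                     # lone FIN/RST/SYN-ACK, no connection
```

With pickup enabled, a plain ACK to an unknown flow comes back as NEW and its reply as ESTABLISHED, which is why "INVALID = everything that is not SYN" does not hold.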