On Thu, Mar 28, 2002 at 04:39:51PM +0100, Henrik Nordstrom wrote:
> Thanks. Explains it quite well.
>
> So there is yet another state table involved here.
>
> Now I am a little confused. What exactly is it that makes this new state table
> better suited for the job than conntrack?
Because we don't do full TCP tracking, and our NAT is quite limited (only DNAT,
and only to the local IP stack). In addition, entries are not timed out from the
table.

A new entry is added to this table when
  1) a TPROXY destination is encountered
  2) a socket is 'bound' to a foreign address (either for listening or connecting)

An entry is removed from this table when
  1) the socket associated with the entry is destroyed (iff a socket is associated
     with an entry)
  2) a TCP RST is returned by the stack (happens only when a socket is not yet
     associated)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
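The lifecycle rules Bazsi lists above (no timeouts; add on a TPROXY match or on a bind to a foreign address; remove on socket destruction, or on a TCP RST only while no socket is associated yet) can be modelled as a small user-space table. The following C program is an added illustration written for this page; it is not the TPROXY patch's own code, and the key shape (foreign address plus port), the socket id field and every function name are assumptions chosen for the example. What it shows is how this table differs from conntrack: an entry created by the TPROXY rule has no owner until a socket binds to that foreign address, a RST from the stack only clears such ownerless entries, and nothing ever expires by time.

```c
/* Added example, not TPROXY patch code: a user-space model of the
 * foreign-address table described in the message above. The key
 * (faddr, fport), the 'sock' id and all function names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 64

struct entry {
    bool     used;
    uint32_t faddr;  /* foreign address the entry is keyed on (assumed key) */
    uint16_t fport;  /* foreign port */
    int      sock;   /* associated socket id, 0 = no socket associated yet */
};

static struct entry table[TABLE_SIZE];

static struct entry *lookup(uint32_t faddr, uint16_t fport)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i].used && table[i].faddr == faddr && table[i].fport == fport)
            return &table[i];
    return NULL;
}

/* Add or update an entry; a second add for the same key only attaches
 * the socket (a TPROXY match followed by a bind ends up as one entry). */
static struct entry *add_entry(uint32_t faddr, uint16_t fport, int sock)
{
    struct entry *e = lookup(faddr, fport);
    if (e) {
        if (sock)
            e->sock = sock;
        return e;
    }
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!table[i].used) {
            table[i].used = true;
            table[i].faddr = faddr;
            table[i].fport = fport;
            table[i].sock = sock;
            return &table[i];
        }
    }
    return NULL; /* table full; the model has no eviction, like the text */
}

/* add rule 1: a packet hit a TPROXY destination, no socket is associated */
void on_tproxy_match(uint32_t faddr, uint16_t fport) { add_entry(faddr, fport, 0); }

/* add rule 2: a socket was bound to a foreign address (listen or connect) */
void on_foreign_bind(uint32_t faddr, uint16_t fport, int sock) { add_entry(faddr, fport, sock); }

/* remove rule 1: the socket owning an entry is destroyed */
void on_socket_destroy(int sock)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i].used && table[i].sock == sock)
            table[i].used = false;
}

/* remove rule 2: the stack answered with a TCP RST; only an entry with no
 * socket associated yet is dropped, an owned entry stays */
void on_tcp_rst(uint32_t faddr, uint16_t fport)
{
    struct entry *e = lookup(faddr, fport);
    if (e && e->sock == 0)
        e->used = false;
}

/* There is deliberately no timer: entries are never timed out. */
void on_timer_tick(void) { }

bool has_entry(uint32_t faddr, uint16_t fport) { return lookup(faddr, fport) != NULL; }

int entry_sock(uint32_t faddr, uint16_t fport)
{
    struct entry *e = lookup(faddr, fport);
    return e ? e->sock : -1;
}

size_t table_count(void)
{
    size_t n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        n += table[i].used;
    return n;
}

void table_reset(void)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        table[i].used = false;
}

int main(void)
{
    /* constructed walk-through: 10.0.0.1:80 is a foreign address */
    on_tproxy_match(0x0A000001, 80);   /* entry with no socket */
    on_foreign_bind(0x0A000001, 80, 7); /* proxy socket binds, takes ownership */
    on_tcp_rst(0x0A000001, 80);         /* ignored: entry is owned */
    printf("entries=%zu sock=%d\n", table_count(), entry_sock(0x0A000001, 80));
    on_socket_destroy(7);
    printf("entries after destroy=%zu\n", table_count());
    return 0;
}
```

The walk-through in `main` first creates an ownerless entry from the TPROXY rule, then lets a socket bind to the same foreign address so the two events collapse into one owned entry; the RST is then a no-op and only destroying socket 7 clears the table.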