On Thu, Mar 28, 2002 at 04:39:51PM +0100, Henrik Nordstrom wrote:
> Thanks. Explains it quite well.
> 
> So there is yet another state table involved here.
> 
> Now I am a little confused. What exactly is it that makes this new state table 
> better suited for the job than conntrack?

Because we don't do full TCP tracking, and our NAT is quite limited (only
DNAT, and only to the local IP stack). In addition, entries are not timed out
of the table.

A new entry is added to this table when:

1) a TPROXY destination is encountered
2) a socket is 'bound' to a foreign address (either for listening or
   connecting)

An entry is removed from this table when:

1) the socket associated with the entry is destroyed (iff a socket is
   associated with the entry)
2) a TCP RST is returned by the stack (happens only when a socket is
   not yet associated)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
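The add/remove rules in the mail above, modelled as a small state table. This is an added illustration, not the kernel's tproxy code; the (addr, port) key, the fixed table size and the assumption that a foreign bind on an entry created by a TPROXY hit associates the socket with that entry are mine.

```c
/* Toy model of the TPROXY table described above (added illustration, not
 * kernel code; the (addr, port) key is an assumption). Entries are added by a
 * TPROXY hit or a foreign bind, removed only by the two rules below, never timed out. */
#include <stddef.h>
#define MAX_ENTRIES 16

static struct tp_entry {
    unsigned int addr;      /* foreign IPv4 address */
    unsigned short port;
    int in_use, has_socket; /* has_socket: 1 once a socket is associated */
} table[MAX_ENTRIES];

static struct tp_entry *tp_lookup(unsigned int addr, unsigned short port)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (table[i].in_use && table[i].addr == addr && table[i].port == port)
            return &table[i];
    return NULL;
}

static int tp_add(unsigned int addr, unsigned short port, int with_socket)
{
    struct tp_entry *e = tp_lookup(addr, port);
    for (int i = 0; !e && i < MAX_ENTRIES; i++)
        if (!table[i].in_use) {            /* no timeout: a full table stays full */
            e = &table[i];
            e->in_use = 1; e->addr = addr; e->port = port; e->has_socket = 0;
        }
    if (!e) return 0;
    if (with_socket) e->has_socket = 1;    /* assumed: bind on an existing entry associates it */
    return 1;
}
/* add rule 1: TPROXY destination encountered; add rule 2: socket bound to a foreign address */
int tproxy_hit(unsigned int a, unsigned short p)          { return tp_add(a, p, 0); }
int socket_bind_foreign(unsigned int a, unsigned short p) { return tp_add(a, p, 1); }

/* remove rule 1: socket destroyed, iff a socket is associated;
 * remove rule 2: TCP RST returned by the stack, only while none is yet */
static int tp_remove(unsigned int a, unsigned short p, int need_socket)
{
    struct tp_entry *e = tp_lookup(a, p);
    if (!e || e->has_socket != need_socket) return 0;
    e->in_use = 0;
    return 1;
}
int socket_destroyed(unsigned int a, unsigned short p) { return tp_remove(a, p, 1); }
int tcp_rst_returned(unsigned int a, unsigned short p) { return tp_remove(a, p, 0); }

/* live entries, for inspection */
int tp_count(void) { int n = 0; for (int i = 0; i < MAX_ENTRIES; i++) n += table[i].in_use; return n; }
```

Walking one entry through both paths shows the asymmetry the mail describes: an RST only clears an entry that has no socket yet, and socket destruction only clears one that has.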
