[Question] conntrack RELATED PACKET..and filter..

2002-05-20 Thread
When a packet comes into the PREROUTING hook, the conntrack module handles it first. At this point, the ip_conntrack_in() function handles it, finding the protocol and finding a former related connection in the conntrack hash table using the resolve_normal_ct() function. What I ask is this

RE: Packet verdicts

2002-05-20 Thread Glover George
2002-05-17 16:18:38-0500, Glover George [EMAIL PROTECTED] - I've asked this question before, but never received any response, so forgive me for asking again. I was just looking through some things, and what I want to do has an option to do it in iptables 1.2.4, And that option is

problem when using linux2.4 as firewall

2002-05-20 Thread zheng chuanbo
Sorry to ask this question again. This is a problem when we use linux2.4 as our firewall. Our network is as the graph below; we have about 500 users. hostA--switchA---Central Switch---firewall--router || ||

Re: problem when using linux2.4 as firewall

2002-05-20 Thread Joakim Axelsson
2002-05-20 22:13:24+0800, zheng chuanbo [EMAIL PROTECTED] - Sorry to ask this question again. This is a problem when we use linux2.4 as our firewall. Our network is as the graph below; we have about 500 users. hostA--switchA---Central Switch---firewall--router |

Re: problem when using linux2.4 as firewall

2002-05-20 Thread Henrik Nordstrom
Quite likely a duplex negotiation problem. Check the duplex setting of the port where the firewall is connected, and the settings to the NIC driver on your Linux box. Having the switch configured for 100 Mbps full duplex rather than auto is recommended. Not all switches and drivers agree on

Re: Packet verdicts

2002-05-20 Thread Henrik Nordstrom
On Monday 20 May 2002 16:02, Glover George wrote: True, but I'm talking about only the INPUT, FORWARD, and OUTPUT chains. Why would you need test data? There should be a way to actually insert a packet into the real chains and see if it comes out (some sort of hook to see if it's a test

Re: Packet verdicts

2002-05-20 Thread Henrik Nordstrom
How I do it is that I have a piece of software that generates my entire ruleset according to set criteria. Every time there is a change the entire ruleset is regenerated and then installed by iptables-restore in one atomic operation (well, one atomic operation per table.. would be nice if