The following flags describe the state of the tracking:

0x01: new
    This is the beginning of a new connection. This flag may
    only be present for uncommitted connections.

0x02: est
    This is part of an already existing connection. This flag
    may only be present for committed connections.

0x04: rel
    This is a connection that is related to an existing
    connection, for instance ICMP "destination unreachable"
    messages or FTP data connections. This flag may only be
    present for committed connections.

0x08: rpl
    The flow is in the reply direction, meaning it did not
    initiate the connection. This flag may only be present
    for committed connections.

0x10: inv
    The state is invalid, meaning that the connection tracker
    couldn't identify the connection. This flag is a catch-all
    for any problems that the connection tracker may have,
    for example:

    - L3/L4 protocol handler is not loaded/unavailable. With
      the Linux kernel datapath, this may mean that the
      "nf_conntrack_ipv4" or "nf_conntrack_ipv6" modules are
      not loaded.

    - L3/L4 protocol handler determines that the packet is
      malformed.

    - Packets are unexpected length for protocol.

0x20: trk
    This packet is tracked, meaning that it has previously
    traversed the connection tracker. If this flag is not
    set, then no other flags will be set. If this flag is
    set, then the packet is tracked and other flags may also
    be set.

0x40: snat
    This packet was transformed by source address/port
    translation by a preceding ct action.

0x80: dnat
    This packet was transformed by destination address/port
    translation by a preceding ct action.

Connection State Machine: http://www.iptables.info/en/connection-state.html
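The flag descriptions above imply consistency rules that are useful when reading flow dumps or reviewing conntrack-based ACLs. The following is an added example, not part of the original documentation: it decodes a numeric state value and reports combinations that contradict those rules. The function names `decode` and `violations` are hypothetical, and the sample values are constructed.

```python
# Added example: decode a connection-tracking state bitmask and check it
# against the constraints stated in the flag descriptions.
CT_FLAGS = [
    (0x01, "new"), (0x02, "est"), (0x04, "rel"), (0x08, "rpl"),
    (0x10, "inv"), (0x20, "trk"), (0x40, "snat"), (0x80, "dnat"),
]
# Flags the text says may only be present for committed connections.
COMMITTED_ONLY = ("est", "rel", "rpl")


def decode(value):
    """Return the names of the flags set in value, lowest bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("only bits 0x01..0x80 are described")
    return [name for bit, name in CT_FLAGS if value & bit]


def violations(value):
    """List the ways value contradicts the documented flag rules."""
    names = decode(value)
    problems = []
    # "If this flag [trk] is not set, then no other flags will be set."
    if names and "trk" not in names:
        problems.append("flags set without trk: " + ",".join(names))
    # new is for uncommitted connections only; est/rel/rpl are for
    # committed connections only, so they cannot appear together.
    clash = [n for n in COMMITTED_ONLY if n in names]
    if "new" in names and clash:
        problems.append(
            "new (uncommitted only) combined with committed-only: "
            + ",".join(clash)
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real flow dump.
    for sample in (0x00, 0x21, 0x2A, 0x30, 0x02, 0x23):
        flags = "+".join(decode(sample)) or "(untracked)"
        issues = violations(sample) or ["consistent"]
        print(f"0x{sample:02x} {flags:<14} {'; '.join(issues)}")
```

A value that fails these checks did not come from a correctly functioning tracker, so it usually points to a hand-written match that can never hit or to a parsing error in the tooling that produced it.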
Time: 2024-12-17 17:31:35