Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Testing.

This patch adds a new table called 'raw' with two new targets,
'NOTRACK' and 'TRACE', to netfilter/iptables (plus some modifications).

The raw table is the very first in netfilter (it even precedes
the conntrack subsystem) and uses the PREROUTING and OUTPUT
built-in chains.

The TRACE target can be used to trace how a packet "flows through"
your tables and rules. When a packet marked with the TRACE target
matches any rule, the system logs the packet with the following
prefix:

 TRACE: tablename/chainname/rulenum packet

The internal logging functionality relies on the available
"backend" logging modules (ipt_LOG or ipt_ULOG). You must load
at least one of the logging modules. If both modules are
loaded, then by default ipt_LOG generates the internal log messages;
this can be overridden by the module parameter 'takeover' of
the ipt_ULOG module:

 modprobe ipt_ULOG takeover=1

The NOTRACK target can be used to select which packets should *not*
enter the conntrack/NAT subsystems. Please keep in mind:
if you mark a packet with NOTRACK, then

- all the conntrack functionality is lost for the packet
 (ICMP error tracking, protocol helpers, etc.)
- all the NAT functionality is also lost.

Packets marked with NOTRACK can be matched by the 'UNTRACKED'
state. Example:

# Very busy webserver
iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 80 -j NOTRACK
...

# filter rules
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
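The TRACE prefix described above is only useful once the log lines are turned back into a per-packet path through the tables. The following script is an added example (not part of the patch or of netfilter itself) that parses kernel log lines carrying the "TRACE: tablename/chainname/rulenum packet" prefix, groups the hits by packet using the SRC/DST/PROTO/SPT/DPT/ID fields that the ipt_LOG backend prints, and reconstructs the order in which each packet traversed the rules. The log lines embedded in it are constructed for the example, not captured from a real system, and the field names after the prefix are assumed to be ipt_LOG's usual KEY=VALUE output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures). Each line carries the
# TRACE prefix from the page followed by an ipt_LOG-style packet summary.
# Two packets: one to the web server (port 80) and one to port 22.
SAMPLE_LOG = """\
kernel: TRACE: raw/PREROUTING/1 IN=eth0 OUT= SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40001 DPT=80 ID=1001
kernel: TRACE: mangle/PREROUTING/0 IN=eth0 OUT= SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40001 DPT=80 ID=1001
kernel: TRACE: filter/FORWARD/1 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40001 DPT=80 ID=1001
kernel: TRACE: raw/PREROUTING/2 IN=eth0 OUT= SRC=10.0.0.9 DST=1.2.3.4 PROTO=TCP SPT=40002 DPT=22 ID=1002
kernel: TRACE: filter/FORWARD/3 IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=1.2.3.4 PROTO=TCP SPT=40002 DPT=22 ID=1002
kernel: unrelated message that is not a trace line
"""

# "TRACE: table/chain/rulenum <rest of line>" as stated in the patch description.
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>[^/\s]+)/(?P<chain>[^/\s]+)/(?P<rule>\S+)\s+(?P<packet>.*)$"
)

# Fields used to tell packets apart; ID is the IP identification printed by ipt_LOG.
KEY_FIELDS = ("SRC", "DST", "PROTO", "SPT", "DPT", "ID")


def parse_trace_line(line):
    """Return a dict with table, chain, rule and the packet's KEY=VALUE fields,
    or None if the line does not carry a TRACE prefix."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("packet").split():
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' (e.g. flag words) are ignored
            fields[key] = value
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "rule": m.group("rule"),
        "fields": fields,
    }


def packet_key(fields):
    """Tuple identifying one packet across several TRACE hits."""
    return tuple(fields.get(k, "") for k in KEY_FIELDS)


def trace_paths(log_text):
    """Group TRACE hits by packet, preserving log order, so that each packet
    maps to the list of (table, chain, rule) it matched."""
    paths = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        paths[packet_key(rec["fields"])].append((rec["table"], rec["chain"], rec["rule"]))
    return dict(paths)


def format_path(hops):
    """Render a packet's path as 'table:chain:rule -> table:chain:rule ...'."""
    return " -> ".join(f"{t}:{c}:{r}" for t, c, r in hops)


if __name__ == "__main__":
    for key, hops in trace_paths(SAMPLE_LOG).items():
        print(dict(zip(KEY_FIELDS, key)))
        print("  " + format_path(hops))
```

Because the raw table precedes conntrack, its hit is always the first hop of a traced packet; a packet whose path never reaches the filter table (for example one dropped earlier) shows up as a shorter list, which makes such gaps easy to spot when debugging a rule set.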