a) in ‘mangle’ I see also the accept/drop/reject actions. I thought mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the ‘mangle’ table just a normal firewall table that is consulted first, before the ‘filter’?
b) What is the ‘hotspot’ match in both mangle/filter? The wiki only says:
a) does connection-state=!established,related mean: !(established,related) (i.e. neither) or !established, but related?
I hope the former as there is no way to say !established,!related either, but the doco is sketchy
b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?
Mangle is for mangling packets. It has an accept action but not drop or reject.
I believe you are correct on this one. If you create a hotspot you will see a number of auto generated rules which use these different states to create jump actions. Most of the time you will not need to match these states on your own.
In my experience it means connection-state=!(established,related).
It's a unique state, or at least one that still allows new through. I have my invalid drop rule at the very top, right below the established,related allow rule. My new traffic still makes its way through the appropriate rules.
What is ‘connection-nat-state’ ? The wiki doesn’t say either.
This, along with the connection state checkboxes, is new as of ROS 6.22. The release notes offer the following insight:
*) improved connection-state matcher in firewall - can match multiple states in one rule, supports negation;
*) added connection-nat-state matcher - can match connections that are srcnatted,dstnatted or both;
Think of it as a way to create an allow-all rule for dst-nat or src-nat traffic without needing to generate both the NAT table rule and the filter table rule.
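Putting the rule order from the replies above (accept established,related first, drop invalid right below it) together with the new connection-nat-state matcher into one forward chain, as an added example that is not from this thread or from MikroTik's documentation; the WAN interface name ether1 and the internal server address 192.168.88.10 are assumptions.

```routeros
# Added example (constructed, not from the thread). RouterOS 6.22+ syntax.
# Assumption: ether1 is the WAN interface; 192.168.88.10 is an internal web server.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="constructed example: publish internal web server"

/ip firewall filter
# 1. Fast path: packets that belong to a connection the tracker already knows.
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
# 2. 'invalid' is its own state, not a shorthand for "not new": packets that
#    match no tracked connection and do not start one. Dropping it here does
#    not stop 'new' packets from reaching the rules below.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# 3. connection-nat-state=dstnat matches only connections that passed through
#    a dst-nat rule, so one filter rule covers every published service instead
#    of repeating each forwarded port in the filter table.
add chain=forward connection-state=new connection-nat-state=dstnat \
    action=accept comment="accept port-forwarded (dst-nat) connections"
# 4. Any other new connection arriving from the WAN is dropped.
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="drop unsolicited inbound"
```

Because rule 3 keys on the NAT state rather than on ports, adding a second dst-nat rule later publishes the new service without touching the filter table.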
You’re right. So ‘accept’ here only means that it stops processing the ‘mangle’ table, but doesn’t also skip the normal firewall tables (so there is still a chance to drop it)? Or does that make it just accept the packet, bypassing the main firewall?
As bajodel mentioned, each table is evaluated independently, as each has a different function. If you look at the data flow diagrams at the link below, it makes more sense.