Iptables itself is not TRACK target, so you do not need to be specified whitelist conntrack packet processing module, for example, I want to achieve: In addition to the source IP is required 192.168.10.0/16 segment is outside the track, others are not track .
Of course, you can achieve my needs through the following configuration:
iptables -t raw -A PREROUTING! -s 192.168.10.0/16 -j NOTRACK
... Reverse NOTRACK Similarly, -s -d change
If a little more complicated it? For example, in addition to the source IP restrictions, as well as protocol and port.
Familiar with the access control list design know, ACL "and" operation can be implemented in a single rule, and "or" action by a number of rules to achieve, and therefore used in the above-mentioned casually sophisticated needs, all you can do, even aside "single and / or multiple" principle, just to be a good expansion ipset out any complex configuration rules to meet the needs of any complexity.
But is there an easier way? Of course there is, and to achieve a NOTRACK opposing target, namely TRACK target can be. Its implementation is clear already attached to the skb of untracked conn. So that when I need to add track whitelist, I can do this:
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A PREROUTING $ mt1 $ mt2 ... -j TRACK # single operation of matches AND
... # Plurality of matches OR operation
iptables -t raw -A PREROUTING $ mt''1 $ mt''2 ... -j TRACK
OK, it is so very simple.
However, iptables is no built-OR operation is fully in line with the concept of ACL, the concept, or if you want to achieve, you configure multiple rules, the fact that most of the authentication system is so idea. See C language of logic will find the same idea, if it is AND operation, and then one by one statement independent of the order, because in the end each statement must be calculated all over again, if it is an OR operation, and the computational efficiency on the order of about, as long as reached the "true" value, you can calculate the end, of course, or internal details and implementation-dependent. Therefore, the AND operation, because it is closed, you can include a statement go, but the OR is not closed, you do not know where the end of the calculation.