[Bug 565] New: Problems with NOTRACK

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Sat Dec 20 09:07:17 CET 2008


           Summary: Problems with NOTRACK
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ip_conntrack
        AssignedTo: laforge at netfilter.org
        ReportedBy: turbo-drive at mail.ru

Debian etch (Linux ktmlaggregator 2.6.18-6-xen-686)

Disable forwarding of packets from the local network to the next gateway:
iptables -t raw -I PREROUTING -d ! -j NOTRACK

In the FORWARD chain, set a verification rule:
iptables -t filter -I FORWARD -m state --state UNTRACKED -j LOG
In the messages log, many messages are written; that's right, NOTRACK is working.

In the FORWARD chain, set a verification rule:
iptables -t filter -I FORWARD -m state --state NEW -j LOG
In the messages log, no iptables messages; that's right, NOTRACK is working.

BUT! /proc/net/ip_conntrack contains many, many lines like:
tcp      6 170464 ESTABLISHED src= dst= sport=56085
dport=4987 packets=53990 bytes=41071003 [UNREPLIED] src=
dst= sport=4987 dport=56085 packets=0 bytes=...

I waited 3 days; same situation...

After reboot, ip_conntrack no longer contains these lines.
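The report checks NOTRACK by logging UNTRACKED/NEW packets in FORWARD and then inspecting /proc/net/ip_conntrack by hand. The following added example (not part of the bug report or of the netfilter project) automates that last step: it parses conntrack table lines in the format shown above and flags entries whose original-direction destination falls inside a network that a raw-table NOTRACK rule is supposed to exempt. With a working NOTRACK rule, such entries should not exist at all, so any hit is the symptom described in the report. The sample lines, the documentation-range addresses and the `198.51.100.0/24` network are constructed for the example; on a real box you would feed it the contents of /proc/net/ip_conntrack and the destination from your own NOTRACK rule.

```python
"""Parse /proc/net/ip_conntrack lines and flag flows that a raw-table NOTRACK
rule should have kept out of the table (added example, not from the report)."""
import ipaddress
import re

# Constructed sample of /proc/net/ip_conntrack output. Addresses are from
# documentation ranges and are NOT the ones elided in the bug report. The
# fields before the first "src=" are protocol name, protocol number, timeout
# and, for TCP only, the connection state.
SAMPLE_CONNTRACK = """\
tcp      6 170464 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=56085 dport=4987 packets=53990 bytes=41071003 [UNREPLIED] src=198.51.100.10 dst=10.0.0.5 sport=4987 dport=56085 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=10.0.0.1 sport=40122 dport=22 packets=120 bytes=18720 src=10.0.0.1 dst=10.0.0.7 sport=22 dport=40122 packets=98 bytes=15002 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=198.51.100.53 dst=10.0.0.5 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")      # key=value fields of a tuple
FLAG_RE = re.compile(r"\[(\w+)\]")       # status flags such as [UNREPLIED]


def parse_conntrack_line(line):
    """Return one conntrack entry as a dict with the protocol, timeout, TCP
    state (None for non-TCP), status flags, and the original and reply tuples."""
    head, _, rest = line.partition("src=")
    fields = head.split()
    # The reply tuple starts at the second "src=", which is always preceded
    # by whitespace (after "bytes=N" or a flag like "[UNREPLIED]").
    split_at = re.search(r"\ssrc=", rest).start()
    orig_part, reply_part = rest[:split_at], rest[split_at:]
    return {
        "proto": fields[0],
        "proto_num": int(fields[1]),
        "timeout": int(fields[2]),
        "state": fields[3] if len(fields) > 3 else None,
        "flags": FLAG_RE.findall(line),
        "orig": dict(KV_RE.findall("src=" + orig_part)),
        "reply": dict(KV_RE.findall(reply_part)),   # also picks up mark=/use=
    }


def untracked_leaks(table_text, notrack_dst):
    """Return the entries whose original-direction destination lies inside
    notrack_dst (a CIDR string). A correctly applied raw-table NOTRACK rule
    for that destination means no such entry should ever be in the table."""
    net = ipaddress.ip_network(notrack_dst)
    hits = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        entry = parse_conntrack_line(line)
        if ipaddress.ip_address(entry["orig"]["dst"]) in net:
            hits.append(entry)
    return hits


def describe(entry):
    """One-line summary of an entry for a report or a cron-job mail."""
    o = entry["orig"]
    flags = ",".join(entry["flags"]) or "-"
    return "%s %s:%s -> %s:%s state=%s flags=%s timeout=%d" % (
        entry["proto"], o["src"], o.get("sport", "-"), o["dst"],
        o.get("dport", "-"), entry["state"], flags, entry["timeout"])


if __name__ == "__main__":
    # Hypothetical NOTRACK destination; replace with the one from your rule.
    # Real usage: untracked_leaks(open("/proc/net/ip_conntrack").read(), ...)
    for e in untracked_leaks(SAMPLE_CONNTRACK, "198.51.100.0/24"):
        print("NOTRACK leak:", describe(e))
```

The long-lived UNREPLIED entries in the report (high timeout, packets=0 in the reply direction) are exactly what this flags: flows that conntrack has booked despite the raw-table rule, consuming table slots until the timeout or a reboot clears them.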

