[PATCH 0/3] nf_conntrack: fixes for nf_ct_attach in IPv6 stack

Patrick McHardy kaber at trash.net
Tue Feb 14 17:26:32 CET 2006


Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber at trash.net>
> Date: Mon, 13 Feb 2006 17:44:30 +0100
> 
>>
>>The reason why we manually attach these references (at least for ICMP)
>>is because the packet might be in the middle of two NAT manips and
>>unrecognizable for conntrack. For IPv6 this should be irrelevant. I'm
>>not sure why it is done for TCP RSTs, they should always be properly
>>tracked anyway.
> 
> 
> It's a common case for me that the conntrack of the original TCP packet is
> unconfirmed when it is processed in the REJECT target. In this case, the TCP RST
> generated by REJECT causes a new conntrack to be created. I don't think
> that is good behavior. The same can be said about sending an ICMPv6 error.

Unless I'm missing something, that shouldn't happen.
__{ip,nf}_conntrack_confirm check that the packet is in direction
IP_CT_DIR_ORIGINAL before confirming the conntrack.
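As an added illustration, not code from this thread, the patch series or the kernel, here is a small C model of the two mechanisms being discussed: the conntrack lookup that only finds confirmed entries, the confirmation step that (as Patrick notes) only acts on ORIGINAL-direction packets, and nf_ct_attach handing the triggering packet's conntrack to the generated RST. Every name below (ct_lookup_or_new, ct_confirm, ct_attach, run_reject_scenario, the struct layouts, the sample addresses and ports) is this example's own and is not the kernel's API. It runs the scenario Yasuyuki describes both ways: with the RST attached to the still-unconfirmed SYN's conntrack, and with the RST entering tracking as an unrelated packet.

```c
/* Added example for this thread, not kernel code: a simplified model of
 * conntrack lookup, confirmation and nf_ct_attach. All identifiers here
 * are this example's own, chosen to mirror the concepts under discussion. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ct_dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

struct conntrack {
    struct tuple t[2];   /* t[DIR_ORIGINAL], t[DIR_REPLY] */
    bool confirmed;      /* only confirmed entries are visible to lookup */
    bool in_use;
};

struct skb {
    struct tuple t;
    struct conntrack *ct;  /* stands in for skb->nfct */
    enum ct_dir dir;       /* stands in for CTINFO2DIR(ctinfo) */
};

#define MAX_CT 8
static struct conntrack table[MAX_CT];

static struct tuple invert(struct tuple t)
{
    struct tuple r = { t.daddr, t.saddr, t.dport, t.sport };
    return r;
}

static bool tuple_eq(struct tuple a, struct tuple b)
{
    return a.saddr == b.saddr && a.daddr == b.daddr &&
           a.sport == b.sport && a.dport == b.dport;
}

/* Model of the entry lookup: a packet that already carries a conntrack is
 * left alone; otherwise only confirmed entries can match, and a miss
 * allocates a new, unconfirmed entry with this packet as ORIGINAL. */
static struct conntrack *ct_lookup_or_new(struct skb *skb)
{
    if (skb->ct)
        return skb->ct;
    for (int i = 0; i < MAX_CT; i++) {
        struct conntrack *ct = &table[i];
        if (!ct->in_use || !ct->confirmed)
            continue;
        if (tuple_eq(ct->t[DIR_ORIGINAL], skb->t)) {
            skb->ct = ct; skb->dir = DIR_ORIGINAL; return ct;
        }
        if (tuple_eq(ct->t[DIR_REPLY], skb->t)) {
            skb->ct = ct; skb->dir = DIR_REPLY; return ct;
        }
    }
    for (int i = 0; i < MAX_CT; i++) {
        struct conntrack *ct = &table[i];
        if (ct->in_use)
            continue;
        ct->in_use = true; ct->confirmed = false;
        ct->t[DIR_ORIGINAL] = skb->t;
        ct->t[DIR_REPLY] = invert(skb->t);
        skb->ct = ct; skb->dir = DIR_ORIGINAL;
        return ct;
    }
    return NULL; /* table full */
}

/* Model of the check Patrick cites: only an ORIGINAL-direction packet
 * confirms its conntrack; a REPLY-direction packet is passed through. */
static bool ct_confirm(struct skb *skb)
{
    if (!skb->ct || skb->dir != DIR_ORIGINAL)
        return false;
    skb->ct->confirmed = true;
    return true;
}

/* Model of nf_ct_attach: the generated packet reuses the triggering
 * packet's conntrack, seen from the opposite direction. */
static void ct_attach(struct skb *new_skb, const struct skb *orig)
{
    new_skb->ct = orig->ct;
    new_skb->dir = (orig->dir == DIR_ORIGINAL) ? DIR_REPLY : DIR_ORIGINAL;
}

static int count_confirmed(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CT; i++)
        n += table[i].in_use && table[i].confirmed;
    return n;
}

/* Scenario from the thread: a SYN whose conntrack is still unconfirmed hits
 * REJECT, which emits a TCP RST and drops the SYN. Returns how many
 * confirmed conntracks the RST leaves behind (sample tuple is constructed). */
static int run_reject_scenario(bool attach)
{
    memset(table, 0, sizeof table);
    struct skb syn = { .t = { 0x0a000001, 0x0a000002, 40000, 22 }, .ct = NULL };
    ct_lookup_or_new(&syn);          /* new, unconfirmed, ORIGINAL */

    struct skb rst = { .t = invert(syn.t), .ct = NULL };
    if (attach)
        ct_attach(&rst, &syn);       /* rst is REPLY on the SYN's conntrack */
    ct_lookup_or_new(&rst);          /* attached: no-op; otherwise: miss */
    ct_confirm(&rst);                /* the direction check decides */

    /* The dropped SYN's unconfirmed entry is freed in the real kernel; here
     * it simply stays unconfirmed and is therefore not counted. */
    return count_confirmed();
}

int main(void)
{
    printf("RST with attach:    %d confirmed conntrack(s)\n", run_reject_scenario(true));
    printf("RST without attach: %d confirmed conntrack(s)\n", run_reject_scenario(false));
    return 0;
}
```

With the RST attached, it travels in the REPLY direction of the SYN's conntrack and the direction check leaves nothing confirmed; without attachment, the RST cannot find the unconfirmed SYN entry, is allocated a fresh entry as ORIGINAL and confirms it, which is the extra conntrack Yasuyuki describes. The model ignores refcounting and the cleanup of the dropped SYN's entry.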
