[PATCH 0/3] nf_conntrack: fixes for nf_ct_attach in IPv6 stack

Patrick McHardy kaber at trash.net
Tue Feb 14 19:13:16 CET 2006


Yasuyuki KOZAKAI wrote:
> IIRC, __{ip,nf}_conntrack_confirm is called at POSTROUTING and INPUT,
> after all processing of packet filter. If I do
> 
> 	ip6tables -A FORWARD -p tcp --dport 22 -j REJECT
> 
> on my router, the conntrack of TCP SYN packet of ssh will never confirmed
> and then nf_conntrack will create new conntrack for TCP RST at OUTPUT.

RSTs and ICMP errors without existing connections should be ignored
by conntrack (and marked as INVALID). Are you sure the RSTs create
new conntracks?



More information about the netfilter-devel mailing list