[PATCH 0/3] nf_conntrack: fixes for nf_ct_attach in IPv6 stack

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Tue Feb 14 21:41:59 CET 2006


On Tue, 14 Feb 2006, Patrick McHardy wrote:

> Yasuyuki KOZAKAI wrote:
> > IIRC, __{ip,nf}_conntrack_confirm is called at POSTROUTING and INPUT,
> > after all processing of packet filter. If I do
> >
> > 	ip6tables -A FORWARD -p tcp --dport 22 -j REJECT
> >
> > on my router, the conntrack of the TCP SYN packet of ssh will never be confirmed
> > and then nf_conntrack will create a new conntrack for the TCP RST at OUTPUT.
>
> RSTs and ICMP errors without existing connections should be ignored
> by conntrack (and marked as INVALID). Are you sure the RSTs create
> new conntracks?

Marking packets created by the REJECT target as INVALID would break
the functionality of the target itself. Even if there is no real
"master" connection, RELATED was more appropriate.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
