[PATCH 0/3] nf_conntrack: fixes for nf_ct_attach in IPv6 stack
Harald Welte
laforge at netfilter.org
Wed Feb 15 08:47:40 CET 2006
On Tue, Feb 14, 2006 at 09:41:59PM +0100, Jozsef Kadlecsik wrote:
> On Tue, 14 Feb 2006, Patrick McHardy wrote:
>
> > Yasuyuki KOZAKAI wrote:
> > > IIRC, __{ip,nf}_conntrack_confirm is called at POSTROUTING and INPUT,
> > > after all processing of packet filter. If I do
> > >
> > > ip6tables -A FORWARD -p tcp --dport 22 -j REJECT
> > >
> > > on my router, the conntrack of the TCP SYN packet of ssh will never be confirmed,
> > > and then nf_conntrack will create a new conntrack for the TCP RST at OUTPUT.
> >
> > RSTs and ICMP errors without existing connections should be ignored
> > by conntrack (and marked as INVALID). Are you sure the RSTs create
> > new conntracks?
>
> Marking packets created by the REJECT target as INVALID would break
> the functionality of the target itself. Even if there is no real
> "master" connection, RELATED was more appropriate.
I totally agree. Also, we have to keep 100% semantic compatibility with
the existing ip_conntrack setups, otherwise we'd confuse users and
create lots of broken packet filters.
--
- Harald Welte <laforge at netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie