[Bug 613] New: iptables not accepting RELATED, ESTABLISHED udp packets

bugzilla-daemon at bugzilla.netfilter.org
Thu Oct 8 20:13:25 CEST 2009


http://bugzilla.netfilter.org/show_bug.cgi?id=613

           Summary: iptables not accepting RELATED,ESTABLISHED udp packets
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P1
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: bugzilla at jakemagee.com


My system sends out a UDP packet (snmptrap) to a server and expects to get a
UDP packet back (snmptrap -Ci).  However, the return UDP packet never reaches
the system (it is dropped).  I have the following rule set in the INPUT filter
table:

iptables -t filter -I INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

I see the following in my blocked log:
INPUT DROP: IN=ppp0 OUT= MAC= SRC=63.97.78.114 DST=70.218.8.48 LEN=134 TOS=0x00 PREC=0x00 TTL=113 ID=3422 PROTO=UDP SPT=4876 DPT=48204 LEN=114

And from /proc/net/ip_conntrack:
udp      17 57 src=70.218.8.48 dst=63.97.78.114 sport=41329 dport=162 packets=1 bytes=135 [UNREPLIED] src=63.97.78.114 dst=70.218.8.48 sport=162 dport=41329 packets=0 bytes=0 mark=0 use=2

TCP packets seem to work fine.  I originally thought that this was simply a
limitation of using UDP packets, but after reading this
http://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html, I feel that
RELATED,ESTABLISHED UDP packets should work with iptables.  I have verified
that the sent UDP packet was sent successfully and that the returned UDP packet
has the dport set to the original sent packet's sport.  Is this a bug or is my
rule incorrect?


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
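
An added example, not part of the original report or of netfilter's code: conntrack ties an inbound UDP packet to an [UNREPLIED] entry only when the packet's addresses and ports equal the entry's second (reply) tuple, so this Python sketch compares the LOG line and the ip_conntrack entry quoted above field by field. The function names are hypothetical, and the two excerpts are assumed to belong to the same exchange.

```python
import re

# The two excerpts quoted in the report, each joined onto one line.
DROP_LOG = ("INPUT DROP: IN=ppp0 OUT= MAC= SRC=63.97.78.114 DST=70.218.8.48 "
            "LEN=134 TOS=0x00 PREC=0x00 TTL=113 ID=3422 PROTO=UDP "
            "SPT=4876 DPT=48204 LEN=114")
CONNTRACK = ("udp      17 57 src=70.218.8.48 dst=63.97.78.114 sport=41329 "
             "dport=162 packets=1 bytes=135 [UNREPLIED] src=63.97.78.114 "
             "dst=70.218.8.48 sport=162 dport=41329 packets=0 bytes=0 "
             "mark=0 use=2")

FIELDS = ("proto", "src", "sport", "dst", "dport")


def parse_log(line):
    """Fields of an iptables LOG line as a dict keyed by FIELDS."""
    # Empty fields such as "OUT=" and "MAC=" have no value and are skipped.
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    return dict(zip(FIELDS, (f["PROTO"].lower(), f["SRC"], int(f["SPT"]),
                             f["DST"], int(f["DPT"]))))


def parse_reply_tuple(line):
    """Reply-direction tuple (the second one) of an ip_conntrack entry."""
    tuples = re.findall(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)", line)
    src, dst, sport, dport = tuples[1]
    return dict(zip(FIELDS, (line.split()[0], src, int(sport), dst, int(dport))))


def mismatches(log_line, ct_line):
    """Fields in which the logged packet differs from the expected reply."""
    got, want = parse_log(log_line), parse_reply_tuple(ct_line)
    return {k: (got[k], want[k]) for k in FIELDS if got[k] != want[k]}


if __name__ == "__main__":
    for field, (got, want) in mismatches(DROP_LOG, CONNTRACK).items():
        print(f"{field}: packet has {got}, conntrack reply tuple expects {want}")
```

An empty result means the packet is the reply the entry is waiting for; any listed field means the packet is looked up as a different flow and is not matched to this entry by `--state ESTABLISHED,RELATED`.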


