Re: [BUG] SNAT sometimes allows packets to pass through unchanged

[Patrick McHardy]

Alan Stern wrote:
> On Thu, 12 Feb 2009, Patrick McHardy wrote:
>
> > If the connection has already timed out (from conntracks perspective),
> > it has lost its state. Unless connection pickup is enabled, the packet 
> > will be marked as INVALID because it doesn't belong to a connection.
> > You can control dropping of these packets yourself by adding the
> > appropriate "-m state --state INVALID" rules.
>
> I tried adding a rule to log these unaccounted-for packets.  Nothing 
> showed up, even when I could see the packets being sent.

Where (table/chain/position) did you add this rule?

> > That said, there were
> > some bugs in the past few releases that caused some bad interaction
> > between TCP and TCP conntrack (not sure anymore which one of both was
> > to blame). Its possible that this is the root cause for this, so
> > you might want to consider a kernel update.
>
> It does sound like the result of a bug.  Do you have any pointers to 
> patches or locations to check in the source?

Sorry, there were quite a few patches and I don't remember which
ones exactly are related.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/