On Thu, 12 Feb 2009, Patrick McHardy wrote:
> If the connection has already timed out (from conntrack's perspective),
> it has lost its state. Unless connection pickup is enabled, the packet
> will be marked as INVALID because it doesn't belong to a connection.
> You can control dropping of these packets yourself by adding the
> appropriate "-m state --state INVALID" rules.
I tried adding a rule to log these unaccounted-for packets. Nothing showed up, even when I could see the packets being sent.
> That said, there were some bugs in the past few releases that caused
> some bad interaction between TCP and TCP conntrack (not sure anymore
> which one of both was to blame). It's possible that this is the root
> cause for this, so you might want to consider a kernel update.
It does sound like the result of a bug. Do you have any pointers to patches or locations to check in the source?
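The thread's suggested check is a LOG rule on "-m state --state INVALID" followed by inspecting the kernel log. The following is an added example, not code from either poster: it assumes a LOG rule with a hypothetical prefix "CT_INVALID: " inserted ahead of any ESTABLISHED/RELATED accept, and parses the netfilter LOG target's key=value lines (constructed sample lines below) so that INVALID packets can be grouped by source, protocol and TCP flags. Late RST/FIN segments arriving after conntrack has expired the flow show up as a distinct bucket in the summary.

```python
"""Parse netfilter LOG output for packets that conntrack classified as INVALID.

Assumed rules (hypothetical prefix, not from the thread), inserted at the top
of INPUT so they run before any "--state ESTABLISHED,RELATED -j ACCEPT" rule:

    iptables -I INPUT 1 -m state --state INVALID -j LOG --log-prefix "CT_INVALID: "
    iptables -I INPUT 2 -m state --state INVALID -j DROP
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

LOG_PREFIX = "CT_INVALID: "  # assumption: the --log-prefix used on the LOG rule

# Constructed sample kernel log lines in the LOG target's format (not real traffic).
SAMPLE_LOG = """\
Feb 12 10:01:02 host kernel: CT_INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 12 10:01:03 host kernel: CT_INVALID: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 12 10:01:04 host kernel: CT_INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4242 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Feb 12 10:01:05 host kernel: unrelated message SRC=10.0.0.1
Feb 12 10:01:06 host kernel: CT_INVALID: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=7 PROTO=UDP SPT=53 DPT=33333 LEN=44
"""

TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class LogEntry:
    fields: Dict[str, str]     # KEY=VALUE tokens (OUT= yields an empty string)
    flags: FrozenSet[str]      # bare tokens such as DF, ACK, RST, FIN


def parse_log_line(line: str, prefix: str = LOG_PREFIX) -> Optional[LogEntry]:
    """Return a LogEntry for a line carrying our prefix, or None for other messages."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields: Dict[str, str] = {}
    flags = set()
    for tok in line[idx + len(prefix):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP total length, then UDP length);
            # keep the first occurrence so LEN always means the IP length.
            fields.setdefault(key, value)
        else:
            flags.add(tok)
    return LogEntry(fields, frozenset(flags))


def parse_log(text: str, prefix: str = LOG_PREFIX) -> List[LogEntry]:
    """Parse every matching line of a kernel log excerpt."""
    parsed = (parse_log_line(line, prefix) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def summarize(entries: List[LogEntry]) -> Counter:
    """Count INVALID packets per (source, protocol, TCP flags).

    Packets of an already-expired flow typically appear as ACK|RST or ACK|FIN
    from the peer, which this grouping makes easy to spot.
    """
    counts: Counter = Counter()
    for entry in entries:
        tcp_flags = "|".join(sorted(entry.flags & TCP_FLAG_NAMES)) or "-"
        counts[(entry.fields.get("SRC"), entry.fields.get("PROTO"), tcp_flags)] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, flags), n in summarize(parse_log(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  SRC={src:<15} PROTO={proto:<4} FLAGS={flags}")
```

If the LOG rule produces nothing, as in the report above, confirm it is actually being hit before suspecting conntrack: "iptables -L INPUT -v -n" shows per-rule packet counters, and the rule only sees INVALID packets if it sits above any earlier ACCEPT that matches them.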