Hi Jeff,

On Fri, 1 Feb 2008, Jeff Chua wrote:

> I recaptured it again, and attached are the logs.
[...]

Thank you!

One can see a plain connection-initiating SYN, which triggers the message. No reply from the server, then three seconds later comes a retransmitted SYN and immediately after the SYN/ACK reply.

What makes it interesting is that the first SYN was let through by the conntrack: it was *not* blocked at all.

In the dump file there is no other previous connection between 127.0.0.1:1021 -> 127.0.0.1:515. But there must be a previous connection which was not captured by tcpdump.

Could I ask you to make two more tests? (I have been unable to reproduce the bug so far, but it must be my fault.)

In both cases enable logging invalid messages as Patrick wrote in a previous mail:

# modprobe ipt_LOG
# echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid

In the first case run the unpatched 2.4.24 kernel and before doing any printing, start dumping all the traffic at the 515 port so that we won't miss any connection and send the dump file:

# tcpdump -i lo -s 0 -w dump.pcap tcp port 515

In the second case run the patched kernel and just start printing: do you get any 'nf_ct_tcp: invalid SYN' kernel message?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
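
The pattern described in the message above (a SYN that gets no reply and is resent before the SYN/ACK arrives) can be picked out of a capture mechanically. This is an added example, not code from the thread: the sample lines are constructed in `tcpdump -n -tt` text form, and `find_retransmitted_syns` is a hypothetical helper name.

```python
import re

# Constructed sample (tcpdump -n -tt style), NOT the capture attached to the thread.
SAMPLE = """\
1201850000.000000 IP 127.0.0.1.1021 > 127.0.0.1.515: Flags [S], seq 1000, win 32792, length 0
1201850003.000000 IP 127.0.0.1.1021 > 127.0.0.1.515: Flags [S], seq 1000, win 32792, length 0
1201850003.000040 IP 127.0.0.1.515 > 127.0.0.1.1021: Flags [S.], seq 5000, ack 1001, win 32768, length 0
1201850003.000080 IP 127.0.0.1.1021 > 127.0.0.1.515: Flags [.], ack 1, win 257, length 0
1201850010.000000 IP 127.0.0.1.1022 > 127.0.0.1.515: Flags [S], seq 2000, win 32792, length 0
1201850010.000030 IP 127.0.0.1.515 > 127.0.0.1.1022: Flags [S.], seq 6000, ack 2001, win 32768, length 0
"""

# timestamp, source host.port, destination host.port, TCP flags, sequence number
LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\], seq (\d+)")


def find_retransmitted_syns(text):
    """Return (client, server, seq, delay_s) for each SYN resent before any SYN/ACK."""
    pending = {}  # (client, server, seq) -> time of the first, still unanswered SYN
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # pure ACKs and data segments carry no bare "seq N" here
        ts, src, dst, flags, seq = float(m[1]), m[2], m[3], m[4], int(m[5])
        if flags == "S":
            key = (src, dst, seq)
            if key in pending:
                # Same endpoints and same ISN: a retransmission, not a new connection.
                hits.append((src, dst, seq, round(ts - pending[key], 6)))
            else:
                pending[key] = ts
        elif flags == "S.":
            # A SYN/ACK from the server answers every pending SYN of that client.
            for key in [k for k in pending if k[0] == dst and k[1] == src]:
                del pending[key]
    return hits


if __name__ == "__main__":
    for client, server, seq, delay in find_retransmitted_syns(SAMPLE):
        print(f"{client} -> {server} seq {seq}: SYN resent after {delay}s")
```
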