Hi All,

I found the TCP RST packet sent from the ipt_REJECT target isn't able to update the related conntrack state.

I installed a 2.6.30.10 kernel as a router and added an iptables rule with the REJECT target to reset specific connections. However, I found that when the packet is handled by ipt_REJECT and the TCP RST packet is sent, the related conntrack state isn't updated to the CLOSE state.

Then I reviewed the ipt_REJECT code. I found the target attaches the old conntrack to the RST packet as:

    {
        nf_ct_attach(nskb, oldskb);
        ip_local_out(nskb);
    }

Therefore nf_conntrack_in() will ignore this RST packet because the nfct in the skb is valid:

    {
        if (skb->nfct) {
            NF_CT_STAT_INC_ATOMIC(net, ignore);
            return NF_ACCEPT;
        }
    }

Is there any reason to attach the old conntrack to the new RST skb? I think letting the RST packet look up and update the related conntrack is better.

Thanks,
Sean
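A toy C model of the interaction described above, added here as an example (it is neither kernel code nor part of the original post): one flow is tracked through the handshake, then the REJECT-generated RST is fed through a stand-in for nf_conntrack_in() with and without the nf_ct_attach() reference. All struct and function names are made up for the model; the real conntrack TCP state machine is far richer.

```c
/* Toy model (not kernel code) of the post's observation: a pre-attached
 * skb->nfct makes nf_conntrack_in() skip the packet, so a REJECT RST that
 * inherits the original packet's conntrack never moves the entry to CLOSE.
 * Assumption: a single flow and only the TCP transitions needed here. */
#include <stddef.h>
#include <stdint.h>

enum tcp_ct_state { CT_NONE, CT_SYN_SENT, CT_SYN_RECV, CT_ESTABLISHED, CT_CLOSE };
enum tcp_flag { TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
enum verdict { V_ACCEPT, V_IGNORE };

struct ct_entry { enum tcp_ct_state state; };
struct skb { uint8_t tcp_flags; struct ct_entry *nfct; };

/* Stand-in for nf_conntrack_in(): a packet that already carries a conntrack
 * reference is neither looked up nor used to update the entry's state. */
static enum verdict conntrack_in(struct skb *skb, struct ct_entry *flow)
{
    if (skb->nfct)                      /* the "ignore" branch quoted above */
        return V_IGNORE;
    skb->nfct = flow;                   /* lookup hit: attach the flow's entry */
    if (skb->tcp_flags & TCP_RST)
        flow->state = CT_CLOSE;
    else if (skb->tcp_flags & TCP_SYN)
        flow->state = (skb->tcp_flags & TCP_ACK) ? CT_SYN_RECV : CT_SYN_SENT;
    else if ((skb->tcp_flags & TCP_ACK) && flow->state == CT_SYN_RECV)
        flow->state = CT_ESTABLISHED;
    return V_ACCEPT;
}

/* Stand-in for the REJECT target. attach_old_ct mirrors nf_ct_attach(nskb,
 * oldskb): the RST inherits the rejected packet's conntrack reference, so
 * conntrack_in() ignores it when it leaves via the output path. Returns the
 * flow's conntrack state after the RST has been processed. */
static enum tcp_ct_state reject_flow(int attach_old_ct)
{
    struct ct_entry flow = { CT_NONE };
    struct skb syn = { TCP_SYN, NULL };
    struct skb synack = { TCP_SYN | TCP_ACK, NULL };
    struct skb ack = { TCP_ACK, NULL };
    conntrack_in(&syn, &flow);
    conntrack_in(&synack, &flow);
    conntrack_in(&ack, &flow);          /* entry is now ESTABLISHED */

    struct skb data = { TCP_ACK, NULL };
    conntrack_in(&data, &flow);         /* the packet that hits the REJECT rule */
    struct skb rst = { TCP_RST | TCP_ACK, attach_old_ct ? data.nfct : NULL };
    conntrack_in(&rst, &flow);          /* the RST sent with ip_local_out() */
    return flow.state;
}
```

With the attached reference the entry stays ESTABLISHED until it times out; without it the RST is looked up and the entry moves to CLOSE.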