Hi,

If the conntrack is in ESTABLISHED state, will it still be in this state after ipt_REJECT sends the RST packet? If yes, I think this is an issue.

Thanks,
-Bryan

On Tue, Dec 29, 2009 at 3:37 PM, Xiong Wu <xiong.wu1981@xxxxxxxxx> wrote:
>
> Hi All,
>
> I found the TCP RST packet sent from the ipt_REJECT target isn't able to
> update the related conntrack state.
>
> I installed a 2.6.30.10 kernel as a router and added an iptables rule with
> the REJECT target to reset specific connections. However, I found that when
> the packets are handled by ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to the CLOSE state.
>
> Then I reviewed the ipt_REJECT code. I found the target attaches the old
> conntrack to the RST packet as:
> {
>         nf_ct_attach(nskb, oldskb);
>         ip_local_out(nskb);
> }
>
> Therefore nf_conntrack_in() will ignore this RST packet because the
> nfct is valid in the skb:
> {
>         if (skb->nfct) {
>                 NF_CT_STAT_INC_ATOMIC(net, ignore);
>                 return NF_ACCEPT;
>         }
> }
>
> Is there any reason to attach the old conntrack to the new RST skb? I
> think letting the RST packet look up and update the related conntrack is
> better.
>
> Thanks,
> Sean
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Thanks,
-Bin
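A constructed Python model, added here and not kernel code or anything posted in the thread, of the two nf_conntrack_in() paths Sean describes: an skb that already carries an nfct is counted as "ignore" and skipped, while an untagged RST is looked up by tuple and drives the TCP tracker to CLOSE. The 4-tuple keying, the one-transition state table and the sample flow are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def reverse(t):
    """Reply-direction tuple: (src, sport, dst, dport) swapped."""
    src, sport, dst, dport = t
    return (dst, dport, src, sport)

@dataclass
class Conntrack:
    tup: tuple
    state: str = "ESTABLISHED"

@dataclass
class Skb:
    """Minimal TCP skb: tuple, RST flag, and the nfct pointer."""
    tup: tuple
    rst: bool = False
    nfct: Optional[Conntrack] = None

class ConntrackTable:
    def __init__(self):
        self.entries, self.ignore = {}, 0

    def add(self, ct):
        self.entries[ct.tup] = ct
        self.entries[reverse(ct.tup)] = ct   # both directions map to one ct

    def conntrack_in(self, skb):
        """Model of nf_conntrack_in(): an skb that already carries an nfct is
        skipped (the check quoted in the thread); otherwise look up the tuple
        and run the TCP tracker, where a RST moves the entry to CLOSE."""
        if skb.nfct is not None:
            self.ignore += 1        # NF_CT_STAT_INC_ATOMIC(net, ignore)
            return "NF_ACCEPT"
        ct = self.entries.get(skb.tup)
        if ct is None:
            return "NF_ACCEPT"      # new-flow handling omitted in this model
        if skb.rst:
            ct.state = "CLOSE"      # simplified tcp_conntracks[]: RST -> sCL
        skb.nfct = ct
        return "NF_ACCEPT"

def nf_ct_attach(nskb, oldskb):
    """What ipt_REJECT does: hand the original skb's conntrack to the RST."""
    nskb.nfct = oldskb.nfct

def reject_flow(attach_old_ct):
    """Track one constructed flow, REJECT a packet on it, and report the
    conntrack state plus the 'ignore' counter after the RST went out."""
    table = ConntrackTable()
    flow = ("10.0.0.1", 40000, "10.0.0.2", 80)   # constructed sample flow
    table.add(Conntrack(flow))
    oldskb = Skb(flow)
    table.conntrack_in(oldskb)                 # original packet gets its nfct
    rst = Skb(reverse(flow), rst=True)         # RST goes in the reply direction
    if attach_old_ct:
        nf_ct_attach(rst, oldskb)
    table.conntrack_in(rst)                    # ip_local_out -> LOCAL_OUT hook
    return table.entries[flow].state, table.ignore
```

reject_flow(True) reproduces the behaviour reported in the thread (state stays ESTABLISHED and the ignore counter ticks), while reject_flow(False) shows the lookup path moving the entry to CLOSE.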