Hi,
If the conntrack is in ESTABLISHED state, will it still in this state
after the ipt_REJECT send the RST packet?
If yes, I think this is an issue.
Thanks,
-Bryan
On Tue, Dec 29, 2009 at 3:37 PM, Xiong Wu <xiong.wu1981@xxxxxxxxx> wrote:
>
> Hi All,
>
> I found the TCP RST packet sent from ipt_REJECT target isn't able to
> update related conntrack state.
>
> I install a 2.6.30.10 kernel as a router and add a iptables rule with
> REJECT target to reset specific connections. However I found when
> the packets is handled by the ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to CLOSE state.
>
> Then I review the ipt_REJECT codes. I found the target attach the old
> conntrack to RST packet as:
> {
> nf_ct_attach(nskb, oldskb);
> ip_local_out(nskb);
> }
>
> Therefor the nf_conntrack_in() will ignore this RST packet due to the
> nfct is valid in skb.
> {
> if (skb->nfct) {
> NF_CT_STAT_INC_ATOMIC(net, ignore);
> return NF_ACCEPT;
> }
> }
>
>
> Is there any reason to attach the old conntrack to new RST skb? I
> think let the RST packet lookup and update related conntrack is
> better.
>
>
> Thanks,
> Sean
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Thanks,
-Bin
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
