Re: Packet marked wrongly as INVALID?

[Patrick McHardy <kaber@xxxxxxxxx>]

Marco Innocenti wrote:
> Hi,
>     on a couple of production server I get routinely some packet which 
> should be marked as NEW are marked as INVALID and I'm unable to 
> understand why or to reproduce the problem in a testing environment.
> I use distribution kernel (SUSE 2.6.16.60-0.58.1-smp and Debian 
> 2.6.26-2-amd64) on intel (64 bit) but I could try a recent kernel if 
> need arise.
>
>
> Jul  1 09:14:44 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= 
> MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 
> DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47760 DF PROTO=TCP 
> SPT=53816 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:18 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= 
> MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 
> DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13606 DF PROTO=TCP 
> SPT=54446 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:34 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= 
> MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 
> DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15917 DF PROTO=TCP 
> SPT=54694 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:55 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= 
> MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 
> DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22772 DF PROTO=TCP 
> SPT=54863 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

"echo 6 > /proc/sys/net/netfilter/nf_conntrack_log_invalid" will make
conntrack log the reason for marking the packets as INVALID.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html