01.11.2010, 22:42, "Jan Engelhardt" <jengelh@xxxxxxxxxx>: > On Monday 2010-11-01 20:06, "Oleg A. Arkhangelsky" wrote: > >> Hello, >> >> Maybe I'm wrong, but the last line of icmp_error_message() from >> net/ipv4/netfilter/nf_conntrack_proto_icmp.c seems illogical to me. >> Should it be return NF_ACCEPT, instead of -NF_ACCEPT? > > (Same with icmpv6.c) > > Hmm! Maybe that explains why the ICMPv6 packets from my HE tunnel are > all -m conntrack --ctstate INVALID? Very likely. I'm using IPv4 NAT and see ICMP unreachables left my "outside" interface not translated (with RFC1918 address in src). Apparently this packets have INVALID state due to invalid return. I'll check it later. -- wbr, Oleg. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
