Re: icmp_error_message return?

Hello,

From: Jan Engelhardt <jengelh@xxxxxxxxxx>
Date: Mon, 1 Nov 2010 20:42:55 +0100 (CET)

> On Monday 2010-11-01 20:06, "Oleg A. Arkhangelsky" wrote:
> 
> >Hello,
> >
> >Maybe I'm wrong, but the last line of icmp_error_message() from
> >net/ipv4/netfilter/nf_conntrack_proto_icmp.c seems illogical to me.
> >Should it be return NF_ACCEPT, instead of -NF_ACCEPT?

-NF_ACCEPT should be returned. An ICMP error is a special packet, and
icmp_error_message() assigns IP_CT_RELATED to ctinfo itself.
nf_conntrack_in() does not need to resolve ctinfo as it does for normal
packets, so icmp_error_message() returns -NF_ACCEPT.


> (Same with icmpv6.c)
> 
> Hmm! Maybe that explains why the ICMPv6 packets from my HE tunnel are 
> all -m conntrack --ctstate INVALID?
> 
> (Ref.: http://www.spinics.net/lists/netfilter-devel/msg13247.html )

I think this is another issue. Maybe fragmentation is related to it?


-- Yasuyuki Kozakai
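
The return-value convention described in the reply above, as an added user-space C model (not kernel code and not part of the original thread): a handler result <= 0 is taken as a final verdict equal to the negated value, so -NF_ACCEPT means "accept, ctinfo already handled". The model_* names, the struct and the enum are hypothetical, and the caller's dispatch on the sign is an assumption of this model.

```c
#include <stdio.h>

/* Verdict values as defined in linux/netfilter.h. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Constructed stand-ins for conntrack state; not the kernel's types. */
enum model_ctinfo { MODEL_CT_UNSET, MODEL_CT_NEW, MODEL_CT_RELATED };

struct model_pkt {
    int is_icmp_error;       /* e.g. destination unreachable */
    int inner_flow_known;    /* embedded header matches a tracked flow */
    enum model_ctinfo ctinfo;
    int resolved_normally;   /* set only when the normal path ran */
};

/* Error handler: > 0 means "not handled here, continue";
 * <= 0 means "handled, final verdict is the negated value". */
static int model_icmp_error(struct model_pkt *p)
{
    if (!p->is_icmp_error)
        return NF_ACCEPT;             /* ordinary ICMP: continue */
    if (p->inner_flow_known)
        p->ctinfo = MODEL_CT_RELATED; /* handler assigns state itself */
    return -NF_ACCEPT;                /* accept, skip normal resolution */
}

/* Caller: dispatches on the sign of the handler's return value. */
static int model_conntrack_in(struct model_pkt *p)
{
    int ret = model_icmp_error(p);
    if (ret <= 0)
        return -ret;                  /* verdict already decided */
    p->ctinfo = MODEL_CT_NEW;         /* normal packets resolved here */
    p->resolved_normally = 1;
    return NF_ACCEPT;
}

int main(void)
{
    struct model_pkt err  = { 1, 1, MODEL_CT_UNSET, 0 };  /* constructed */
    struct model_pkt echo = { 0, 0, MODEL_CT_UNSET, 0 };  /* constructed */
    int v_err = model_conntrack_in(&err);
    int v_echo = model_conntrack_in(&echo);
    printf("error: verdict=%d ctinfo=%d normal=%d\n", v_err, err.ctinfo, err.resolved_normally);
    printf("echo:  verdict=%d ctinfo=%d normal=%d\n", v_echo, echo.ctinfo, echo.resolved_normally);
    return 0;
}
```

In this model, returning plain NF_ACCEPT from the error path would send the packet on to the normal resolution step, which would overwrite the state the handler had just assigned.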