On 07.02.2011 12:40, Pablo Neira Ayuso wrote:
> The TCP tracking code has a special case that allows to return
> NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state.
>
> In this situation, the TCP tracking code destroys the existing
> conntrack to start a new clean session.
>
> [DESTROY] tcp 6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED]
> [NEW] tcp 6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925
>
> However, this is a problem for the iptables' CT target event filtering
> which will not work in this case since the conntrack template will not
> be there for the new session. To fix this, we reassign the conntrack
> template to the packet if we return NF_REPEAT.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_core.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)

Nice catch. Applied, thanks.
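The mechanism in the quoted commit message, as an added userspace model (not the kernel's nf_conntrack_core.c and not part of this thread): a template created by the CT target rides on skb->nfct into the conntrack hook; the TCP tracker answers a SYN arriving in TIME_WAIT with -NF_REPEAT after killing the old flow, the hook drops its reference to that flow, and the packet is re-run through the hook. The second pass only sees the template (and the new flow only inherits the --ctevents filter) if the hook hands the template back on NF_REPEAT. All struct names, the verdict values, the `ctevents` mask value and the helper names below are constructed for this model.

```c
/* Userspace model of conntrack template loss on NF_REPEAT (constructed example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { NF_DROP = 0, NF_ACCEPT = 1, NF_REPEAT = 4 };   /* subset of verdicts, values ours */
enum tcp_state { TCP_NONE, TCP_SYN_SENT, TCP_TIME_WAIT };

struct conntrack {
    bool is_template;       /* created by -j CT rather than by a packet */
    unsigned int ctevents;  /* event filter; a new flow copies it from the template */
    enum tcp_state state;
    bool killed;
};

struct skb {
    bool syn;
    struct conntrack *nfct; /* models skb->nfct: template or tracked flow */
};

/* One table slot suffices for the scenario: the flow sitting in TIME_WAIT. */
struct net { struct conntrack *flow; };

static struct conntrack new_ct; /* storage for the flow created on the repeat pass */

/* TCP tracker model: a SYN hitting TIME_WAIT kills the flow and asks for a repeat. */
static int tcp_packet(struct conntrack *ct, const struct skb *skb)
{
    if (ct->state == TCP_TIME_WAIT && skb->syn) {
        ct->killed = true;
        return -NF_REPEAT;          /* negative: "invalid, but repeat the hook" */
    }
    if (ct->state == TCP_NONE && skb->syn)
        ct->state = TCP_SYN_SENT;
    return NF_ACCEPT;
}

/* Lookup-or-create; a freshly created flow takes its event mask from the template. */
static struct conntrack *resolve_ct(struct net *net, const struct conntrack *tmpl)
{
    if (net->flow && !net->flow->killed)
        return net->flow;
    new_ct = (struct conntrack){ .ctevents = tmpl ? tmpl->ctevents : 0 };
    net->flow = &new_ct;
    return &new_ct;
}

/* Model of the conntrack input hook. reassign_template toggles the fix. */
static int conntrack_in(struct net *net, struct skb *skb, bool reassign_template)
{
    struct conntrack *tmpl = NULL, *ct;
    int ret;

    if (skb->nfct) {
        if (!skb->nfct->is_template)
            return NF_ACCEPT;       /* already tracked: nothing to do */
        tmpl = skb->nfct;           /* detach the template for this pass */
        skb->nfct = NULL;
    }
    ct = resolve_ct(net, tmpl);
    skb->nfct = ct;
    ret = tcp_packet(ct, skb);
    if (ret <= 0) {
        skb->nfct = NULL;           /* tracker refused the packet: drop our reference */
        ret = -ret;
    }
    /* The fix: the packet carries no conntrack on NF_REPEAT, so give the
     * template back; without this the repeat pass starts without a template. */
    if (tmpl && reassign_template && ret == NF_REPEAT)
        skb->nfct = tmpl;
    return ret;
}

/* Drives the hook like the netfilter core: run again while the verdict is NF_REPEAT.
 * Returns the event mask the new flow ended up with (0 = filter lost). */
unsigned int run_scenario(bool reassign_template)
{
    struct conntrack tmpl = { .is_template = true, .ctevents = 0x3 }; /* constructed mask */
    struct conntrack old = { .state = TCP_TIME_WAIT, .ctevents = 0x3 };
    struct net net = { .flow = &old };
    struct skb skb = { .syn = true, .nfct = &tmpl };
    int ret;

    do {
        ret = conntrack_in(&net, &skb, reassign_template);
    } while (ret == NF_REPEAT);
    return (ret == NF_ACCEPT && skb.nfct) ? skb.nfct->ctevents : 0;
}

int new_flow_state(void) { return new_ct.state; }

int main(void)
{
    printf("without reassignment: ctevents=0x%x\n", run_scenario(false));
    printf("with reassignment:    ctevents=0x%x\n", run_scenario(true));
    return 0;
}
```

Running the two variants shows the difference the commit message describes: without handing the template back, the flow created on the repeat pass has no event filter, because the hook's second entry finds skb->nfct empty; with it, the new SYN_SENT flow inherits the mask from the CT target's template.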