Daniel Collins <daniel.collins@xxxxxxxxxxxxxx> wrote:
> NF_ACCEPT'd using nfq_set_verdict and forwarded on by the kernel, as
> expected. Any packets transmitted within a small window (microseconds,
> depending on hardware) after the first packet, are received by the
> userspace program, the call to nfq_set_verdict succeeds but the kernel
> doesn't forward the packet on. Any packets transmitted after this
> window are received and forwarded correctly.
>
> Is this a known issue?

Yes. The packets are tossed because the conntrack they're associated with
is unconfirmed, and on reinject they clash with the unconfirmed ct of the
1st packet that has been inserted into the conntrack table.

The packets that arrive after the first packet has left the box go through
because the conntrack lookup finds an existing entry.
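A constructed model of the lookup/confirm sequence described in the reply, added here as an illustration and not taken from the kernel or from the thread (the helper names ct_get and ct_confirm, the table layout and the tuple string are made up): two packets of one new flow are queued before the first verdict, a third arrives after the first packet has left the box, and the return value records which ones were actually forwarded despite every nfq_set_verdict call succeeding.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_CT 8
typedef struct { char tuple[48]; bool confirmed; } ct_t;
static ct_t  pool[MAX_CT];   /* ct objects attached to in-flight packets */
static ct_t *table[MAX_CT];  /* the conntrack table: confirmed entries only */
static int   npool, ntable;

static ct_t *ct_find(const char *tuple) {
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i]->tuple, tuple) == 0)
            return table[i];
    return NULL;
}

/* Ingress hook: a table miss allocates a fresh, still-unconfirmed ct. */
static ct_t *ct_get(const char *tuple) {
    ct_t *ct = ct_find(tuple);
    if (ct)
        return ct;
    ct = &pool[npool++];
    snprintf(ct->tuple, sizeof ct->tuple, "%s", tuple);
    ct->confirmed = false;
    return ct;
}

/* Reinject after NF_ACCEPT: the confirm step; true means the packet goes out. */
static bool ct_confirm(ct_t *ct) {
    if (ct->confirmed)          /* lookup hit a live entry: nothing to insert */
        return true;
    if (ct_find(ct->tuple))     /* another ct for this tuple got in first: clash, drop */
        return false;
    ct->confirmed = true;
    table[ntable++] = ct;
    return true;
}

/* Three packets of one flow; bit i set means packet i+1 was forwarded. */
int run_burst_scenario(void) {
    const char *t = "udp 10.0.0.1:1234 -> 10.0.0.2:53"; /* constructed tuple */
    npool = ntable = 0;
    ct_t *p1 = ct_get(t);          /* queued to userspace, ct unconfirmed */
    ct_t *p2 = ct_get(t);          /* arrives before p1's verdict: second unconfirmed ct */
    int fwd = ct_confirm(p1);      /* NF_ACCEPT: p1 confirmed, entry inserted */
    fwd |= ct_confirm(p2) << 1;    /* NF_ACCEPT succeeds, but the clash tosses p2 */
    fwd |= ct_confirm(ct_get(t)) << 2; /* after p1 left the box: lookup hits */
    return fwd;
}
```

The result 5 (binary 101) reproduces the report: first and third packets forwarded, the one inside the window silently dropped.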