Pekka Pietikäinen <pp@xxxxxxxxxx> wrote:
> On 24/10/13 15:05, Eric Dumazet wrote:
> >sk_state 7 means TCP_CLOSE
> >
> >I do not see how a TCP_CLOSE socket can be matched...
> >
> Yep, TCP_CLOSE can't be right, sk_state isn't correct with early
> demux perhaps?

What is weird is that early_demux should NOT influence xt_socket
because from the rules you posted you are using this in PREROUTING,
which is before tcp early demux magic.

Do you have any other netfilter rules (-j TPROXY perhaps?) that could
explain why the skb has a socket attached in the first place by the
time it ends up in the netfilter socket match?

[ ip_rcv() orphans the skb before netfilter prerouting, so skb->sk
  should be NULL ]