(please keep the netfilter-devel list in CC)

On 21 October 2016 at 09:18, Mathew Heard <mat999@xxxxxxxxx> wrote:
> That's been covered already.
>
> The problem with it is that only the ORIG side of the connection ends
> up set. REPLY does not.
>
> I don't know the fundamental reason why this occurs, only the effect.
>

In that same function, in conntrackd:

http://git.netfilter.org/conntrack-tools/tree/src/netlink.c#n256

we set the same flags in both original and reply directions:

        nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
        nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
        nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
        nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);