On Sat, Jan 18, 2020 at 01:10:50PM +0100, Jiri Wiesner wrote:
> The netlink notifications triggered by the INIT and INIT_ACK chunks
> for a tracked SCTP association do not include protocol information
> for the corresponding connection - SCTP state and verification tags
> for the original and reply direction are missing. Since the connection
> tracking implementation allows user space programs to receive
> notifications about a connection and then create a new connection
> based on the values received in a notification, it makes sense that
> INIT and INIT_ACK notifications should contain the SCTP state
> and verification tags available at the time when a notification
> is sent. The missing verification tags cause a newly created
> netfilter connection to fail to verify the tags of SCTP packets
> when this connection has been created from the values previously
> received in an INIT or INIT_ACK notification.
>
> A PROTOINFO event is cached in sctp_packet() when the state
> of a connection changes. The CLOSED and COOKIE_WAIT state will
> be used for connections that have seen an INIT and INIT_ACK chunk,
> respectively. The distinct states will cause a connection state
> change in sctp_packet().

This problem shows through conntrack -E, correct?

Thanks.