Conntrack assumes an unconfirmed entry (not yet committed to global hash table) has a refcount of 1 and is not visible to other cores.

With multicast forwarding this assumption breaks down because such skbs get cloned after being picked up, i.e. ct->use refcount is > 1.

Likewise, bridge netfilter will clone broadcast/multicast frames and all frames in case they need to be flood-forwarded during learning phase.

For ip multicast forwarding or plain bridge flood-forward this will "work" because packets don't leave softirq and are implicitly serialized.

With nfqueue this no longer holds true, the packets get queued and can be reinjected in arbitrary ways.

Disable this feature. After this patch, nfqueue cannot queue packets except the last multicast/broadcast packet.

Alternatives:
- queue, but zap skb->nf_conn. Problem: On reinject, packet would match INVALID state.
- same, but make them untracked. Slightly better, but not by much.
- check if NAT was applied or not. If not, we could theoretically queue and then relookup the conntrack on reinject. This would create a new entry in established, new or invalid state (userspace can munge the packet).

ATM I would prefer to go with the minimal solution which is to disable this feature.
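The following is an added illustration, not part of this commit and not kernel code: a small userspace C model of the rule the message describes, i.e. an unconfirmed conntrack entry (not yet in the global hash) is only handed to nfqueue while its refcount is 1, so in a multicast or flood fan-out every clone but the last is refused, while a confirmed entry is unaffected. All struct and function names (ct_model, skb_model, nfqueue_admit_model, simulate_fanout, and so on) are invented stand-ins for nf_conn, sk_buff, skb_clone() and the queue check; the fan-out assumes the usual pattern of cloning for every output but the last, which reuses the original skb, and the constructed scenarios are the only input.

```c
/* Userspace model of the refcount/confirmation rule discussed above.
 * Added illustration, not kernel code: every name here is an invented
 * stand-in for nf_conn, sk_buff, skb_clone() and the nfqueue admission check. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct ct_model {
    unsigned int use;   /* stands in for ct->use (ct_general.use) */
    bool confirmed;     /* stands in for IPS_CONFIRMED: entry is in the global hash */
};

struct skb_model {
    struct ct_model *ct; /* stands in for the conntrack attached to skb->_nfct */
};

/* A freshly looked-up packet: one holder, exactly what conntrack assumes. */
static struct skb_model *skb_new_with_ct(bool confirmed)
{
    struct ct_model *ct = calloc(1, sizeof(*ct));
    struct skb_model *skb = calloc(1, sizeof(*skb));

    if (!ct || !skb) {
        free(ct);
        free(skb);
        return NULL;
    }
    ct->use = 1;
    ct->confirmed = confirmed;
    skb->ct = ct;
    return skb;
}

/* Models skb_clone(): the clone shares the conntrack, so the refcount grows. */
static struct skb_model *skb_clone_model(const struct skb_model *orig)
{
    struct skb_model *c = calloc(1, sizeof(*c));

    if (!c)
        return NULL;
    c->ct = orig->ct;
    c->ct->use++;
    return c;
}

/* Models kfree_skb() with nf_conntrack_put(): the last holder frees the entry. */
static void skb_free_model(struct skb_model *skb)
{
    if (!skb)
        return;
    if (skb->ct && --skb->ct->use == 0)
        free(skb->ct);
    free(skb);
}

/* The rule from the commit message: an unconfirmed entry may only go to
 * nfqueue while nothing else references it. Returns 0 if the packet may be
 * queued, -1 if it must be refused (dropped). */
static int nfqueue_admit_model(const struct skb_model *skb)
{
    const struct ct_model *ct = skb->ct;

    if (!ct)
        return 0;      /* untracked: nothing to share */
    if (ct->confirmed)
        return 0;      /* already in the global table: other cores may see it anyway */
    if (ct->use > 1)
        return -1;     /* unconfirmed and shared with other clones: refuse */
    return 0;          /* unconfirmed, but we are the sole holder */
}

/* Simulates fanning one packet out to `ncopies` outputs, cloning for every
 * output but the last (which reuses the original skb) and applying the rule
 * to each copy in delivery order. Refused copies are dropped at once;
 * admitted ones are held until the end, as a queued packet would be.
 * Returns the number admitted; *refused receives the number dropped. */
static unsigned int simulate_fanout(unsigned int ncopies, bool confirmed,
                                    unsigned int *refused)
{
    struct skb_model **held;
    struct skb_model *orig;
    unsigned int admitted = 0, i;

    *refused = 0;
    if (ncopies == 0)
        return 0;
    held = calloc(ncopies, sizeof(*held));
    orig = skb_new_with_ct(confirmed);
    if (!held || !orig) {
        free(held);
        skb_free_model(orig);
        return 0;
    }
    for (i = 0; i < ncopies; i++) {
        struct skb_model *skb = (i + 1 < ncopies) ? skb_clone_model(orig) : orig;

        if (!skb) {         /* allocation failure: treat as a dropped copy */
            (*refused)++;
            continue;
        }
        if (nfqueue_admit_model(skb) == 0) {
            held[admitted++] = skb;
        } else {
            (*refused)++;
            skb_free_model(skb);
        }
    }
    for (i = 0; i < admitted; i++)
        skb_free_model(held[i]);
    free(held);
    return admitted;
}

int main(void)
{
    unsigned int refused, admitted;

    admitted = simulate_fanout(3, false, &refused);
    printf("unconfirmed, 3 copies: %u admitted, %u refused\n", admitted, refused);
    admitted = simulate_fanout(3, true, &refused);
    printf("confirmed,   3 copies: %u admitted, %u refused\n", admitted, refused);
    return 0;
}
```

With three outputs and an unconfirmed entry the model admits only the final copy (the original skb, whose refcount has dropped back to 1 after the refused clones were freed), which is the "except the last multicast/broadcast packet" behaviour stated above; with a confirmed entry all three copies are admitted, since the sharing problem only concerns entries that are not yet in the global table.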