On Wed, 18 Jun 2008, Jan Engelhardt wrote: > On Wednesday 2008-06-18 20:03, Gáspár Lajos wrote: > > > Douglas Rabe írta: > >> > >> I dont understand why this traffic is dropped? > >> > >> Jun 18 17:03:39 iahabs1 kernel: IN_DROP: IN=eth0 OUT= > >> MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=10.192.130.104 > >> DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=5563 DF PROTO=TCP > >> SPT=35557 DPT=80 WINDOW=65149 RES=0x00 ACK FIN URGP=0 > > > > Because it is a FIN packet... = ! (NEW,RELATED or ESTABLISHED) but > > INVALID !!! > > Seriously, FIN packets should not be dropped, otherwise a connection > is lurking around until it times out. Absolutely true. FIN packets which are OK according to conntrack are marked as ESTABLISHED (or RELATED). Without knowing the kernel version, one can only assume that it's the last packet of the stream which arrived too late: conntrack already deleted the the corresponding conntrack entry and therefore it could be categorized as INVALID only. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary
