iptables allows querying for 4 states: NEW, ESTABLISHED, RELATED, INVALID. The first three are pretty obvious. What exactly are the semantics of the INVALID state?

My setup involves a firewall on a bridge and a dual-NIC protected machine:

    Network A -- Protected machine -- Network B -- Firewall

The protected machine has asymmetric routing. A ping arriving via network A is replied to via network B. The reply packet is seen as part of an INVALID connection. The same thing happens for a SYN packet from network A, which leads to a SYN-ACK on network B.

I read somewhere that an ACK packet belonging to a non-existing connection, for example, will be in NEW state. I was assuming that SYN-ACK would behave the same. So when is a connection considered INVALID?

P.S.: By now this is a theoretical question, as the asymmetric routing was a misconfiguration. Nevertheless, I am trying to understand what happened.
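Added example (not from the post or the netfilter project): a simplified Python model of how conntrack decides whether a packet may open a connection entry, which reproduces the behaviour described above when the firewall only sees the protected machine's replies. The addresses, the flow key and the reduced rule set (no window tracking, no timeouts) are assumptions of this model.

```python
# Simplified model of Linux conntrack classification. Assumption: the rules below
# paraphrase only the "first packet" rows of the TCP state table and the ICMP
# request/reply split; window tracking and the full state machine are omitted.

class ConntrackModel:
    """Classifies packets one at a time, as a bridge firewall would see them."""

    def __init__(self, tcp_loose=True):
        # Models sysctl net.netfilter.nf_conntrack_tcp_loose (kernel default 1):
        # may a bare ACK "pick up" a connection whose handshake was never seen?
        self.tcp_loose = tcp_loose
        self.flows = {}  # flow key -> {"orig": (src, dst), "seen_reply": bool}

    @staticmethod
    def _key(pkt):
        # Both directions of a flow must map to the same entry.
        return (pkt["proto"],) + tuple(sorted([pkt["src"], pkt["dst"]]))

    def _may_open_entry(self, pkt):
        """Rules for a packet that matches no existing entry (conntrack state NONE)."""
        if pkt["proto"] == "tcp":
            f = pkt["flags"]
            if "RST" in f or "FIN" in f:
                return False                       # cannot start a connection
            if "SYN" in f:
                return "ACK" not in f              # SYN -> NEW, SYN-ACK -> INVALID
            return "ACK" in f and self.tcp_loose   # mid-stream pickup only if loose
        if pkt["proto"] == "icmp":
            return pkt["type"] == "echo-request"   # a reply never opens an entry
        return False

    def classify(self, pkt):
        """Return the ctstate iptables would match: NEW, ESTABLISHED or INVALID."""
        key = self._key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            if not self._may_open_entry(pkt):
                return "INVALID"
            self.flows[key] = {"orig": (pkt["src"], pkt["dst"]), "seen_reply": False}
            return "NEW"
        if (pkt["src"], pkt["dst"]) != flow["orig"]:
            flow["seen_reply"] = True              # reply direction seen
        return "ESTABLISHED" if flow["seen_reply"] else "NEW"


def asymmetric_scenario(tcp_loose=True):
    """The post's setup: the firewall on network B sees only the replies (constructed)."""
    ct = ConntrackModel(tcp_loose)
    ping_reply = {"proto": "icmp", "src": "10.0.0.1", "dst": "10.0.1.9", "type": "echo-reply"}
    syn_ack = {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.1.9", "flags": {"SYN", "ACK"}}
    bare_ack = {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.1.9", "flags": {"ACK"}}
    return [ct.classify(ping_reply), ct.classify(syn_ack), ct.classify(bare_ack)]
```

With both directions visible the same model yields NEW for the SYN and ESTABLISHED for the SYN-ACK; in the asymmetric case the reply and the SYN-ACK are INVALID while the bare ACK is picked up as NEW only because tcp_loose is on.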