Here is my partial analysis of the code (2.6.24), trying to understand what INVALID state means. Feedback is appreciated.

- init_conntrack calls l4proto->new. If a zero value is returned, nf_conntrack_free is called and the packet's connection is considered INVALID.
- l4proto->new can be one of:
  - tcp_new
    - Determines the new state according to tcp_conntracks
    - Returns 0 in these cases:
      - The new state is invalid
      - The new state is not SYN_SENT, and loose TCP is turned off
  - icmp_new
    - Returns 1 only for ICMP: ECHO, TIMESTAMP, INFO_REQUEST, ADDRESS
  - icmpv6_new
    - Returns 1 only for ECHO, NI_QUERY
  - sctp_new
    - (not sure of the details)
  - A list of functions which always return 1, i.e. never produce an INVALID state:
    - udp_new
    - new (@nf_conntrack_proto_generic.c)
    - gre_new
    - udplite_new
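The tcp_new decision summarised above, as a small stand-alone C model added here (not kernel code from the post or from the netfilter tree). The flag-to-index order and the sNO row of tcp_conntracks are reproduced from memory and should be treated as assumptions; the enum values are chosen only so that sIV compares >= TCP_CONNTRACK_MAX as in the kernel.

```c
/* Added model of tcp_new(): decides whether the first packet of a flow
 * gets a conntrack entry (return 1) or is marked INVALID (return 0). */
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum tcp_index { TCP_SYN_SET, TCP_SYNACK_SET, TCP_FIN_SET,
                 TCP_ACK_SET, TCP_RST_SET, TCP_NONE_SET };

/* sIV equals TCP_CONNTRACK_MAX, so "state >= MAX" means invalid. */
enum tcp_state { sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI,
                 TCP_CONNTRACK_MAX, sIV = TCP_CONNTRACK_MAX };

/* Assumed: same priority order as the kernel's get_conntrack_index(). */
static enum tcp_index get_conntrack_index(unsigned flags)
{
    if (flags & TH_RST)                                  return TCP_RST_SET;
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return TCP_SYNACK_SET;
    if (flags & TH_SYN)                                  return TCP_SYN_SET;
    if (flags & TH_FIN)                                  return TCP_FIN_SET;
    if (flags & TH_ACK)                                  return TCP_ACK_SET;
    return TCP_NONE_SET;
}

/* Assumed: tcp_conntracks[ORIGINAL][index][sNO], i.e. the row consulted
 * when no entry exists yet. Only a SYN or a bare ACK lead anywhere. */
static const enum tcp_state from_none[] = {
    [TCP_SYN_SET] = sSS, [TCP_SYNACK_SET] = sIV, [TCP_FIN_SET] = sIV,
    [TCP_ACK_SET] = sES, [TCP_RST_SET] = sIV,    [TCP_NONE_SET] = sIV,
};

int tcp_new_model(unsigned flags, int nf_ct_tcp_loose)
{
    enum tcp_state new_state = from_none[get_conntrack_index(flags)];
    if (new_state >= TCP_CONNTRACK_MAX)      /* sIV: packet is INVALID */
        return 0;
    if (new_state != sSS && !nf_ct_tcp_loose) /* mid-stream pickup is off */
        return 0;
    return 1;
}

int main(void)
{
    printf("SYN=%d ACK(loose=0)=%d ACK(loose=1)=%d SYN/ACK=%d RST=%d\n",
           tcp_new_model(TH_SYN, 0), tcp_new_model(TH_ACK, 0),
           tcp_new_model(TH_ACK, 1), tcp_new_model(TH_SYN | TH_ACK, 0),
           tcp_new_model(TH_RST, 0));
    return 0;
}
```

With nf_conntrack_tcp_loose=0 only a plain SYN creates an entry, which is why a bare ACK arriving with no existing entry ends up as INVALID.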