Hi,

On Thu November 13 2008, Gilad Benjamini wrote:
> - init_conntrack calls l4proto->new. If a zero value is returned,
> nf_conntrack_free is called and the packet's connection is considered
> INVALID

In fact, the packet isn't marked "INVALID"; there is just xt_state.c, which detects an invalid packet if nf_ct_get(...) returns 0 or NULL. Which means that skb->nfct == NULL. Which in turn means that nf_conntrack_in didn't assign a connection to the packet.

And that will be the case if any of these calls returns a negative value (take a look at nf_conntrack_in and the functions it's calling):

l3proto->get_l4proto
l3proto->pkt_to_tuple
l3proto->invert_tuple
l4proto->error
l4proto->pkt_to_tuple
l4proto->invert_tuple
l4proto->new
l4proto->packet
nf_conntrack_alloc

So, there can be A LOT of cases where conntrack detects an invalid packet...

--
Christoph Paasch
www.rollerbulls.be

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
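The point of the reply is that xt_state has no "INVALID" flag to look at: it only sees whether nf_conntrack_in managed to attach a conntrack entry to the skb, and every hook in that call chain can make it give up. The following is an added, hypothetical user-space model of that control flow, written for this page and not taken from the kernel or from the thread. It keeps the contract described above (l3/l4 helpers return a negative value on failure, l4proto->new returns false when it refuses the connection, nf_conntrack_alloc is represented by a caller-supplied slot) and assumes IPv4/TCP only, no connection table (every packet is treated as a candidate first packet) and deliberately simplified versions of the tcp_error and tcp_new checks. The sample packets are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the nf_conntrack_in() hook chain (illustration only,
 * not kernel code).  Any failing hook leaves the packet without a conntrack
 * entry (ct == NULL), which is exactly what the xt_state model reports as
 * INVALID.  Only IPv4/TCP is modelled and there is no connection table. */

struct pkt   { const uint8_t *data; size_t len; };
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct ct    { struct tuple orig, reply; };

enum ct_state { STATE_INVALID = 0, STATE_NEW = 1 };

#define PROTO_TCP    6
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* l3proto->get_l4proto: needs a complete, sane IPv4 header */
static int l3_get_l4proto(const struct pkt *p, uint8_t *proto, size_t *l4off)
{
    if (p->len < 20 || (p->data[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p->data[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > p->len) return -1;
    *proto = p->data[9];
    *l4off = ihl;
    return 0;
}

/* l3proto->pkt_to_tuple: addresses from the IPv4 header */
static int l3_pkt_to_tuple(const struct pkt *p, struct tuple *t)
{
    memcpy(&t->saddr, p->data + 12, 4);
    memcpy(&t->daddr, p->data + 16, 4);
    return 0;
}

/* l4proto->error (simplified tcp_error): reject truncated/malformed TCP headers */
static int l4_error(const struct pkt *p, size_t off)
{
    if (p->len < off + 20) return -1;
    size_t doff = (size_t)(p->data[off + 12] >> 4) * 4;
    if (doff < 20 || off + doff > p->len) return -1;
    return 0;
}

/* l4proto->pkt_to_tuple: ports from the TCP header */
static int l4_pkt_to_tuple(const struct pkt *p, size_t off, struct tuple *t)
{
    t->sport = (uint16_t)((p->data[off] << 8) | p->data[off + 1]);
    t->dport = (uint16_t)((p->data[off + 2] << 8) | p->data[off + 3]);
    t->proto = PROTO_TCP;
    return 0;
}

/* l3proto/l4proto->invert_tuple: derive the reply direction */
static int invert_tuple(const struct tuple *o, struct tuple *r)
{
    r->saddr = o->daddr; r->daddr = o->saddr;
    r->sport = o->dport; r->dport = o->sport;
    r->proto = o->proto;
    return 0;
}

/* l4proto->new (simplified tcp_new): a connection may only start with a bare SYN */
static bool l4_new(const struct pkt *p, size_t off)
{
    uint8_t flags = p->data[off + 13];
    return (flags & TCP_FLAG_SYN) && !(flags & (TCP_FLAG_ACK | TCP_FLAG_RST));
}

/* l4proto->packet: nothing further to check for the opening SYN in this model */
static int l4_packet(const struct pkt *p, size_t off) { (void)p; (void)off; return 0; }

/* Model of nf_conntrack_in(): NULL from any hook means "no conntrack attached" */
static struct ct *conntrack_in(const struct pkt *p, struct ct *slot)
{
    uint8_t proto; size_t off; struct tuple t;
    if (l3_get_l4proto(p, &proto, &off) < 0) return NULL;
    if (proto != PROTO_TCP) return NULL;            /* model: TCP only */
    if (l4_error(p, off) < 0) return NULL;
    if (l3_pkt_to_tuple(p, &t) < 0) return NULL;
    if (l4_pkt_to_tuple(p, off, &t) < 0) return NULL;
    /* no table lookup in the model: every packet reaches init_conntrack */
    if (invert_tuple(&t, &slot->reply) < 0) return NULL;
    if (!l4_new(p, off)) return NULL;               /* nf_conntrack_free() */
    slot->orig = t;
    if (l4_packet(p, off) < 0) return NULL;
    return slot;
}

/* Model of xt_state: no conntrack attached == INVALID */
static enum ct_state state_match(const struct ct *c)
{
    return c ? STATE_NEW : STATE_INVALID;
}

enum ct_state classify(const uint8_t *buf, size_t len)
{
    struct pkt p = { buf, len };
    struct ct slot;
    return state_match(conntrack_in(&p, &slot));
}

/* Constructed samples: 20-byte IPv4 header + 20-byte TCP header, 10.0.0.1:1234 -> 10.0.0.2:80 */
#define IPV4_TCP(flags) \
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,PROTO_TCP,0x00,0x00, \
    10,0,0,1, 10,0,0,2, \
    0x04,0xD2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,(flags), 0xFF,0xFF, 0,0, 0,0

const uint8_t pkt_syn[] = { IPV4_TCP(TCP_FLAG_SYN) };  /* proper opening SYN */
const uint8_t pkt_ack[] = { IPV4_TCP(TCP_FLAG_ACK) };  /* stray ACK for an unknown connection */
```

Passing pkt_syn yields STATE_NEW; passing pkt_ack fails in l4_new, and passing a prefix of pkt_syn shorter than 40 bytes fails in l4_error (or, under 20 bytes, already in l3_get_l4proto). All three failures look identical to the xt_state model, which is the reply's point: "INVALID" is the absence of a conntrack, not a verdict any single hook emits.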