Back to my original question then: what is the rule of thumb? In other words, for a non-programmer reading proper documentation, how would the documentation describe INVALID?

> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Christoph Paasch
> Sent: Thursday, November 13, 2008 2:31 PM
> To: Gilad Benjamini
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: INVALID state
>
> Hi,
>
> On Thu November 13 2008, Gilad Benjamini wrote:
> > - init_conntrack calls l4proto->new. If a zero value is returned,
> > nf_conntrack_free is called and the packet's connection is considered
> > INVALID
> In fact, the packet isn't marked "INVALID"; there is just xt_state.c, which
> detects an invalid packet if nf_ct_get(...) returns 0 or NULL. Which means
> that skb->nfct == NULL. Which in turn means that nf_conntrack_in didn't
> assign a connection to the packet.
>
> And that will be the case if any of these calls return a negative value (take
> a look at nf_conntrack_in and the functions it's calling):
> l3proto->get_l4proto
> l3proto->pkt_to_tuple
> l3proto->invert_tuple
> l4proto->error
> l4proto->pkt_to_tuple
> l4proto->invert_tuple
> l4proto->new
> l4proto->packet
> nf_conntrack_alloc
>
> So, there can be A LOT of cases where conntrack detects an invalid
> packet...
>
> --
> Christoph Paasch
>
> www.rollerbulls.be
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
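The mechanism Christoph describes, written out as an added toy model in C. This is not kernel code and not part of the thread: the structures, the tiny connection table, the TCP-only tracker and its "only a SYN may open a connection" rule are all simplified stand-ins, and only some of the hooks from his list (get_l4proto, error, new, packet, alloc) are modelled. What it shows is the point of his answer: nothing ever stamps a packet "INVALID"; the state match just asks whether nf_conntrack_in managed to attach a conntrack entry, and any failing step along the way leaves skb->nfct NULL.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (not the kernel's code) of the decision described in the thread:
 * nf_conntrack_in attaches a conntrack only if every step succeeds; otherwise
 * skb->nfct stays NULL and the state match reports INVALID. */

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_INVALID };

struct tuple { unsigned int src, dst; unsigned short sport, dport; unsigned char proto; };
struct conn  { struct tuple tuple; int packets; };   /* one tracked connection */
struct skb   { struct tuple hdr; unsigned char tcp_flags; struct conn *nfct; };
/* tcp_flags is constructed: SYN = 0x02, ACK = 0x10.  nfct == NULL: no conntrack. */

/* Per-protocol hooks as in the thread; a negative return rejects the packet. */
struct l4proto {
    int (*error)(const struct skb *skb);
    int (*new)(struct conn *ct, const struct skb *skb);   /* 0 = refuse to create */
    int (*packet)(struct conn *ct, const struct skb *skb);
};

static int tcp_error(const struct skb *skb)
{   /* assumed sanity check: a TCP segment with no flags at all is malformed */
    return skb->tcp_flags == 0 ? -1 : 0;
}
static int tcp_new(struct conn *ct, const struct skb *skb)
{   /* assumed rule: only a SYN may open a tracked connection, a lone ACK may not */
    (void)ct;
    return (skb->tcp_flags & 0x02) ? 1 : 0;
}
static int tcp_packet(struct conn *ct, const struct skb *skb)
{
    (void)skb;
    ct->packets++;
    return 0;
}
static const struct l4proto tcp_proto = { tcp_error, tcp_new, tcp_packet };

static int get_l4proto(const struct skb *skb, const struct l4proto **l4)
{
    if (skb->hdr.proto == 6) { *l4 = &tcp_proto; return 0; }
    return -1;                       /* no tracker for this protocol in the model */
}

/* A small fixed table stands in for the conntrack hash. */
#define MAX_CONNS 8
static struct conn table[MAX_CONNS];
static int nconns;

void ct_table_reset(void) { memset(table, 0, sizeof table); nconns = 0; }

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
static struct conn *find_conn(const struct tuple *t)
{
    for (int i = 0; i < nconns; i++)
        if (tuple_eq(&table[i].tuple, t)) return &table[i];
    return NULL;
}
static struct conn *nf_conntrack_alloc(void)
{
    if (nconns == MAX_CONNS) return NULL;           /* table full: also INVALID */
    memset(&table[nconns], 0, sizeof table[0]);
    return &table[nconns++];
}
static void nf_conntrack_free(struct conn *ct) { (void)ct; nconns--; }

/* Returns 0 and sets skb->nfct on success; -1 leaves skb->nfct NULL. */
int nf_conntrack_in_model(struct skb *skb)
{
    const struct l4proto *l4;
    struct conn *ct;
    skb->nfct = NULL;
    if (get_l4proto(skb, &l4) < 0) return -1;
    if (l4->error(skb) < 0)        return -1;
    ct = find_conn(&skb->hdr);
    if (ct == NULL) {                                /* the init_conntrack path */
        if ((ct = nf_conntrack_alloc()) == NULL) return -1;
        ct->tuple = skb->hdr;
        if (l4->new(ct, skb) == 0) { nf_conntrack_free(ct); return -1; }
    }
    if (l4->packet(ct, skb) < 0) return -1;
    skb->nfct = ct;
    return 0;
}

/* What the state match really tests: is there a conntrack on the skb at all? */
enum ct_state xt_state_match(const struct skb *skb)
{
    if (skb->nfct == NULL) return CT_INVALID;
    return skb->nfct->packets > 1 ? CT_ESTABLISHED : CT_NEW;
}

/* Build one constructed packet (10.0.0.1:sport -> 10.0.0.2:80) and classify it. */
enum ct_state classify(unsigned char proto, unsigned short sport, unsigned char flags)
{
    struct skb skb;
    memset(&skb, 0, sizeof skb);
    skb.hdr.src = 0x0a000001; skb.hdr.dst = 0x0a000002;
    skb.hdr.sport = sport;    skb.hdr.dport = 80;
    skb.hdr.proto = proto;    skb.tcp_flags = flags;
    nf_conntrack_in_model(&skb);
    return xt_state_match(&skb);
}

int main(void)
{
    static const char *name[] = { "NEW", "ESTABLISHED", "INVALID" };
    ct_table_reset();
    printf("SYN, new flow:        %s\n", name[classify(6, 40000, 0x02)]);
    printf("ACK, same flow:       %s\n", name[classify(6, 40000, 0x10)]);
    printf("ACK, unknown flow:    %s\n", name[classify(6, 40001, 0x10)]);
    printf("TCP with no flags:    %s\n", name[classify(6, 40002, 0x00)]);
    printf("untracked protocol:   %s\n", name[classify(17, 40003, 0x02)]);
    return 0;
}
```

The last three cases fail at different hooks (new, error, get_l4proto) yet all look identical to the state match, which is the rule of thumb the question is after: INVALID is not a verdict about the packet's contents, it is the absence of any connection the tracker was able or willing to associate with it, so the safe documentation-level reading is "a packet conntrack could not fit into any connection it knows about or is prepared to start".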