I am going to conntrack and NAT UDP traffic with destination port 4. In the conntrack helper() I did this:

    if (ct->status & IPS_NAT_MASK) {
        printk("going to ALG part after NAT\n");
        ret = NF_QUEUE;
    }

After MASQUERADE, the first query packet (with dport 4) goes into the application layer gateway via NF_QUEUE into userspace, where the payload can be changed further. Then I use ipq_set_verdict() with verdict NF_ACCEPT to forward it. But when the response comes in the other direction, it cannot be recognized as the reply to the query.

I think the nf_conntrack entry of the first query packet has been lost, because when I just use MASQUERADE without userspace processing, the response is marked correctly as IP_CT_IS_REPLY.

I have printed out the conntrack tuples when helper() is called.

For the query, ctinfo = IP_CT_NEW:

    original tuple: 10.21.22.21:4 -> 10.23.24.24:4 l3num:2 protonum:17
    reply tuple:    10.23.24.24:4 -> 10.22.23.22:4 l3num:2 protonum:17

10.21.22.21 is the IP address of the querying node, 10.22.23.22 is the NAT and 10.23.24.24 is the responding node.

For the response, ctinfo = IP_CT_NEW (which should be IP_CT_IS_REPLY):

    original tuple: 10.23.24.24:4 -> 10.22.23.22:4 l3num:2 protonum:17
    reply tuple:    10.22.23.22:4 -> 10.23.24.24:4 l3num:2 protonum:17

Could someone help me figure this out?

Best regards!!