Hi list,
The failure of a simple test with conntrack makes me believe that I
misunderstood some part of the concept.
The test case:
* Create one forwarded TCP connection through the iptables firewall and
leave it open
* Delete the conntrack entry of this connection
* Re-add the same conntrack entry with conntrack -I
* Verify that the old and new entries look the same (conntrack -L)
* Send one more byte over the still open TCP connection
The expected result:
* TCP flow continues without creating a new conntrack entry, using the
one added manually
* ACCEPT via the ESTABLISHED rule because of the valid conntrack entry
The actual result:
* Conntrack code seems to believe that the packets do not belong to the
conntrack entry
* Conntrack code does not create a new conntrack entry
* Conntrack code cannot update the conntrack entry even when the packet is accepted.
Can someone enlighten me whether manual entry creation is possible?
Thanks, Roman
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
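The test case above, written out as a reproduction script so others on the list can run the same steps and post the same observations. This is an added example, not Roman's script and not part of conntrack-tools; it assumes a Linux host with iptables and conntrack(8), root privileges for the live steps, and that the forwarded TCP flow (for example an nc session) is opened by hand before the script runs. The addresses, port and the sample `conntrack -L` line are constructed placeholders. The `build_insert_cmd` helper is pure text processing and runs without privileges; it re-creates the original-direction tuple, state and timeout from a `conntrack -L` line as a `conntrack -I` command, which is the step where a hand-typed entry most easily ends up not identical to the deleted one.

```shell
#!/bin/sh
# Reproduction of the delete / re-add conntrack test case (added example,
# not code from the original post). Placeholders: override via environment.
SRC=${SRC:-192.0.2.10}        # client of the forwarded flow (placeholder)
DST=${DST:-198.51.100.20}     # server of the forwarded flow (placeholder)
DPORT=${DPORT:-80}

# Constructed sample of one 'conntrack -L' line for such a flow; not
# captured from a real system. Used for the offline self-check below.
SAMPLE_ENTRY='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.20 sport=45678 dport=80 src=198.51.100.20 dst=192.0.2.10 sport=80 dport=45678 [ASSURED] mark=0 use=1'

# Print the 'conntrack -I' command that re-creates the entry described by one
# 'conntrack -L' line. Field 3 is the timeout, field 4 the TCP state; the
# first src=/dst=/sport=/dport= tokens are the original-direction tuple
# (conntrack derives the reply tuple itself). Pure awk, needs no root.
build_insert_cmd() {
    printf '%s\n' "$1" | awk '{
        timeout = $3; state = $4
        for (i = 5; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue      # skip [ASSURED]
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (!(k in got)) got[k] = v                   # keep first = orig dir
        }
        printf "conntrack -I -p tcp --src %s --dst %s --sport %s --dport %s --state %s --timeout %s\n",
               got["src"], got["dst"], got["sport"], got["dport"], state, timeout
    }'
}

# Record the TCP tracking knobs next to the results, so a report to the list
# shows how the kernel was configured when the packet was judged.
show_tcp_sysctls() {
    for f in nf_conntrack_tcp_loose nf_conntrack_tcp_be_liberal; do
        printf '%s=%s\n' "$f" "$(cat "/proc/sys/net/netfilter/$f" 2>/dev/null || echo '?')"
    done
}

# The live procedure: needs root and an already open forwarded flow.
run_testcase() {
    flow="-p tcp --src $SRC --dst $DST --dport $DPORT"
    # shellcheck disable=SC2086  # $flow is deliberately word-split
    before=$(conntrack -L $flow 2>/dev/null | head -n 1)
    if [ -z "$before" ]; then
        echo "no conntrack entry for the flow; open the TCP connection first" >&2
        return 1
    fi
    echo "before: $before"
    conntrack -D $flow                              # step 2: delete the entry
    cmd=$(build_insert_cmd "$before")               # step 3: rebuild it
    echo "re-add: $cmd"
    $cmd
    after=$(conntrack -L $flow 2>/dev/null | head -n 1)
    echo "after:  $after"                           # step 4: compare by eye
    show_tcp_sysctls
    echo "Now send one byte over the open connection (step 5), then run:"
    echo "  conntrack -L $flow"
    echo "  iptables -L FORWARD -v -n      # counters of the ESTABLISHED rule"
    echo "A 'conntrack -E $flow' in another terminal shows whether the kernel"
    echo "emits an UPDATE event for the entry when that byte passes."
}

if [ "${1-}" = run ]; then
    run_testcase
fi
```

Run it as `sh script.sh run` after opening the flow; without `run` it only defines the helpers. Comparing the `before` and `after` lines together with the `conntrack -E` stream and the FORWARD counters is what distinguishes "the packet never matched the entry" from "the packet matched but the entry was not updated", which are the two observations the post lists separately.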