On Monday 2010-07-26 13:09, Pablo Neira Ayuso wrote:
>>>>
>>>> Means packets are tagged as INVALID.
>>>
>>> Indeed. You have to add a rule to drop invalid packets before the CLUSTERIP
>>> rule to avoid this message.
>>
>> Hm, couldn't we just drop the message? There are many other components
>> in Netfilter that silently bail out when nf_ct_get returns NULL, like
>> xt_connlimit.
>
> Yes, it's a good idea for the short run.
>
> In the long run, we should deprecate CLUSTERIP since it has been superseded by
> the cluster match. However, I wanted to document the new approach before doing
> so (I found no spare time to do it).
>
> IIRC, the message is only displayed if netfilter debugging is enabled.

pr_info it says.