On 26/07/10 13:13, Jan Engelhardt wrote:
>
> On Monday 2010-07-26 13:09, Pablo Neira Ayuso wrote:
>>>>>
>>>>> Means packets are tagged as INVALID.
>>>>
>>>> Indeed. You have to add a rule to drop invalid packets before the CLUSTERIP
>>>> rule to avoid this message.
>>>
>>> Hm, couldn't we just drop the message? There are many other components
>>> in Netfilter that silently bail out when nf_ct_get returns NULL, like
>>> xt_connlimit.
>>
>> Yes, it's a good idea for the short run.
>>
>> In the long run, we should deprecate CLUSTERIP since it has been superseded by
>> the cluster match. However, I wanted to document the new approach before doing
>> so (I found no spare time to do it).
>>
>> IIRC, the message is only displayed if netfilter debugging is enabled.
>
> pr_info it says.

Then, it would be better to use pr_debug instead.
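The ordering advice quoted in the thread (drop INVALID packets before the CLUSTERIP rule) can be checked against a chain listing. This is an added example, not part of the original messages: the function names, addresses and sample rules are constructed, and it only inspects rule order in `iptables -S <chain>` style text.

```shell
#!/bin/sh
# Added example. Reads `iptables -S <chain>` style rules on stdin.
# Exit status: 0 = an INVALID-state DROP rule precedes the first CLUSTERIP
# rule, 1 = it does not, 2 = the listing has no CLUSTERIP rule at all.
invalid_dropped_before_clusterip() {
    awk '
        # Accept both "-m conntrack --ctstate" and the older "-m state --state".
        # A negated match ("! --ctstate INVALID") drops everything except
        # INVALID packets, so it does not count.
        /-j DROP/ && /--(ct)?state [A-Z,]*INVALID/ && !/! --(ct)?state / {
            if (!seen_cluster) drop_first = 1
        }
        # Only the first CLUSTERIP rule decides the result.
        /-j CLUSTERIP/ && !seen_cluster { seen_cluster = 1; ok = drop_first }
        END {
            if (!seen_cluster) exit 2
            exit (ok ? 0 : 1)
        }
    '
}

# Convenience wrapper: check a ruleset held in a string.
check_rules() { printf '%s\n' "$1" | invalid_dropped_before_clusterip; }

# Constructed sample listings (documentation address, made-up cluster MAC).
SAMPLE_OK='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -d 192.0.2.10/32 -i eth0 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1'

SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -d 192.0.2.10/32 -i eth0 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1
-A INPUT -m conntrack --ctstate INVALID -j DROP'

check_rules "$SAMPLE_OK"  && echo "SAMPLE_OK: INVALID is dropped before CLUSTERIP"
check_rules "$SAMPLE_BAD" || echo "SAMPLE_BAD: INVALID packets can reach CLUSTERIP"
```

On a live system the same function can be fed with `iptables -S INPUT | invalid_dropped_before_clusterip`; a DROP rule narrowed by other matches (interface, address) still counts here, so review such rules by hand.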