On Monday 2010-11-15 22:50, Mr Dash Four wrote:
>
>>> Any ideas? The connection is definitely not tracked and could be seen with
>>> netstat from local to the remote point on the VPN.
>>>
>>
>> No idea. If I were to look at the system directly maybe.
>>
> If I can help you with providing some more info I would - just let me know, but
> the connection is definitely there and is definitely not tracked. When I
> execute 'netstat --inet -an' I get it listed, like:
> udp 0 0 10.1.1.2:51602 10.1.1.1:5351 ESTABLISHED
>
> This is not showing with "cat /proc/net/nf_conntrack | grep 5351" or "cat
> /proc/net/nf_conntrack | grep 51602"

Well yes you said that already.

BTW, netstat is obsolete, use ss. The cat is also not necessary (Useless
use of cat), just use grep, but alas, the conntrack utility is a better
solution.

The first thing I'd probably do is add a -p udp --dport 5351 -j LOGMARK
(xtables-addons) target rule in the mangle table to check for the ct
status. After that, it's pretty much kernel code debugging in
nf_conntrack_proto_udp.c, doing a spatial bisect for where the ct gets
(not) created.
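
The cross-check discussed in this thread (a connected UDP socket with no matching conntrack entry), as an added example that is not part of either poster's message. The function names `untracked_udp` and `demo` are hypothetical, the sample socket list and conntrack table are constructed, and the parser assumes the `ss -uan` column layout, the `/proc/net/nf_conntrack` line format, and IPv4 only.

```shell
#!/bin/sh
# Added example: report connected UDP sockets with no conntrack entry (IPv4).
# Live use: ss -uan > socks.txt; untracked_udp socks.txt /proc/net/nf_conntrack

untracked_udp() {   # $1 = `ss -uan` output, $2 = nf_conntrack table
    awk '
    FILENAME == ARGV[1] {            # pass 1: conntrack table
        if ($3 != "udp") next
        src = dst = sport = dport = ""
        for (i = 4; i <= NF; i++) {  # keep only the first (original) tuple
            if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
            if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
            if (sport == "" && $i ~ /^sport=/) sport = substr($i, 7)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        tracked[src ":" sport ">" dst ":" dport] = 1
        next
    }
    {                                # pass 2: socket list
        if ($1 == "State" || $5 ~ /:\*$/) next   # header, unconnected
        fwd = $4 ">" $5; rev = $5 ">" $4
        if (!(fwd in tracked) && !(rev in tracked)) print $4, $5
    }' "$2" "$1"
}

demo() {   # constructed sample data, not captured from a real host
    d=$(mktemp -d) || return 1
    cat > "$d/socks" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
ESTAB  0      0      10.1.1.2:51602     10.1.1.1:5351
ESTAB  0      0      192.0.2.10:40000   192.0.2.53:53
EOF
    cat > "$d/ct" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.80 sport=50000 dport=443 src=192.0.2.80 dst=192.0.2.10 sport=443 dport=50000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 use=2
EOF
    untracked_udp "$d/socks" "$d/ct"
    rm -rf "$d"
}

demo
```

Each line printed is a local and peer address pair whose flow appears in neither direction of the conntrack table, which is the condition the LOGMARK rule suggested above would then be used to investigate.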