On Thursday 2011-08-11 12:12, Jozsef Kadlecsik wrote:

>> Packets are being matched as INVALID when we would expect them to be
>> ESTABLISHED. We are running on kernel 2.6.30.5 on X86_64 with CentOS 5.4
>> and iptables-1.3.5-5.3.el5_4.1.
>> [...]
>> Aug 11 03:29:19 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4
>> SRC=172.x.y.73 DST=172.x.z.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32940
>> DF PROTO=TCP SPT=8080 DPT=52999 WINDOW=34 RES=0x00 ACK FIN URGP=0
>
> Those are, with high probability, late FIN packets: the belonging conntrack
> entry has already been deleted and thus conntrack cannot find the matching
> stream, therefore it sets as INVALID.

Should not FIN retransmissions ideally be classified as ESTABLISHED (or
perhaps a new state) as long as the final ACK has not been seen?
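When an INVALID-logging rule fires as often as in the report above, the first triage question is how many of the logged packets fit the late-FIN explanation Jozsef gives and how many are something else. The following script is an added example, not code from this thread or from the netfilter project: it parses the kernel LOG target line format shown in the quoted message and applies a heuristic label to each INVALID TCP packet based on its flag bits. The sample log lines are constructed for the example (addresses, ports and IDs are placeholders), and the category names ("late-fin", "late-rst", "bare-syn") are the script's own labels, not conntrack states.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG target format quoted in the
# thread. Hosts, ports and IP IDs are placeholders, not captured traffic.
SAMPLE_LOG = """\
Aug 11 03:29:19 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.73 DST=172.16.2.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32940 DF PROTO=TCP SPT=8080 DPT=52999 WINDOW=34 RES=0x00 ACK FIN URGP=0
Aug 11 03:29:20 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.80 DST=172.16.2.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=512 RES=0x00 SYN URGP=0
Aug 11 03:29:21 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.90 DST=172.16.2.34 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=22 DPT=40001 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 11 03:29:22 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.91 DST=172.16.2.34 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=53 DPT=40002 LEN=44
"""

# TCP flag tokens the LOG target prints as bare words (DF is an IP flag, so
# it is deliberately not in this set).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split one kernel LOG line into the rule prefix, key=value fields and TCP flags.

    Returns None for lines that are not LOG target output.
    """
    if "kernel:" not in line or "IN=" not in line:
        return None
    body = line.split("kernel:", 1)[1].strip()
    prefix, rest = body.split("IN=", 1)
    rest = "IN=" + rest
    fields = {}
    for key, value in KV_RE.findall(rest):
        # UDP lines carry LEN twice (IP header, then UDP header); keep the first.
        fields.setdefault(key, value)
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return {"prefix": prefix.strip(), "fields": fields, "tcp_flags": flags}


def classify_invalid(rec):
    """Heuristic label for a packet that conntrack marked INVALID.

    "late-fin" matches the case discussed in the thread: a FIN/ACK that arrives
    after the conntrack entry for its stream has already been removed.
    """
    if rec["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    f = rec["tcp_flags"]
    if "RST" in f:
        return "late-rst"        # RST for a stream conntrack no longer knows
    if "FIN" in f and "ACK" in f and "SYN" not in f:
        return "late-fin"        # FIN (re)transmission after entry deletion
    if f == {"SYN"}:
        return "bare-syn"        # SYN that did not create a new entry
    return "other-tcp"


def summarize(log_text):
    """Count INVALID packets per heuristic label across a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or "INVALID" not in rec["prefix"]:
            continue
        counts[classify_invalid(rec)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:10s} {n}")
```

Run it against real LOG output (for example `journalctl -k` or `/var/log/messages`) and the "late-fin" count tells you how much of the INVALID noise is the benign tail of normal connection teardown; the remaining categories are the ones worth looking at individually, because they are not explained by a missing conntrack entry for a closing stream.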