Hi , I have come across something that I am starting to think is a bug , but before I start upgrading and other works lets see if I missed something ! I have log entries like these May 28 10:47:13 zotac kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=189.222.120.167 DST=# LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=5745 PROTO=TCP SPT=21735 DPT=56715 WINDOW=0 RES=0x00 ACK RST URGP=0 I have used conntrack -E -o timestamp and added logging with echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid from what I can see there is no "kernel: nf_ct_tcp: " entries at the moment of the DROP of ACK RST and there is an entry in conntrack for this session that should allow ACK RST to terminate that session . when I do : zotac:~ # journalctl | grep nf_ct | grep " ACK RST " | grep -v " ACK RST FIN " May 26 22:35:31 zotac kernel: nf_ct_tcp: invalid RST IN= OUT= SRC=# DST=81.233.185.232 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14841 PROTO=TCP SPT=7905 DPT=56206 SEQ=2244837322 ACK=835716258 WINDOW=0 RES=0x00 ACK RST URGP=0 I only find ONE result , but when I do : zotac:~ # journalctl | grep INVALID | grep " ACK RST " | grep -v " ACK RST FIN " | grep "May 2[678]" | wc 1590 38480 412611 I should have atleast 1000 + more nf_ct log entries to match all my INVALID ACK RST log entries . I have tried to spot some issues with TCPDUMPs , but all packets seems like normal ACK RST when I try to get same result "manually" by sending SYN packets "I just used "telnet IP PORT" to a port I found in my log ... I see the ACK RST telling me the port is blocked and I can't seem to find any issues with the packet ! Best regards André Paulsberg-Csibi Senior Network Engineer Fault Handling IBM Services AS andre.paulsberg-csibi@xxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
