Your comment about gre really nudged me in the right direction. After refining my logging rules I have found that incoming tcp packets with destination port 21 or 1723 would trigger the nf_conntrack message. This now makes sense since I have assigned helpers for the outgoing packets but not incoming packets. My mistake was assuming that connection tracking helpers applied only outgoing packets. I was also puzzled as to why udp packets with destination port 5060 (and other default ports for protocols for which there is a conntrack helper) would not trigger the message but I assume that is because nf_conntrack_sip is not loaded. -- Mauro Santos -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
