bugzilla-daemon@netfilter.org
2003-Mar-20 10:00 UTC
[Bug 66] INPUT REJECT target needs state creation in OUTPUT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=66

------- Additional Comments From laforge@netfilter.org 2003-03-20 11:00 -------

What kernel are you running? Which patches (from patch-o-matic) did you apply? Please give us some more information :)

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@netfilter.org
2003-Mar-20 10:24 UTC
[Bug 66] INPUT REJECT target needs state creation in OUTPUT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=66

------- Additional Comments From netfilterbug@shemesh.biz 2003-03-20 11:24 -------

My apologies. It was so clear to me that this was a logic error that I didn't think it would matter.

I am using a distribution kernel, so I'm not sure what patches are installed (if any that affect the IPTables code). The kernel is a Debian woody kernel 2.4.18-686 revision 2.4.18-5.

What I believed was the cause of this problem (without looking at the code) was that a SYN packet creates a connection, and that the Reset passes the OUTPUT on that state (via the -m state --state ESTABLISHED rule). A packet with no flags at all did not create the connection, and therefore did not pass the OUTPUT chain. Checking the counters, however, reveals this theory to be false. The reject sent for TCP SYN packets does not modify any counters, while the reject sent for TCP no-flags packets requires an output rule allowing a reset.
bugzilla-daemon@netfilter.org
2003-Mar-30 19:12 UTC
[Bug 66] INPUT REJECT target needs state creation in OUTPUT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=66

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From laforge@netfilter.org 2003-03-30 21:12 -------

The TCP RST packet is (like ICMP error messages sent by REJECT) marked as RELATED.

I'm a bit undecided whether we should mark it ESTABLISHED because it behaves like a TCP stack at one end of a connection, or if we should mark it RELATED because all packets generated by REJECT are RELATED. Any way we choose, it will be inconsistent with something. So I think we will keep the current behaviour and have it marked RELATED.
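The practical consequence of the resolution above is that an OUTPUT chain which accepts only ESTABLISHED silently drops the RST and ICMP errors that REJECT generates. The script below is an added example (not from the bug thread or the netfilter project): `gen_rules` prints a stateful host ruleset in the reporter's broken form or the corrected one, and `output_allows_related` audits `iptables-save` text for the mistake. It uses the legacy `-m state --state` match the thread refers to; the sample ruleset text and the port-22 rule are constructed.

```shell
#!/bin/sh
# Print iptables commands for a stateful host firewall. MODE "broken" mirrors
# the reporter's setup (OUTPUT accepts only ESTABLISHED, so the RELATED RST
# from an INPUT REJECT is dropped); MODE "fixed" also accepts RELATED.
# Nothing is applied here; an administrator pipes the output through sh.
gen_rules() {
    mode="${1:-fixed}"
    case "$mode" in
        fixed)  states="ESTABLISHED,RELATED" ;;
        broken) states="ESTABLISHED" ;;
        *) echo "usage: gen_rules fixed|broken" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# REJECT emits a TCP RST here; conntrack marks that RST as RELATED
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ${states} -j ACCEPT
EOF
}

# Read iptables-save text on stdin; succeed (exit 0) only if the OUTPUT chain
# has a state-match ACCEPT rule whose state list includes RELATED.
output_allows_related() {
    grep -E '^-A OUTPUT .*--state [A-Z,]*RELATED.*-j ACCEPT' >/dev/null
}

# Constructed sample of what `iptables-save` prints for the broken ruleset.
SAMPLE_BROKEN='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT'
```

On a live host, `iptables-save | output_allows_related || echo "OUTPUT drops REJECT replies"` reports the condition the reporter diagnosed from his counters.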