search for: conntrack_mt

...lists.netfilter.org ReportedBy: quentin at armitage.org.uk Estimated Hours: 0.0 Created attachment 427 --> https://bugzilla.netfilter.org/attachment.cgi?id=427 Patch to not allow any other conntrack matches with ctstate INVALID In the kernel net/netfilter/xt_conntrack.c function conntrack_mt, if there is no conntrack entry, the state is considered invalid. Then, a further check for no conntrack entry causes a return, before any other checks are made. An example is: iptables -A CHAIN -m conntrack --ctstate INVALID --ctproto tcp which would match a udp packet (or any other protocol), an...

Hello, I'm having problem setting up filtering traffic for a virtual machine managed by libvirt. Strange thing is, such a setup has been working fine for me on an older version of distro (namely, opensuse 11.3 w/updates, kernel 2.6.34, libvirt 0.8.8) but refused to work on shiny new opensuse 12.4 (kernel 3.7.10, libvirt 1.0.2). The definition of filter in question is pretty simple: