"ulog" logging mode misses RELATED,ESTABLISHED connections
The rule of a logging policy with mode “ulog” is always added after the RELATED and ESTABLISHED rules:
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j logulog-0
If ULOG is being used for netflow traffic accounting, this causes the figures to be completely incorrect. I believe the same thing happens/applies with logging mode “NFLOG”.
(from redmine: issue id 2194, created on 2013-08-06, closed on 2013-08-15)
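
An added example, not part of the original report or the project's code: a small check over iptables-save style output that flags log jumps placed after an ACCEPT for ESTABLISHED traffic in the same chain, which is the ordering described above. The `lognflog` prefix and the sample rulesets' framing lines are assumptions.

```python
import shlex

# Assumption: logging jumps go to ULOG/NFLOG directly or to a chain whose name
# starts with one of these prefixes ("logulog-0" is the chain in the report;
# "lognflog" is a hypothetical NFLOG counterpart).
LOG_TARGETS = {"ULOG", "NFLOG"}
LOG_CHAIN_PREFIXES = ("logulog", "lognflog")

# The two rules from the report, wrapped in constructed iptables-save framing.
AS_REPORTED = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j logulog-0
COMMIT
"""
# Constructed for contrast: the same rules with the log jump first.
REORDERED = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o eth0 -j logulog-0
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Return (chain, target, ctstates) for an '-A' rule line, else None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
            if t in ("-j", "-g", "--ctstate", "--state")}
    states = (opts.get("--ctstate") or opts.get("--state") or "").split(",")
    return tok[1], opts.get("-j") or opts.get("-g"), set(states) - {""}

def is_log_target(target):
    return target in LOG_TARGETS or (target or "").startswith(LOG_CHAIN_PREFIXES)

def shadowed_log_rules(ruleset):
    """List (chain, log_rule, accept_rule) where a log jump follows an ACCEPT
    for ESTABLISHED traffic. An ACCEPT with extra matches shadows only part of
    the traffic, so the rule text is returned for the reader to judge."""
    accept_seen, findings = {}, []
    for line in map(str.strip, ruleset.splitlines()):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, target, states = parsed
        if target == "ACCEPT" and "ESTABLISHED" in states:
            accept_seen.setdefault(chain, line)
        elif is_log_target(target) and chain in accept_seen:
            findings.append((chain, line, accept_seen[chain]))
    return findings
```
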