On Wed, 3 Oct 2007, Krzysztof Oledzki wrote:

> Does this same error exist in 2.6.22?

Yes, and in earlier releases as well: as far as I see the bug was
introduced by nf_conntrack.

> BTW: what is your opinion about
> net.netfilter.nf_conntrack_tcp_timeout_time_wait?

We already "violate" the RFC. And considering other IP stacks, in order to
avoid all unnecessarily blocked late packets, we should probably set the
timeout value back to 2*MSL. By setting it to 1MSL we try to find the
proper balance between "not too much blocked late packets" and "get rid of
conntrack entries as fast as possible".

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary