Jozsef Kadlecsik wrote:
> Hi Krzysztof,
>
>>--- example #1 begin ---
>
> [...]
>
> The last sequence number ACK-ed by the server is 3235585701. The ISN sent
> by the client at reopening is 2494249856, which is not after the largest
> sequence number used in the previous session.
>
>
>>--- example #1 begin ---
>
> [...]
>
>
> And the same here: largest seq is 3536556183, but the ISN is 3521103209.
>
> It seems to me conntrack is just right.

That's true, but I'm wondering, is there any benefit in being strict
about this? The chances of accidentally reopening an old connection are
a lot smaller than breaking things as in this case. Or maybe we could
add PAWS checks, although that would increase the conntrack size by
another 8 bytes.

Krzysztof, does the problem disappear if you use something like 30 s for
the TIME_WAIT timeout?
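The reopen decision discussed in this thread, as an added example that is not part of the original message and is not conntrack's own code: a simplified model of the strict ISN check and of a PAWS-style relaxation. The struct layout, function names and timestamp values are assumptions; the sequence numbers are the two cases quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe "a is after b" for 32-bit TCP sequence numbers and timestamps. */
static int seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(b - a) < 0;
}

/* Hypothetical state remembered for a connection in TIME_WAIT (not conntrack's layout). */
struct tw_state {
    uint32_t max_seq;   /* largest sequence number used in the previous session */
    uint32_t ts_recent; /* last TCP timestamp value seen from the client */
};

/* Sequence numbers are the two cases from the thread; timestamps are constructed. */
static const struct tw_state EX1 = { 3235585701u, 1000u };
static const struct tw_state EX2 = { 3536556183u, 1000u };
/* Constructed case: previous session ended just below the 2^32 wrap. */
static const struct tw_state WRAP = { 4294967000u, 1000u };

/* Strict rule: a new SYN may reopen the connection only if its ISN is after max_seq. */
static int reopen_strict(const struct tw_state *tw, uint32_t isn)
{
    return seq_after(isn, tw->max_seq);
}

/* PAWS-style relaxation: also accept a SYN whose timestamp is newer than ts_recent. */
static int reopen_paws(const struct tw_state *tw, uint32_t isn, uint32_t tsval)
{
    return reopen_strict(tw, isn) || seq_after(tsval, tw->ts_recent);
}

int main(void)
{
    printf("ex1 strict: %d\n", reopen_strict(&EX1, 2494249856u));
    printf("ex2 strict: %d\n", reopen_strict(&EX2, 3521103209u));
    printf("wrap strict: %d\n", reopen_strict(&WRAP, 500u));
    printf("ex1 paws, newer ts: %d\n", reopen_paws(&EX1, 2494249856u, 2000u));
    printf("ex1 paws, older ts: %d\n", reopen_paws(&EX1, 2494249856u, 900u));
    return 0;
}
```

Both quoted cases fail the strict check, while an ISN that has wrapped past 2^32 still passes it; the timestamp comparison separates a fresh SYN from a stale one when the ISN alone does not.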