On Tue, Jul 29, 2008 at 02:30:14PM +0200, Jozsef Kadlecsik wrote:
>
> We always approximate the state of the sender from the packet it sends. As
> packets can be lost in transit (i.e. we see a packet but it'll be lost), we
> cannot say for sure every time which is the actual state of *both* of the
> parties. Therefore we do not even attempt to track both states.

No, I'm not suggesting that your state must be equal to that of each side;
what I'm saying is that the TCP state machine is fundamentally divided into
two directions. If you're going to track state at all you need to track both
directions separately. Otherwise the state transitions are simply bogus.

For example, TIME_WAIT is a state that only makes sense if you look at a
given direction. The other direction may well still be ESTABLISHED.

As it is, netfilter will lower the timeout when only a single direction has
been shut down, thus causing the connection to be prematurely killed.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
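As an added illustration, not part of this thread and not netfilter's conntrack code, the following toy Python model walks through the half-close case the message describes: one side sends FIN while the other keeps sending data. A single-state tracker drops to a short timeout at the first FIN; a per-direction tracker keeps the long timeout until both directions are closed, and can additionally flag data arriving on a direction that has already finished closing. The state names, the `ack_fin` flag and both timeout values are assumptions of this model, chosen only to make the difference visible.

```python
"""Toy model: single-state vs per-direction TCP tracking on a half-close.

Timeouts and state names are illustrative assumptions, not netfilter's.
"""
from dataclasses import dataclass

ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # assumed: long idle timeout while data may flow
CLOSING_TIMEOUT = 120                # assumed: short timeout once closing is done


@dataclass
class Segment:
    """A constructed TCP segment seen by the tracker (only the bits that matter)."""
    src: str            # "A" or "B", the sending endpoint
    fin: bool = False   # this segment carries FIN
    ack_fin: bool = False  # this segment acknowledges the peer's FIN (toy flag)
    data: bool = False  # this segment carries payload


class SingleStateTracker:
    """One state for the whole connection: the first FIN from either side
    moves it to CLOSING and shortens the timeout, whatever the other
    direction is doing."""

    def __init__(self):
        self.state = "ESTABLISHED"

    def observe(self, seg: Segment) -> str:
        if seg.fin:
            self.state = "CLOSING"
        return self.state

    def timeout(self) -> int:
        return ESTABLISHED_TIMEOUT if self.state == "ESTABLISHED" else CLOSING_TIMEOUT


class PerDirectionTracker:
    """One state per direction. A direction goes ESTABLISHED -> FIN_WAIT on
    its own FIN and FIN_WAIT -> CLOSED when the peer acknowledges that FIN.
    The connection keeps the long timeout while any direction is still open."""

    def __init__(self):
        self.state = {"A": "ESTABLISHED", "B": "ESTABLISHED"}

    def observe(self, seg: Segment) -> dict:
        peer = "B" if seg.src == "A" else "A"
        if seg.fin:
            self.state[seg.src] = "FIN_WAIT"
        if seg.ack_fin and self.state[peer] == "FIN_WAIT":
            self.state[peer] = "CLOSED"
        return dict(self.state)

    def is_valid(self, seg: Segment) -> bool:
        """Payload on a direction that has already closed is out of state;
        a per-direction tracker can see that, a single-state one cannot."""
        return not (seg.data and self.state[seg.src] == "CLOSED")

    def timeout(self) -> int:
        if all(s == "CLOSED" for s in self.state.values()):
            return CLOSING_TIMEOUT
        return ESTABLISHED_TIMEOUT


def half_close_trace() -> list:
    """Constructed trace: A shuts its direction, B keeps sending, then B closes."""
    return [
        Segment("A", fin=True),        # A -> B: FIN
        Segment("B", ack_fin=True),    # B -> A: ACK of A's FIN
        Segment("B", data=True),       # B -> A: still sending data
        Segment("B", data=True),
        Segment("B", fin=True),        # B -> A: FIN
        Segment("A", ack_fin=True),    # A -> B: ACK of B's FIN
    ]


def timeouts_after_each(segments: list) -> list:
    """Return (single_state_timeout, per_direction_timeout) after every segment."""
    single, per_dir = SingleStateTracker(), PerDirectionTracker()
    rows = []
    for seg in segments:
        single.observe(seg)
        per_dir.observe(seg)
        rows.append((single.timeout(), per_dir.timeout()))
    return rows


if __name__ == "__main__":
    for i, (s, p) in enumerate(timeouts_after_each(half_close_trace())):
        print(f"after segment {i}: single-state timeout={s:>6}s  per-direction timeout={p:>6}s")
```

Running it shows the single-state tracker at the short timeout from segment 0 onward, while the per-direction tracker only reaches it at the last segment, after both FINs have been acknowledged; in between, B's data segments are still in state and would be dropped by a single-state tracker that had already expired the entry.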