Re: [RFD,patch] ICMP echo conntrack timeout

Pablo Neira Ayuso wrote:
> > I think it would be better to keep the default timeout of
> > nf_ct_icmp_timeout even after the echo reply is received. Feel free
> > to correct me why early deleting of ICMP conntrack entries is needed,
> > or consider applying the following patch.
>
> The only problem that I see is that your patch relaxes the current
> checking that we're doing. I mean, for every packet in one direction we
> only accept one ICMP reply packet. With your patch, we can accept more
> than one packet in the reply direction.

That's the intention, isn't it? :) I don't see a problem with this,
conntrack is supposed to accept valid responses and I don't think
it's unreasonable to consider duplicate echo-replies as valid.
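The two behaviours the thread compares, as an added user-space model (not the patch under discussion and not kernel code): a "strict" policy that expects exactly one echo reply per request and drops the entry once all replies are in, versus the "relaxed" policy proposed above, where the entry simply lives out nf_ct_icmp_timeout and duplicate replies are accepted while it exists. The entry key (src, dst, ICMP id), the 30-second timeout and the packet trace are assumptions constructed for the example.

```python
"""Toy user-space model of ICMP echo connection tracking.

Added illustration, not kernel code: it models only the two policies the
thread compares. Entries are keyed on (src, dst, icmp id), roughly the
kernel's ICMP tuple; sequence numbers are ignored, as the kernel ignores
them too. The timeout is an assumption chosen to mirror the usual
nf_ct_icmp_timeout default of 30 seconds.
"""
from dataclasses import dataclass

ECHO_REQUEST = 8
ECHO_REPLY = 0
ICMP_TIMEOUT = 30.0  # seconds (assumed default)


@dataclass
class Entry:
    expires_at: float
    outstanding: int = 0     # echo requests not yet answered (strict policy)
    seen_reply: bool = False


class IcmpConntrack:
    """policy='strict': one reply per request, entry dropped when all answered.
    policy='relaxed': entry lives for the full timeout, duplicate replies OK."""

    def __init__(self, policy: str, timeout: float = ICMP_TIMEOUT):
        if policy not in ("strict", "relaxed"):
            raise ValueError(policy)
        self.policy = policy
        self.timeout = timeout
        self.table: dict[tuple, Entry] = {}

    def _expire(self, now: float) -> None:
        # Drop entries whose timeout has elapsed before looking anything up.
        for key in [k for k, e in self.table.items() if e.expires_at <= now]:
            del self.table[key]

    def packet(self, now: float, src: str, dst: str, icmp_type: int, ident: int) -> str:
        """Return the conntrack verdict for one packet: NEW, ESTABLISHED or INVALID."""
        self._expire(now)
        if icmp_type == ECHO_REQUEST:
            key = (src, dst, ident)
            entry = self.table.get(key)
            if entry is None:
                entry = self.table[key] = Entry(expires_at=now + self.timeout)
            entry.expires_at = now + self.timeout   # original direction refreshes
            entry.outstanding += 1
            return "ESTABLISHED" if entry.seen_reply else "NEW"
        if icmp_type == ECHO_REPLY:
            key = (dst, src, ident)                  # reply matches the reversed tuple
            entry = self.table.get(key)
            if entry is None:
                return "INVALID"                     # no request outstanding, or timed out
            entry.seen_reply = True
            if self.policy == "strict":
                entry.outstanding -= 1
                if entry.outstanding == 0:
                    del self.table[key]              # all expected replies seen: kill entry
            return "ESTABLISHED"
        return "INVALID"


def run_scenario(policy: str) -> list[str]:
    """Constructed trace: one request, its reply duplicated on the path,
    then a stray reply long after the timeout."""
    ct = IcmpConntrack(policy)
    trace = [
        (0.0, "10.0.0.1", "10.0.0.2", ECHO_REQUEST, 0x1234),
        (0.1, "10.0.0.2", "10.0.0.1", ECHO_REPLY, 0x1234),
        (0.2, "10.0.0.2", "10.0.0.1", ECHO_REPLY, 0x1234),   # duplicate reply
        (45.0, "10.0.0.2", "10.0.0.1", ECHO_REPLY, 0x1234),  # after the timeout
    ]
    return [ct.packet(*pkt) for pkt in trace]


if __name__ == "__main__":
    for policy in ("strict", "relaxed"):
        print(policy, run_scenario(policy))
```

Under the strict policy the duplicated reply is INVALID, so a ruleset that drops INVALID would discard it; under the relaxed policy it is ESTABLISHED for as long as the entry lives, and only the reply arriving after the timeout is refused. That is the trade-off the message above is weighing.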


