Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>> Pablo Neira Ayuso wrote:
>>>>> I think it would be better to keep the default timeout of
>>>>> nf_ct_icmp_timeout even after the echo reply is received. Feel free
>>>>> to correct me why early deleting of ICMP conntrack entries is needed,
>>>>> or consider applying the following patch.
>>>> The only problem that I see is that your patch relaxes the current
>>>> checking that we're doing. I mean, for every packet in one direction we
>>>> only accept one ICMP reply packet. With your patch, we can accept more
>>>> than one packet in the reply direction.
>>> That's the intention, isn't it? :) I don't see a problem with this,
>>> conntrack is supposed to accept valid responses and I don't think
>>> it's unreasonable to consider duplicate echo-replies as valid.
>>
>> I only wanted to point out that with this patch we're doing more relaxed ICMP
>> tracking, but I'm fine with this.
>>
>> BTW, with this patch, we can add state synchronization in conntrackd for
>> ICMP (some bits are still missing to support this). This is something
>> that I don't particularly find very useful, but some people have
>> requested this.
>
> I guess this really helps for a "ping-demonstration" where you pull the
> plug and the ping keeps running :)

Indeed :). For some strange reason, this seems to be one of the very first
tests that people do to make sure that their HA firewall works.

--
"Honest people are social misfits" -- Les Luthiers
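The two behaviours being compared in the thread, modelled as a toy tracker so the difference is visible on a packet trace. This is an added illustration, not kernel code, not the patch under discussion and not conntrackd; the class and function names, the 30-second timeout value and the sample trace are all constructed assumptions.

```python
"""Toy model of ICMP echo conntrack lifetime (illustration only, not kernel code).

delete_on_reply=True  : entry is dropped as soon as the first echo reply
                        matches, so a duplicate reply no longer matches.
delete_on_reply=False : entry lives for the full timeout (refreshed on each
                        matched packet), so duplicate replies still match.
"""
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
NF_CT_ICMP_TIMEOUT = 30.0  # assumed default in seconds; check your sysctl


@dataclass
class Packet:
    t: float          # arrival time in seconds (constructed sample data)
    icmp_type: int
    ident: int        # echo identifier; sequence numbers are ignored here


@dataclass
class Entry:
    ident: int
    expires: float
    replies_seen: int = 0


class IcmpTracker:
    """Minimal echo-request / echo-reply tracker keyed on the echo identifier."""

    def __init__(self, delete_on_reply: bool, timeout: float = NF_CT_ICMP_TIMEOUT):
        self.delete_on_reply = delete_on_reply
        self.timeout = timeout
        self.table: dict[int, Entry] = {}

    def _expire(self, now: float) -> None:
        # Garbage-collect entries whose timeout has elapsed.
        for ident in [i for i, e in self.table.items() if e.expires <= now]:
            del self.table[ident]

    def handle(self, pkt: Packet) -> str:
        """Return 'NEW', 'ESTABLISHED' (matched reply) or 'INVALID'."""
        self._expire(pkt.t)
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.table[pkt.ident] = Entry(pkt.ident, pkt.t + self.timeout)
            return "NEW"
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            entry = self.table.get(pkt.ident)
            if entry is None:
                # Reply with no matching request in the table.
                return "INVALID"
            entry.replies_seen += 1
            if self.delete_on_reply:
                del self.table[pkt.ident]
            else:
                entry.expires = pkt.t + self.timeout  # refresh the timeout
            return "ESTABLISHED"
        return "INVALID"


# Constructed sample trace: one request, a duplicated reply, then a reply
# arriving well after the timeout window.
SAMPLE_TRACE = [
    Packet(0.0, ICMP_ECHO_REQUEST, ident=0x1234),
    Packet(0.1, ICMP_ECHO_REPLY, ident=0x1234),
    Packet(0.2, ICMP_ECHO_REPLY, ident=0x1234),   # duplicate reply
    Packet(45.0, ICMP_ECHO_REPLY, ident=0x1234),  # stale reply after timeout
]


def run(delete_on_reply: bool, trace=SAMPLE_TRACE) -> list:
    """Feed the trace through a fresh tracker and return the per-packet verdicts."""
    tracker = IcmpTracker(delete_on_reply)
    return [tracker.handle(p) for p in trace]


if __name__ == "__main__":
    print("delete on first reply:", run(True))
    print("keep until timeout:   ", run(False))
```

With the early-delete behaviour the duplicate reply at 0.2 s is INVALID; with the entry kept for the timeout it is ESTABLISHED, while the stale reply at 45 s is INVALID in both cases because the timeout still bounds the window.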