On Thu, Oct 20, 2016 at 11:00:49AM +0200, Arturo Borrero Gonzalez wrote:
> According to Mathew Heard, the IP_CT_TCP_FLAG_BE_LIBERAL
> is not being propagated properly while using userspace conntrackd to
> replicate connection states in a firewall cluster.
>
> This change modifies the behaviour of the engine to always be liberal in
> the reply direction if we were liberal in the original direction as well.
>
> More info in the Netfilter bugzilla:
> https://bugzilla.netfilter.org/show_bug.cgi?id=1087
>
> Suggested-by: Mathew Heard <mat999@xxxxxxxxx>
> Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxx>
> ---
> RFC: I don't fully understand this patch. Specifically, I don't understand
> why this can't be done from userspace, in conntrackd, when creating/updating
> synced conntracks. We could just set the new/updated conntrack with the flags
> we want, couldn't we?
>
> Also, I don't fully understand the consequences of doing this flags change
> in the middle of tcp_packet().
>
> So, please, review the patch and give us comments.

There is a 'TCPWindowTracking' option that you can set on from the
configuration file. Is that probably what Mathew needs?