Ali Abdallah <ali.abdallah@xxxxxxxx> wrote:
> This patch adds a new sysctl tcp_ignore_invalid_rst to disable marking
> out of segments RSTs as INVALID.

Just for archives: I am not sure this is still needed after the recent
change, but I can see why it's desirable to keep NAT working even when
RST is invalid.

I think that the more fundamental problem is the inability to permit
setting a conntrack as INVALID while allowing NAT to work, i.e. move
drop decision to ruleset.

However, I see that this isn't easy to change. Therefore,

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>