If 'nf_conntrack_tcp_loose' is off (the default), tcp packets that are outside of the current window are marked as INVALID. nf/iptables rulesets often drop such packets via 'ct state invalid' or similar checks.

For overly delayed acks, this can be a nuisance if such 'invalid' packets are also logged.

Since they are not invalid in a strict sense, just ignore them, i.e. conntrack won't extend timeout or change state so that they do not match invalid state rules anymore.

This also avoids unwanted connection stalls in case conntrack considers retransmission (of data that did not reach the peer) as too old.

Florian Westphal (4):
  netfilter: conntrack: remove pr_debug callsites from tcp tracker
  netfilter: conntrack: prepare tcp_in_window for tristate return value
  netfilter: conntrack: ignore overly delayed tcp packets
  netfilter: conntrack: remove unneeded indent level

 net/netfilter/nf_conntrack_proto_tcp.c | 257 ++++++++++++-------------
 1 file changed, 119 insertions(+), 138 deletions(-)

-- 
2.34.1
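Added illustration (not code from this series or from the kernel): a simplified userspace model of the accept / ignore / invalid tristate the cover letter describes, showing why an "ignored" segment neither advances tracking state nor ends up matching a 'ct state invalid' rule. The struct fields, the "at most one extra receiver window behind" bound used to decide what counts as overly delayed, and the scenario values are assumptions of this model, not the logic of tcp_in_window().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tristate verdict for a tracked TCP segment. Simplified model for
 * illustration only; names, bounds and scenario are assumptions, not the
 * kernel's tcp_in_window() logic. */
enum tcp_track_action {
    TRACK_ACCEPT,  /* in window: advance tracking state */
    TRACK_IGNORE,  /* overly delayed: leave state alone, never 'ct state invalid' */
    TRACK_INVALID  /* outside the window: matches 'ct state invalid' rules */
};

/* Per-direction tracking state (assumed layout). */
struct tcp_dir {
    uint32_t end;    /* highest seq + len seen from this side */
    uint32_t maxend; /* right edge the peer will accept from this side */
    uint32_t maxwin; /* largest window this side has advertised */
};

/* Modular sequence comparisons so 32-bit wraparound is handled. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

/* Classify one segment sent by 'sender'. Only ACCEPT mutates state. */
enum tcp_track_action tcp_track_segment(struct tcp_dir *sender,
                                        const struct tcp_dir *receiver,
                                        uint32_t seq, uint32_t len)
{
    uint32_t seq_end = seq + len;
    /* Oldest byte the receiver could still be waiting for. */
    uint32_t left = sender->end - receiver->maxwin;

    if (!seq_before(seq_end, left) && !seq_after(seq, sender->maxend)) {
        if (seq_after(seq_end, sender->end))
            sender->end = seq_end;
        return TRACK_ACCEPT;
    }

    /* Entirely behind the window, but by less than one more receiver window:
     * a late retransmit or delayed ack. Ignore it instead of marking INVALID
     * (the "one extra window" bound is an assumption of this model). */
    if (seq_before(seq_end, left) && !seq_before(seq_end, left - receiver->maxwin))
        return TRACK_IGNORE;

    return TRACK_INVALID;
}

/* What a typical 'ct state invalid drop' ruleset would see for each verdict. */
const char *ruleset_effect(enum tcp_track_action a)
{
    switch (a) {
    case TRACK_ACCEPT:  return "accepted, tracking state advanced";
    case TRACK_IGNORE:  return "ignored, state untouched, no 'invalid' match";
    default:            return "INVALID, would hit 'ct state invalid drop/log'";
    }
}

/* Constructed scenario: replay the first 'steps' segments and return the
 * verdict of the last one replayed. */
enum tcp_track_action scenario_verdict(int steps)
{
    struct tcp_dir sender   = { .end = 100000, .maxend = 108192, .maxwin = 8192 };
    struct tcp_dir receiver = { .end = 500000, .maxend = 508192, .maxwin = 8192 };
    static const struct { uint32_t seq, len; } segs[] = {
        { 100000, 100 },  /* in-window data */
        {  90000, 100 },  /* overly delayed retransmit */
        {  91900, 100 },  /* straddles the left edge */
        {  50000, 100 },  /* far too old */
        { 200000,  10 },  /* beyond the right edge */
    };
    enum tcp_track_action res = TRACK_INVALID;
    for (int i = 0; i < steps && i < 5; i++)
        res = tcp_track_segment(&sender, &receiver, segs[i].seq, segs[i].len);
    return res;
}

/* Sequence-number wraparound: a segment ending exactly at 0 is still in window. */
enum tcp_track_action wraparound_verdict(void)
{
    struct tcp_dir sender   = { .end = 50, .maxend = 8242, .maxwin = 8192 };
    struct tcp_dir receiver = { .end = 7000, .maxend = 15192, .maxwin = 8192 };
    return tcp_track_segment(&sender, &receiver, 0xFFFFFFF0u, 16);
}

int main(void)
{
    for (int i = 1; i <= 5; i++)
        printf("segment %d: %s\n", i, ruleset_effect(scenario_verdict(i)));
    printf("wraparound: %s\n", ruleset_effect(wraparound_verdict()));
    return 0;
}
```

The second segment in the scenario is the case the series is about: it is behind the window, so before this change it would have been flagged INVALID and shown up in 'ct state invalid' logs, but it is close enough to be a plain late retransmit, so the model ignores it and leaves the tracked window alone. The fourth and fifth segments stay INVALID, so a ruleset dropping invalid state still sees genuinely out-of-window traffic.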