On Sun, 2 Oct 2005, Jozsef Kadlecsik wrote: > On Sun, 2 Oct 2005, Henrik Nordstrom wrote: > > > On Sun, 2 Oct 2005, Jozsef Kadlecsik wrote: > > > > > If a FIN receives which does not belong to any existing connection in > > > the conntrack table, which state should we assign to the "new" connection > > > "established" by the FIN? Was it the first FIN (half-closed session) or > > > the second FIN from the other direction? > > > > If you assume it's the second then it's a good approximation, and > > sufficient to push the TCP on the receiving host into a state from which > > there is a guaranteed timeout as it's then only waiting on itself to > > finish what it is doing. > > But that relies on the assumption that the receiver side wants to close > the session as well. If it enters the CLOSE_WAIT state instead, the > connection will hang anyway in spite of letting through the FIN and > assuming the LAST_ACK state. Hmmm, I must correct myself: the conntrack entry might get timed out, but then seeing the pure ACKs it picks up the connection again. Still: > However how would conntrack loose an (established) connection? Or are we > speaking of loading in conntrack "on the fly" when there are already > established connections flowing through the firewall? That's doable > but hairy and unreliable anyway due to the lost window scaling parameters. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary
