On Wednesday 2008-06-18 22:21, Jozsef Kadlecsik wrote:
>> Seriously, FIN packets should not be dropped, otherwise a connection
>> is lurking around until it times out.
>
>Absolutely true. FIN packets which are OK according to conntrack are
>marked as ESTABLISHED (or RELATED).

No, only connections that would have been NEW can be RELATED
(i.e. RELATED is an augmented NEW state), all other packets
are ESTABLISHED only, be it related or not.