Hi,

Tim Ritberg wrote:
>> For Netfilter connection tracking, a NEW TCP connection does not have to
>> start with a SYN packet. If
>> /proc/sys/net/netfilter/nf_conntrack_tcp_loose is set to 1 (default),
>> Netfilter will try to pick up the connection. By this means, it is possible
>> to recover a connection (in some fail-over case for example), but it
>> introduces this looking-weird-at-first behaviour.
>>
>> BR,
>> - --
>> Eric Leblond <eleblond@xxxxxx>
>
> because of that netfilter put it in INPUT-Chain?
> and I wonder why it occurs randomly.

These packets are often due to ghost connections:
- packet from a connection "closed" in the middle due to link failure
- packet from a connection opened by the people having the IP before you
- ...

> Should I switch to nf_conntrack_tcp_loose 0?

You can, there should be no problem with that.

BR,
--
Eric Leblond <eric@xxxxxx>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
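As an added example (not part of the thread above, nor code from Eric or the Netfilter project), the following shell script shows the two things a practitioner usually does with this setting: read the current value of nf_conntrack_tcp_loose to know whether conntrack is picking up mid-stream TCP, and print the commands that switch it to 0 persistently and add the companion rule that logs and drops TCP packets conntrack classifies as NEW but which carry no SYN flag (the "ghost connection" packets discussed above). The file path argument, the sysctl.d file name and the log prefix are assumptions chosen for this example; the default path is the real procfs entry named in the thread.

```shell
#!/bin/sh
# Added example: inspect and harden nf_conntrack_tcp_loose.
# Not from the original mailing-list post.

# Report how conntrack currently treats TCP packets with no matching entry.
# The path argument is an assumption so the function can be exercised against
# a constructed file; with no argument it reads the real procfs entry.
tcp_loose_state() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_tcp_loose}"
    [ -r "$f" ] || { echo "unavailable"; return 1; }
    case "$(cat "$f")" in
        1) echo "loose: conntrack picks up TCP mid-stream (non-SYN packets become NEW)" ;;
        0) echo "strict: a NEW TCP connection must begin with a SYN" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Emit the commands that make the strict setting persistent and add a
# log-then-drop pair for packets that are NEW to conntrack but not SYN.
# They are printed rather than executed so the script is safe to run for
# inspection; pipe the output through sh as root to apply it.
# The sysctl.d file name and the log prefix are assumed names for this example.
harden_commands() {
    cat <<'EOF'
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
printf 'net.netfilter.nf_conntrack_tcp_loose = 0\n' > /etc/sysctl.d/90-conntrack-strict.conf
iptables -I INPUT 1 -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "non-syn-new: "
iptables -I INPUT 2 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
}

# Stand-alone use: show the current state, then the hardening commands.
tcp_loose_state
harden_commands
```

The LOG rule is kept in front of the DROP so that the stray packets still show up in the kernel log; once the counter on that rule stops growing after a failover or an IP reassignment, the "random" INPUT hits described in the thread have stopped appearing.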