Jozsef Kadlecsik wrote:
> Without TCP window tracking in conntrack, *any* RST segment (with proper
> src/dst ip/port, of course) would destroy the conntrack entry. With window
> tracking enabled (the default) we can maintain a window of the sequence
> numbers which are accepted and processed by conntrack. Due to the fact
> that the firewall sits in the middle and packets which have been seen by
> the firewall may get lost or even reordered in transit to the destination,
> it is impossible to calculate the *exact* window sizes of the two end
> points. Therefore the window in conntrack is wider and conntrack may process
> packets which otherwise are outside of the window of the receiver.

Is this the same reason why the window tracking accepts pure acks without
checking the sequence?
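An added illustration of the window tracking described in the quoted reply (example code written for this thread, not the netfilter kernel code): a simplified model of the four-condition seq/ack window check that nf_conntrack's TCP tracker is modelled on, with a constructed connection state. Window scaling, SACK and 32-bit sequence wraparound are ignored, and `MAXACKWINDOW` is a constructed constant.

```python
from dataclasses import dataclass

MAXACKWINDOW = 66000  # constructed: slack allowed below the newest data end for acks


@dataclass
class Side:
    end: int     # highest seq+len the firewall has seen this side send
    maxend: int  # highest ack+win the peer has offered this side (seq upper bound)
    maxwin: int  # largest receive window this side has advertised


def tcp_in_window(sender, receiver, seq, ack, payload, syn=False, fin=False):
    """Accept a segment only if seq and ack fall into the tracked windows.

    I.   seq may not exceed what the peer allowed:     seq <= sender.maxend
    II.  data may not lie entirely below the window:   end >= sender.end - receiver.maxwin
    III. ack may not acknowledge unseen data:          ack <= receiver.end
    IV.  ack may not be absurdly old:                  ack >= receiver.end - MAXACKWINDOW
    Plain integers are used; real sequence numbers wrap modulo 2**32.
    """
    end = seq + payload + int(syn) + int(fin)
    return (seq <= sender.maxend
            and end >= sender.end - receiver.maxwin
            and receiver.end - MAXACKWINDOW <= ack <= receiver.end)


def track(sender, receiver, seq, ack, win, payload, syn=False, fin=False):
    """Update tracked state for a segment the firewall has forwarded."""
    end = seq + payload + int(syn) + int(fin)
    sender.maxwin = max(sender.maxwin, win)
    sender.end = max(sender.end, end)
    receiver.maxend = max(receiver.maxend, ack + win)


def scenario():
    """Constructed established connection: client seq 1000, server seq 5000,
    both advertising a 65535-byte window. Returns the verdict per segment."""
    client = Side(end=1000, maxend=1000 + 65535, maxwin=65535)
    server = Side(end=5000, maxend=5000 + 65535, maxwin=65535)
    verdicts = {}
    # 1. client sends 500 bytes; the firewall forwards them, the server never gets them
    verdicts["data"] = tcp_in_window(client, server, 1000, 5000, 500)
    track(client, server, 1000, 5000, 65535, 500)
    # 2. retransmission of the same bytes: client.end is already 1500, but condition II
    #    keeps the segment inside the tracked window, which is wider than the receiver's
    verdicts["retransmit"] = tcp_in_window(client, server, 1000, 5000, 500)
    # 3. RST with correct addresses/ports but a far-off seq: rejected by condition I,
    #    whereas without window tracking it would have destroyed the entry
    verdicts["far_rst"] = tcp_in_window(client, server, 9_000_000, 5000, 0)
    # 4. RST at the next expected sequence number: accepted
    verdicts["in_window_rst"] = tcp_in_window(client, server, 1500, 5000, 0)
    return verdicts
```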