On Wed, 20 May 2009, Philip Craig wrote:

> Jozsef Kadlecsik wrote:
> > Without TCP window tracking in conntrack, *any* RST segment (with proper
> > src/dst ip/port, of course) would destroy the conntrack entry. With window
> > tracking enabled (the default) we can maintain a window of the sequence
> > numbers which are accepted and processed by conntrack. Due to the fact
> > that the firewall sits in the middle and packets which have been seen by
> > the firewall may get lost or even reordered in transit to the destination,
> > it is impossible to calculate the *exact* window sizes of the two end
> > points. Therefore the window in conntrack is wider and conntrack may process
> > packets which otherwise are outside of the window of the receiver.
>
> Is this the same reason why the window tracking accepts pure acks
> without checking the sequence?

You mean, when the ack flag is not set in the packet, we handle it as if it
was set and had a proper ack field? What else could be done? :-)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
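To make the quoted point concrete, here is a deliberately simplified model of the widened acceptance window and of what it does to an RST. It is an added illustration, not code from the netfilter tree; the per-direction state (`end`, `maxwin`), the symmetric "one peer window behind and ahead" tolerance and the `track_data`/`handle_rst` helpers are assumptions chosen for the example, while `before()` mirrors the usual 32-bit modular sequence comparison.

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF

def before(a: int, b: int) -> bool:
    """a < b in 32-bit modular TCP sequence space (safe across wrap-around)."""
    return ((a - b) & SEQ_MASK) > 0x7FFFFFFF

@dataclass
class Side:
    end: int     # highest seq+len conntrack has seen from this side (assumed state)
    maxwin: int  # largest window the peer has advertised to this side (assumed state)

@dataclass
class Conn:
    orig: Side
    reply: Side
    alive: bool = True

def in_window(side: Side, seq: int, length: int) -> bool:
    """Widened window: the firewall cannot know the receiver's exact window
    (forwarded packets may be lost or reordered), so it tolerates one peer
    window behind the highest data seen and one peer window ahead of it."""
    lo = (side.end - side.maxwin) & SEQ_MASK
    hi = (side.end + side.maxwin) & SEQ_MASK
    seg_end = (seq + length) & SEQ_MASK
    return not before(seg_end, lo) and not before(hi, seq)

def track_data(conn: Conn, direction: str, seq: int, length: int) -> bool:
    """Process a data segment; returns False when it is outside the window."""
    side = getattr(conn, direction)
    if not in_window(side, seq, length):
        return False
    seg_end = (seq + length) & SEQ_MASK
    if before(side.end, seg_end):      # advance only for genuinely new data
        side.end = seg_end
    return True

def handle_rst(conn: Conn, direction: str, seq: int, window_tracking: bool = True) -> bool:
    """Without tracking any RST on the right 5-tuple kills the entry; with
    tracking only an in-window RST does. Returns True if the entry is gone."""
    if window_tracking and not in_window(getattr(conn, direction), seq, 0):
        return False
    conn.alive = False
    return True

if __name__ == "__main__":
    # Constructed sample state: client has sent up to seq 1000, peers advertise 64K windows.
    c = Conn(Side(end=1000, maxwin=65535), Side(end=5000, maxwin=65535))
    print("retransmit of lost data accepted:", track_data(c, "orig", 500, 100))
    print("far-off RST destroys entry:", handle_rst(c, "orig", 0x70000000))
```

The last two calls show the difference the thread describes: an old (possibly lost in transit) retransmission still passes, while an RST whose sequence number is nowhere near the tracked window is ignored instead of tearing the entry down.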