I would like to put in some words. Obviously the problem is in conntrack code. IMHO, to solve this issue the code should track the TCP sequence number and check its correctness on receiving a RST packet and on the following decision about removing the conntrack entry.

2009/5/21, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>:
>
> Because connlimit/connbytes rely on conntrack, the latter should be
> "fixed". However I do not see any way to make it resistant against such
> attacks: if we shrink the window (by which algorithm?) we may block valid
> RST segments and thus cause connections to hang instead of termination.
>
> Best regards,
> Jozsef

--
Best regards
Anatoly Muliarski
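The check Anatoly proposes and the trade-off Jozsef points out, as an added illustration that is not part of the thread and not netfilter's own code: a toy conntrack entry records, per endpoint, the next sequence number that endpoint expects (the highest ACK it has sent) and the window it last advertised, and tears the entry down on RST only when the RST's sequence number falls inside that window, in the spirit of the in-window test in RFC 5961 section 3.2. A `shrink` factor models narrowing the accepted window: it rejects more off-window RSTs but, exactly as Jozsef says, starts rejecting legitimate ones too. The `Segment` tuple, endpoint names and all packet values are constructed for this example; window scaling, SACK and the real tracker's per-direction bookkeeping are left out.

```python
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 1 << 32


def seq_in_window(seq: int, base: int, wnd: int) -> bool:
    """True if seq lies in [base, base + wnd) modulo 2^32.
    A zero window still accepts exactly base, as RFC 793 does."""
    off = (seq - base) % SEQ_MOD
    return off == 0 or off < wnd


@dataclass
class Peer:
    """What this endpoint expects to receive next, learned from the ACK
    number and window field it sent most recently."""
    rcv_nxt: Optional[int] = None
    rcv_wnd: int = 0


@dataclass
class Segment:
    """Constructed minimal view of a TCP header; flags is a string of S/A/R/F."""
    src: str
    seq: int
    ack: int
    window: int
    flags: str


class ConntrackEntry:
    """Tracks one TCP flow between endpoints a and b (hypothetical model).

    shrink divides the accepted RST window: 1 means 'use exactly what the
    receiving side advertised', larger values narrow it."""

    def __init__(self, a: str, b: str, shrink: int = 1):
        self.peers = {a: Peer(), b: Peer()}
        self.shrink = max(1, shrink)
        self.state = "ESTABLISHED"
        self.invalid_rst = 0

    def _receiver_of(self, src: str) -> Peer:
        (other,) = [p for p in self.peers if p != src]
        return self.peers[other]

    def handle(self, seg: Segment) -> str:
        if seg.src not in self.peers:
            return "INVALID"
        if self.state == "CLOSED":
            return "CLOSED"
        if "R" in seg.flags:
            rcv = self._receiver_of(seg.src)
            if rcv.rcv_nxt is None:
                # No ACK from the receiving side yet: nothing to validate against.
                self.invalid_rst += 1
                return "INVALID"
            accepted = max(1, rcv.rcv_wnd // self.shrink)
            if seq_in_window(seg.seq, rcv.rcv_nxt, accepted):
                self.state = "CLOSED"   # RST is where the receiver expects it
                return "CLOSED"
            self.invalid_rst += 1       # off-window RST: keep the entry
            return "INVALID"
        if "A" in seg.flags:
            me = self.peers[seg.src]
            me.rcv_nxt = seg.ack        # sender expects this seq next
            me.rcv_wnd = seg.window     # and will accept this many bytes
        return self.state


def _established(shrink: int = 1) -> ConntrackEntry:
    """Constructed flow: both sides have ACKed each other's data."""
    ct = ConntrackEntry("client", "server", shrink=shrink)
    ct.handle(Segment("client", seq=1000, ack=5000, window=65535, flags="A"))
    ct.handle(Segment("server", seq=5000, ack=1000, window=65535, flags="A"))
    return ct


def demo() -> dict:
    """An off-window RST keeps the entry; an in-window RST closes it."""
    ct = _established()
    out = {}
    out["off_window"] = ct.handle(Segment("server", seq=900000, ack=0, window=0, flags="R"))
    out["in_window"] = ct.handle(Segment("server", seq=5000, ack=0, window=0, flags="R"))
    out["invalid_count"] = ct.invalid_rst
    return out


def shrink_caveat() -> tuple:
    """The same legitimate RST, sent with 1000 bytes still in flight: accepted
    at the advertised window, rejected once the window is shrunk 100x."""
    results = []
    for shrink in (1, 100):
        ct = _established(shrink=shrink)
        results.append(ct.handle(Segment("server", seq=6000, ack=0, window=0, flags="R")))
    return tuple(results)


if __name__ == "__main__":
    print(demo())            # {'off_window': 'INVALID', 'in_window': 'CLOSED', 'invalid_count': 1}
    print(shrink_caveat())   # ('CLOSED', 'INVALID')
```

`shrink_caveat()` is the point of Jozsef's objection made concrete: the sender's RST carries its own SND.NXT, which may legitimately sit ahead of the receiver's RCV.NXT by the bytes in flight, so any window narrower than the one the receiver actually advertised has no safe value to pick, and a rejected legitimate RST leaves the conntrack entry (and whatever connlimit/connbytes counts on it) alive until it times out.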