Hi,

one question about that:
How can the host receive the SYN packet (and afterwards send the RST), if conntrack does not support TCP simultaneous open?

Thanks
Christoph

On Sat May 30 2009 wrote Jozsef Kadlecsik:
> [Back to your original mail.]
>
> Netfilter conntrack/NAT does *not* generate any kind of packet. If you see
> RST segments, those are then sent by the receiver of the SYN packet
> because there's no open socket yet.
>
> You can successfully build up simultaneous open connections only if you
> use good timings: both hosts send the initial SYNs *before* the SYN from
> the other side is delivered to them. Or, intentionally ignore (drop) the
> RST segments.
>
> Adding TCP simultaneous open support to netfilter conntrack is not hard
> but needs more testing before release.
>
> Best regards,
> Jozsef

--
Christoph Paasch

www.rollerbulls.be
--
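The timing condition from the quoted reply, as an added example that is not part of the original mail or of netfilter: a constructed model of the end-host handshake rules in RFC 793 only, run for SYNs that cross in flight, for a late second SYN, and for the same late SYN with RSTs dropped. Assumptions of the sketch: hosts named A and B, a fixed one-way latency, no conntrack/NAT in the path, no retransmission, and a REFUSED state standing in for a failed connect().

```python
import heapq

# End-host TCP handshake rules from RFC 793, reduced to what the reply discusses.
# Constructed model: no conntrack/NAT, no retransmission, fixed one-way latency.
CLOSED, SYN_SENT, SYN_RCVD, ESTABLISHED, REFUSED = (
    "CLOSED", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "REFUSED")

def receive(state, seg, drop_rst=False):
    """Return (new_state, reply or None) for a host in `state` receiving `seg`."""
    if seg == "RST":
        if drop_rst or state not in (SYN_SENT, SYN_RCVD):
            return state, None            # RST filtered, or nothing to reset
        return REFUSED, None              # pending connect() is reset
    if seg == "SYN":
        if state in (CLOSED, REFUSED):
            return state, "RST"           # no open socket yet: receiver answers RST
        if state == SYN_SENT:
            return SYN_RCVD, "SYN-ACK"    # simultaneous open
        return state, None
    if seg == "SYN-ACK" and state in (SYN_SENT, SYN_RCVD):
        return ESTABLISHED, "ACK"
    if seg == "ACK" and state == SYN_RCVD:
        return ESTABLISHED, None
    return state, None

def simulate(connect_a, connect_b, latency=10, drop_rst=False):
    """Both hosts call connect() at the given times; return their final states."""
    state = {"A": CLOSED, "B": CLOSED}
    peer = {"A": "B", "B": "A"}
    events = [(connect_a, 0, "A", "connect"), (connect_b, 1, "B", "connect")]
    heapq.heapify(events)
    order = 2                             # unique tie-breaker for the heap
    while events:
        t, _, host, what = heapq.heappop(events)
        if what == "connect":
            state[host], reply = SYN_SENT, "SYN"
        else:
            state[host], reply = receive(state[host], what, drop_rst)
        if reply:
            heapq.heappush(events, (t + latency, order, peer[host], reply))
            order += 1
    return state["A"], state["B"]

if __name__ == "__main__":
    print(simulate(0, 5))                  # SYNs cross in flight
    print(simulate(0, 50))                 # B's socket opens too late
    print(simulate(0, 50, drop_rst=True))  # same timing, RSTs dropped
```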