> > Log the INVALID packets. Also, it'd be good if you could capture them by
> > tcpdump (please use the -Sv options at least).
> >
>
> just discovered that if ip_conntrack_tcp_be_liberal is set to 1, my
> problem also goes away.

If you set /proc/sys/net/netfilter/nf_conntrack_log_invalid to 1 and check dmesg after some invalid packets are dropped, you might get some more output about how the packets are judged invalid.
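To make the dmesg output suggested above easier to read, the following added example (not part of the original message) tallies conntrack's invalid-packet log lines by reason and address pair. The function names, the sample lines and the assumed line layout are constructed for illustration; the exact message text varies by kernel version.

```shell
#!/bin/sh
# Added example. On a live host, logging is enabled first (as root) with the
# setting named in the reply, and the function then reads dmesg:
#   echo 1 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
#   dmesg | summarize_invalid

# Print "count|tracker|reason|src|dst", most frequent first.
# Assumption: each message is "nf_ct_<proto>: <reason> IN=... SRC=... DST=...".
summarize_invalid() {
    awk '
    {
        p = match($0, /nf_ct_[a-z0-9]+: /)
        if (!p) next                          # not a conntrack message
        tracker = substr($0, p, RLENGTH - 2)  # e.g. nf_ct_tcp
        rest = substr($0, p + RLENGTH)
        q = index(rest, " IN=")
        reason = q ? substr(rest, 1, q - 1) : rest
        sub(/ +$/, "", reason)
        src = "?"; dst = "?"
        n = split(rest, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^SRC=/) src = substr(f[i], 5)
            if (f[i] ~ /^DST=/) dst = substr(f[i], 5)
        }
        count[tracker "|" reason "|" src "|" dst]++
    }
    END { for (k in count) print count[k] "|" k }
    ' | LC_ALL=C sort -t "|" -k1,1nr -k2
}

# Constructed sample input (documentation addresses, not a real capture).
sample_dmesg() {
    cat <<'EOF'
[  101.000001] nf_ct_tcp: invalid packet ignored IN= OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=443 DPT=51514 SEQ=1000 ACK=2000 WINDOW=501 ACK URGP=0
[  101.200000] nf_ct_tcp: invalid packet ignored IN= OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=443 DPT=51514 SEQ=1000 ACK=2000 WINDOW=501 ACK URGP=0
[  102.500000] nf_ct_tcp: bad TCP checksum IN= OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=80 DPT=40000 SEQ=1 ACK=1 WINDOW=64 ACK URGP=0
[  103.000000] eth0: link up
EOF
}

sample_dmesg | summarize_invalid
```

A reason that dominates the tally for one address pair is the one to compare against the tcpdump -Sv capture of the same flow.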