Pablo Neira Ayuso wrote:
Roman Fiedler wrote:
Thanks for the patch. When I played with the same problem at home I guessed that it was something to do with sequence numbers, and that setting tcp-liberal in a netlink test application is a workaround for the DROP. But I did not get it to the point where I could create a clean patch, because there were still some loose ends. Perhaps someone could help me fix some of these:

a) When conntrackd inserts the entries, does it also set liberal? If yes, is it correct that a failover via conntrackd would disable sequence number tracking for all existing entries?
Yes, this is the way it works for now, but it would be easy to make a patch so that it does not disable it. I'm going to prepare one now that conntrack-tools 0.9.14 is out. I'll let you know; you may want to help me with some testing.

BTW, conntrackd does not set to liberal other entries that already exist in the kernel (in case you have some active-active setup). So only the injected entries are set to liberal for now. I think this answers the second part of your question, right?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html