Thanks Jan for your answer - I still have some questions, below.

On May 7, 2010 12:55:44 am Jan Engelhardt wrote:
> On Friday 2010-05-07 01:51, Richard Feng wrote:
>
> >Hi,
> >
> >However, the connection is still active - is this the correct behaviour?
>
> Yes.

So 'conntrack -D' cannot really cut current connections? It can only delete the entry from the state table? I just want to make sure - the document "http://conntrack-tools.netfilter.org/manual.html#conntrack" clearly says "Delete on entry, this can be used to block traffic (you have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".

> >From the documentation (from conntrack-tools.netfilter.org), somewhere it says
> >that "have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
> >zero". There is simply no 'netfilter' folder under my
> >folder '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>
> Upgrading to a newer kernel (you're probably running some stoneage
> thing).

Thank you for your pointer in a later reply - I found it now at /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal. And it was set to "0".

Regards,
Richard
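The thread above establishes two things a practitioner needs before using 'conntrack -D' to cut a connection: the be_liberal sysctl must be 0, and it lives at /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal on current kernels (the older /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal path from the manual no longer exists). The script below is an added example, not from the thread or from conntrack-tools: it locates the sysctl under either path, refuses to proceed unless it reads 0, and makes sure the firewall actually has rules that drop what conntrack will now reject. Deleting the entry only edits the state table; it is the iptables rules consulting that table that drop packets. The INVALID drop rule and the rule dropping NEW TCP packets without SYN (the latter is a standard hardening rule added here beyond what the thread says, so that a mid-stream packet cannot simply re-create the entry) are assumptions about the desired ruleset, the helper names (find_be_liberal, be_liberal_is_zero, ensure_rule, kill_tcp_flow) are hypothetical, and the optional /proc/sys root argument exists only so the sysctl lookup can be exercised against a fake directory tree without root.

```shell
#!/bin/sh
# Added example (not the thread's or conntrack-tools' own code): check the
# preconditions for blocking a live TCP flow by deleting its conntrack entry.

# Locate the be_liberal sysctl. Tries the current nf_conntrack path first,
# then the old ipv4-only path quoted in the manual. $1 optionally overrides
# the /proc/sys root (hypothetical knob, used to test against a fake tree).
find_be_liberal() {
    root="${1:-/proc/sys}"
    for p in "$root/net/netfilter/nf_conntrack_tcp_be_liberal" \
             "$root/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal"; do
        if [ -r "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Succeeds only when be_liberal is 0 (strict TCP window tracking), which is
# the setting the conntrack-tools manual requires for delete-to-block.
be_liberal_is_zero() {
    p=$(find_be_liberal "$1") || return 1
    [ "$(cat "$p")" = "0" ]
}

# Insert a rule into a chain unless it is already present (iptables -C checks,
# -I inserts at the top). Hypothetical helper; needs root to do anything.
ensure_rule() {
    chain="$1"; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# Cut one TCP flow, identified by original-direction src, dst and dest port.
kill_tcp_flow() {
    src="$1"; dst="$2"; dport="$3"

    if ! be_liberal_is_zero; then
        echo "nf_conntrack_tcp_be_liberal is not 0: deleting the entry will not block the flow" >&2
        return 1
    fi

    # conntrack -D only touches the table. Without these rules the firewall
    # keeps passing packets that conntrack now classifies as INVALID or as a
    # NEW connection that never sent a SYN, and the connection stays alive.
    for chain in INPUT FORWARD; do
        ensure_rule "$chain" -m conntrack --ctstate INVALID -j DROP
        ensure_rule "$chain" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    done

    # Now the deletion has teeth: the flow's next packet is dropped.
    conntrack -D -p tcp --orig-src "$src" --orig-dst "$dst" --dport "$dport"
}

# Only act when explicitly asked, e.g.:  sh kill-flow.sh --kill 10.0.0.5 10.0.0.1 22
case "${1:-}" in
    --kill) shift; kill_tcp_flow "$@" ;;
esac
```

Run it as root with --kill and the flow's original-direction addresses and port; with no arguments it only defines the functions. The sysctl check is deliberately a hard stop rather than a warning, because with be_liberal at 1 the deletion succeeds yet the traffic is not blocked, which is exactly the confusing result the thread started from.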