On Friday 2010-05-07 18:17, Richard Feng wrote:

>>> From the documentation (from conntrack-tools.netfilter.org),
>>> somewhere it says that "have to set
>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>> zero". There is simply no 'netfilter' folder under my folder
>>> '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>
> So 'conntrack -D' can not really cut current connections? It can
> only delete entry from the state table? I just want to make sure -
> from the document
> "http://conntrack-tools.netfilter.org/manual.html#conntrack". It
> clearly said "Delete on entry, this can be used to block traffic
> (you have to set
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".

The documentation seems to be off here. If you only delete a ct entry,
the next packet (even if a TCP ACK or something) will make a new ct
with NEW as a ctstate. To really have a TCP/SCTP connection blocked
after deletion of the ct entry, you have to only allow NEW ctstates
with the initial TCP/SCTP packet (SYN/INIT).
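As an added example (not part of this thread, and not conntrack-tools' own documentation), the advice in the reply expressed as an nftables ruleset: a flow may enter the NEW state only via a packet carrying just the SYN flag, so a mid-stream ACK arriving after `conntrack -D` has removed the entry is dropped instead of re-creating the flow. The table and chain names are assumptions; the same logic applies to an iptables `--ctstate NEW` rule combined with `--tcp-flags`.

```nft
# Constructed example ruleset: load with `nft -f <file>` on a host whose
# kernel has conntrack enabled. Only TCP is covered; the SCTP case the
# reply mentions (INIT chunk) would need a matching chunk-type rule.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and packets that belong to a flow conntrack already knows.
        iif lo accept
        ct state established,related accept

        # Packets conntrack cannot fit into any flow (bad window, bad flags).
        ct state invalid drop

        # The only way to create a NEW conntrack entry: a proper three-way
        # handshake opener. The mask/compare keeps packets with SYN plus
        # ACK/FIN/RST set out, and a bare ACK (what the other side keeps
        # sending after `conntrack -D`) never matches, so it hits the
        # chain policy and is dropped rather than being picked up as NEW.
        ct state new tcp flags & (fin|syn|rst|ack) == syn accept

        # Anything else in state NEW (UDP, ICMP, ...) is outside this
        # example and falls through to the drop policy.
    }
}
```

With this loaded, `conntrack -D -p tcp --dport 22` (or any other selector) removes the entry and the peer's next data segment is discarded, which is the behaviour the manual attributes to deleting the entry on its own.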