Jan Engelhardt wrote:
> On Friday 2010-05-07 18:17, Richard Feng wrote:
>
>>>> From the documentation (from conntrack-tools.netfilter.org),
>>>> somewhere it says that "have to set
>>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>>> zero". There is simply no 'netfilter' folder under my folder
>>>> '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>
>> So 'conntrack -D' cannot really cut current connections? It can
>> only delete an entry from the state table? I just want to make sure -
>> from the document
>> "http://conntrack-tools.netfilter.org/manual.html#conntrack". It
>> clearly said "Delete on entry, this can be used to block traffic
>> (you have to set
>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".
>
> The documentation seems to be off here. If you only delete a ct
> entry, the next packet (even if a TCP ACK or something) will make
> a new ct with NEW as a ctstate.
>
> To really have a TCP/SCTP connection blocked after deletion of the ct
> entry, you have to only allow NEW ctstates with the initial TCP/SCTP
> packet (SYN/INIT).

Yes, you need a well-formed stateful rule-set "to cut" the connection
(at least you have to add a rule to block traffic in INVALID state).
Probably this is not clear enough in the doc. I can write a patch for
this or alternatively accept one.

Thank you for the comments.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
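The stateful rule-set the reply refers to, written out as an added example (not code from the thread or from conntrack-tools); it assumes iptables with the conntrack match, and by default only prints the commands (set IPT=iptables and CONNTRACK=conntrack to apply them as root).

```shell
#!/bin/sh
# Added example: a minimal stateful INPUT policy under which deleting a
# conntrack entry with `conntrack -D` really cuts the TCP flow. Without the
# INVALID drop and the "NEW must start with SYN" rule, the next ACK after the
# deletion is simply re-tracked as a NEW flow and the connection continues.
# Dry run by default: IPT expands to "echo iptables" so nothing is applied.
IPT="${IPT:-echo iptables}"
CONNTRACK="${CONNTRACK:-echo conntrack}"

# Ports on which new inbound TCP connections are accepted (assumption: SSH only).
ALLOWED_TCP_PORTS="22"

stateful_input_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Flows with a live conntrack entry keep working.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot attach to a known flow (mid-stream segments
    # with tcp_be_liberal at its default of 0) are dropped, not re-tracked.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # A NEW TCP flow is only acceptable when it begins with a SYN; a bare ACK
    # arriving after `conntrack -D` is NEW to the kernel, so it is dropped.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" --syn -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Cut one established TCP flow: with the rules above in place, its next
# packet no longer matches ESTABLISHED and is dropped as INVALID or non-SYN NEW.
# $1 = peer source address, $2 = local destination port
cut_connection() {
    $CONNTRACK -D -p tcp --src "$1" --dport "$2"
}

stateful_input_rules
```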