Jan Engelhardt wrote:
> On Friday 2010-05-07 21:14, Pablo Neira Ayuso wrote:
>>>> The documentation seems to be off here. If you only delete a ct
>>>> entry, the next packet (even if a TCP ACK or something) will make
>>>> a new ct with NEW as a ctstate.
>>>>
>>>> To really have a TCP/SCTP connection blocked after deletion of the ct
>>>> entry, you have to only allow NEW ctstates with the initial TCP/SCTP
>>>> packet (SYN/INIT).

Jan made an interesting point. TCP conntrack has a liberal/strict sysctl, but I do not see any for SCTP conntrack. If I'm not mistaken, is SCTP conntrack of the liberal or strict kind?

>>> Yes, you need a well-formed stateful rule-set "to cut" the connection
>>> (at least you have to add a rule to block traffic in INVALID stats).
>> With "stats" I meant "state", and liberal tracking must be disabled as said.
>
> Which is the default anyway. :-)
>
> I think what was really meant was tcp_loose, not tcp_be_liberal.

In my understanding, tcp_loose only allows conntrack to pick up connections from the middle, but packets are still INVALID until the required number of packets is seen and accepted. Am I wrong?
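As an added example (not part of the thread), the kind of stateful INPUT ruleset the discussion calls for: INVALID is dropped, NEW is honoured only for a pure TCP SYN or a lone SCTP INIT chunk, and tcp_loose is switched off so conntrack does not adopt mid-stream packets after a ct entry has been deleted. The `gen_rules`/`run_rules` helpers, the `APPLY` switch and the sample port are my constructs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emit (or, with APPLY=1,
# apply) a minimal stateful INPUT ruleset that really cuts a connection once
# its conntrack entry is gone. Port 22 is a constructed sample value.

# Print the rules for one service port on stdout.
gen_rules() {
    port="$1"
    cat <<EOF
# Do not let conntrack pick up TCP flows from the middle (kernel default is 1).
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
# Keep strict window tracking (0 is already the default, stated explicitly).
sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=0
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot place in a tracked flow are dropped first.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NEW is accepted only for a genuine opening packet: SYN set, ACK/RST/FIN clear.
iptables -A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT
# SCTP equivalent: a packet carrying nothing but an INIT chunk.
iptables -A INPUT -p sctp --dport $port -m sctp --chunk-types only INIT -m conntrack --ctstate NEW -j ACCEPT
# Any other NEW packet (e.g. a bare ACK after the ct entry was deleted) hits the DROP policy.
EOF
}

# Dry-run by default; APPLY=1 feeds the generated commands to sh -e (needs root).
run_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_rules "$1" | sh -e
    else
        gen_rules "$1"
    fi
}

run_rules "${1:-22}"
```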