Re: conntrack-tools 0.9.14 can not block the connection

On Saturday 2010-05-08 22:33, Jozsef Kadlecsik wrote:

>On Fri, 7 May 2010, Pascal Hambourg wrote:
>
>> > I think what was really meant was tcp_loose, not tcp_be_liberal.
>> 
>> In my understanding, tcp_loose only allows conntrack to pick up
>> connections from the middle, but packets are still INVALID until the
>> required number of packets is seen and accepted. Am I wrong ?
>
>No, the packets are set to the usual states, there's no packet counting.
>
>With tcp_loose enabled (default) conntrack accepts non-SYN packets as 
>"NEW" ones, i.e. attempts to pick up connections from the middle.
>
>With tcp_be_liberal enabled (default is disabled) out of window packets 
>are not marked as INVALID.

And for grand completeness on the reader's behalf: an out-of-window 
packet cannot occur if there is no previous ct entry (for the same 
tcp connection) whose window values could be compared to see if 
there is an out-of-window condition.
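The behaviour discussed in this exchange, as an added example that is not part of the original thread or of the netfilter code base: a small Python model of the conntrack TCP decisions, reproducing tcp_new()'s pick-up rule and the data-sequence half of tcp_in_window() in simplified form (plain integer sequence numbers, no window scaling, SACK or ACK-side checks), driven by a constructed four-segment flow. The class and function names, the addresses and the sequence numbers are all assumptions made for the illustration; only the two sysctl names and their defaults come from the thread.

```python
"""Simplified model of nf_conntrack's TCP tracking decisions. Added example,
not code from the netfilter project: it follows tcp_new()/tcp_in_window() in
nf_conntrack_proto_tcp.c only as far as needed to show what tcp_loose and
tcp_be_liberal change. Seq numbers are plain ints (no 32-bit wrap); window
scaling, SACK and the ACK-side window checks are left out."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NEW, ESTABLISHED, INVALID = "NEW", "ESTABLISHED", "INVALID"
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class Sysctl:
    tcp_loose: bool = True        # nf_conntrack_tcp_loose, kernel default 1
    tcp_be_liberal: bool = False  # nf_conntrack_tcp_be_liberal, kernel default 0


@dataclass
class Segment:
    flow: Flow
    seq: int
    ack: int
    win: int
    length: int = 0
    syn: bool = False

    @property
    def end(self) -> int:  # first seq after this segment; a SYN takes one seq
        return self.seq + self.length + (1 if self.syn else 0)


@dataclass
class Side:
    end: int = 0     # highest seq this side has sent
    maxend: int = 0  # highest seq the peer has allowed this side to send
    maxwin: int = 0  # largest window this side advertised; 0 = side not seen yet


class TcpConntrack:
    def __init__(self, sysctl: Sysctl) -> None:
        self.sysctl = sysctl
        self.table: Dict[Flow, Tuple[Side, Side]] = {}  # flow -> (orig, reply)

    def _lookup(self, s: Segment) -> Tuple[Optional[Tuple[Side, Side]], bool]:
        # Returns the entry and whether the segment travels in the original direction.
        if s.flow in self.table:
            return self.table[s.flow], True
        reverse = (s.flow[2], s.flow[3], s.flow[0], s.flow[1])
        if reverse in self.table:
            return self.table[reverse], False
        return None, True

    @staticmethod
    def _init_side(sender: Side, receiver: Side, s: Segment) -> None:
        # First segment from this side: nothing to compare against, so the
        # window state is seeded from the segment itself.
        sender.end = s.end
        sender.maxwin = s.win or 1
        sender.maxend = s.end if s.syn else s.end + sender.maxwin
        if not s.syn and receiver.maxwin == 0:  # mid-stream pick-up
            receiver.end = receiver.maxend = s.ack

    def classify(self, s: Segment) -> str:
        entry, original = self._lookup(s)
        if entry is None:
            # tcp_new(): a SYN always opens an entry, a non-SYN only with tcp_loose=1.
            # No out-of-window verdict is possible here: there is no previous
            # entry whose window values could be compared.
            if not s.syn and not self.sysctl.tcp_loose:
                return INVALID
            entry = (Side(), Side())
            self._init_side(entry[0], entry[1], s)
            self.table[s.flow] = entry
            return NEW
        sender, receiver = entry if original else (entry[1], entry[0])
        if sender.maxwin == 0:
            self._init_side(sender, receiver, s)
        # tcp_in_window(), data-sequence part: the segment may not start past
        # what the peer allowed, nor end before the retransmission horizon.
        upper_ok = s.seq <= sender.maxend
        lower_ok = receiver.maxwin == 0 or s.end >= sender.end - receiver.maxwin
        if upper_ok and lower_ok:
            sender.maxwin = max(sender.maxwin, s.win)
            sender.end = max(sender.end, s.end)
            receiver.maxend = max(receiver.maxend, s.ack + s.win)  # ack + window
            return ESTABLISHED
        # Out of window: INVALID unless tcp_be_liberal=1, which lets the
        # segment through without updating the tracked window.
        return ESTABLISHED if self.sysctl.tcp_be_liberal else INVALID


CLIENT: Flow = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed sample flow
SERVER: Flow = ("10.0.0.2", 80, "10.0.0.1", 40000)


def pick_up_scenario(sysctl: Sysctl) -> List[str]:
    """Handshake never seen by conntrack, then one segment far outside the window."""
    ct = TcpConntrack(sysctl)
    segs = [
        Segment(CLIENT, seq=1000, ack=5000, win=65535, length=100),    # mid-stream data
        Segment(SERVER, seq=5000, ack=1100, win=32000, length=200),    # reply
        Segment(CLIENT, seq=1100, ack=5200, win=65535, length=100),    # next data
        Segment(CLIENT, seq=900000, ack=5200, win=65535, length=100),  # out of window
    ]
    return [ct.classify(s) for s in segs]
```

Running pick_up_scenario() with the four combinations of the two sysctls shows the point of the thread: with the kernel defaults the first non-SYN segment is picked up as NEW and only the far-out segment is INVALID; with tcp_loose=0 every segment is INVALID whether or not tcp_be_liberal is set, because no entry exists whose window could be checked; with both enabled the out-of-window segment passes as ESTABLISHED. On a real host the knobs are net.netfilter.nf_conntrack_tcp_loose and net.netfilter.nf_conntrack_tcp_be_liberal, and a ruleset that drops INVALID is what turns the verdict into a block.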
