Re: conntrack-tools 0.9.14 can not block the connection

On Fri, 7 May 2010, Pascal Hambourg wrote:

> > I think what was really meant was tcp_loose, not tcp_be_liberal.
> 
> In my understanding, tcp_loose only allows conntrack to pick up
> connections from the middle, but packets are still INVALID until the
> required number of packets is seen and accepted. Am I wrong?

No, the packets are set to the usual states, there's no packet counting.

With tcp_loose enabled (default) conntrack accepts non-SYN packets as
"NEW" ones, i.e. attempts to pick up connections from the middle.

With tcp_be_liberal enabled (default is disabled) out of window packets
are not marked as INVALID.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
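As an added illustration (not from this thread and not the netfilter code), a small Python model of the distinction Jozsef draws: with tcp_loose on, the first non-SYN packet of an unknown flow is accepted as NEW immediately, with no packet counting; with it off, that packet is INVALID; and tcp_be_liberal decides whether an out-of-window segment on an already tracked connection is INVALID. The flow key, the addresses and the single fixed window are constructed simplifications, not the kernel's window-tracking algorithm; the corresponding sysctls are net.netfilter.nf_conntrack_tcp_loose and net.netfilter.nf_conntrack_tcp_be_liberal.

```python
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"            # the only TCP flags this toy model looks at

@dataclass
class Packet:
    flow: tuple        # constructed 4-tuple key: (src, sport, dst, dport)
    flags: set
    seq: int
    length: int = 1

class Conntrack:
    """Toy model of the conntrack TCP decision, not the kernel's algorithm."""

    def __init__(self, tcp_loose=True, tcp_be_liberal=False, window=65535):
        self.tcp_loose = tcp_loose            # kernel default: 1 (enabled)
        self.tcp_be_liberal = tcp_be_liberal  # kernel default: 0 (disabled)
        self.window = window                  # one fixed window, a simplification
        self.table = {}                       # flow key -> expected next seq

    def classify(self, pkt):
        """Return the ctstate an '-m conntrack --ctstate' match would see."""
        expected = self.table.get(pkt.flow)
        if expected is None:
            # No entry yet. A SYN always starts tracking; a non-SYN packet is
            # picked up as NEW only when tcp_loose is on, and it happens at
            # once, with no packet counting.
            if SYN in pkt.flags or self.tcp_loose:
                self.table[pkt.flow] = pkt.seq + pkt.length
                return "NEW"
            return "INVALID"
        if expected <= pkt.seq < expected + self.window:
            self.table[pkt.flow] = max(expected, pkt.seq + pkt.length)
            return "ESTABLISHED"
        # Out of window: INVALID unless tcp_be_liberal switches the check off.
        return "ESTABLISHED" if self.tcp_be_liberal else "INVALID"

def demo(tcp_loose=True, tcp_be_liberal=False):
    """Classify a constructed mid-stream burst under the given settings."""
    ct = Conntrack(tcp_loose, tcp_be_liberal)
    flow = ("192.0.2.10", 40000, "192.0.2.20", 80)   # constructed addresses
    burst = [
        Packet(flow, {ACK}, seq=1000),       # first packet seen is not a SYN
        Packet(flow, {ACK}, seq=1001),       # next in-window segment
        Packet(flow, {ACK}, seq=9_000_000),  # far outside the window
    ]
    return [ct.classify(p) for p in burst]
```

A rule such as `-m conntrack --ctstate INVALID -j DROP` therefore blocks the whole burst only in the tcp_loose=0 case; with the defaults, the mid-stream pickup is accepted as NEW and only the out-of-window segment is dropped.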
