Hello,

Sam Roberts wrote:
> I thought only a SYN packet should create a new connection, but PSH
> packets seem to do it, too, now.
[...]
> Our assumption was that if we deleted the connection, that any further
> TCP packets for that flow would have a ctstate of INVALID

This behaviour is controlled by the net.netfilter.nf_conntrack_tcp_loose sysctl. Quoting Jozsef Kadlecsik:

>> With tcp_loose enabled (default) conntrack accepts non-SYN packets as
>> "NEW" ones, i.e. attempts to pick up connections from the middle.

> This worked with 2.6.38, but doesn't work with 2.6.39.1.

Does the above sysctl have the same value on both kernels?
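One way to answer the question above on each kernel, as an added example that is not part of the original message: the script reads nf_conntrack_tcp_loose and reports which ctstate a non-SYN packet with no conntrack entry will get. The function names `midstream_ctstate` and `same_behaviour` are this example's own, and the files passed to them are assumed to be saved copies of the sysctl value from each host.

```shell
#!/bin/sh
# Added example: predict the ctstate conntrack assigns to a non-SYN TCP packet
# that matches no existing entry, from the nf_conntrack_tcp_loose value.

# Live location of the sysctl under /proc.
TCP_LOOSE_PATH=/proc/sys/net/netfilter/nf_conntrack_tcp_loose

# midstream_ctstate [FILE]
# FILE holds the sysctl value (default: the live /proc entry). Prints
# NEW, INVALID, or UNKNOWN when the value cannot be read or parsed.
midstream_ctstate() {
    file="${1:-$TCP_LOOSE_PATH}"
    if [ ! -r "$file" ]; then
        echo UNKNOWN            # nf_conntrack not loaded, or no such file
        return 0
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*) echo UNKNOWN ;;
        *)  if [ "$value" -eq 0 ]; then
                echo INVALID    # strict: only a SYN may create a connection
            else
                echo NEW        # loose: connections are picked up mid-stream
            fi ;;
    esac
}

# same_behaviour FILE_A FILE_B
# Compares two saved values (for example one per kernel). Returns 0 when
# both hosts would classify a mid-stream packet the same way, 1 otherwise.
same_behaviour() {
    a=$(midstream_ctstate "$1")
    b=$(midstream_ctstate "$2")
    echo "$1 -> $a, $2 -> $b"
    [ "$a" = "$b" ]
}

# Report for the host this runs on, with the setting that restores the
# "INVALID after the entry is deleted" behaviour when loose mode is on.
state=$(midstream_ctstate)
echo "non-SYN packet without a conntrack entry: $state"
if [ "$state" = NEW ]; then
    echo "to get INVALID instead: sysctl -w net.netfilter.nf_conntrack_tcp_loose=0"
fi
```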