> > >> >Those are, with high probabilty, late FIN packets: the belonging > conntrack > > >> >entry has already been deleted and thus conntrack cannot find the > matching > > >> >stream, therefore it sets as INVALID. > > >> > > >> Should not FIN retransmissions ideally be classified as ESTABLISHED (or > > >> perhaps a new state) as long as the final ACK has not been seen? > > > > > >The final ACK might have already been seen. A full tcpdump could tell us > > >what happened exactly. > > > > But perhaps NFCT should assume that it did not reach its destination > > and should accept more FIN-ACKs until the MSL has elapsed. > > The price is to waste the memory, by keeping every conntrack entry longer. > > We should receive more reports that the current default values are not > appropriate. I observed the FIN-repeat problem also but thought, that increasing nf_conntrack_tcp_timeout_fin_wait fixed it. Since it was a dirty trial and error hack, I failed to find docu on that parameter and did not want to go into kernel for that old machine, this just might have been superstition. Roman -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
