On 2011-11-24 17:46, lu zhongda wrote:
> The timeout is defined in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, which defaults to 5 days. I changed it to a short value for testing, such as 1 min.
> The Linux shell command is: echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
> The timeout for ESTABLISHED-type items does work, and the item is removed after the timeout; however, the connection is not blocked or dropped at all.

Hi zhongda.

How about

echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
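What the reply is pointing at, as an added simulation that is not code from the netfilter list or from the kernel: with tcp_loose=1 (the default) conntrack is allowed to "pick up" a connection from a non-SYN packet, so the moment the expired flow sends its next ACK a fresh entry is created (ctstate NEW) and a ruleset that accepts NEW TCP packets lets the connection carry on. With tcp_loose=0 that same packet has no entry and is not a SYN, so it is INVALID, and it is blocked only if the ruleset actually drops INVALID (or does not accept it). The model below is deliberately reduced (one timeout for every TCP state, no direction or window tracking, a constructed five-packet trace on a constructed flow); the `Conntrack`, `permissive_rules`, `strict_rules` and `run` names are mine. It also shows the ruleset-side fix that works regardless of tcp_loose: refusing NEW packets that are not a SYN, the equivalent of `-p tcp ! --syn -m conntrack --ctstate NEW -j DROP`.

```python
"""Toy model of how nf_conntrack classifies TCP packets once an
ESTABLISHED entry has timed out, with tcp_loose on and off.

Added example; it does not talk to the kernel. It simulates only the
parts that matter for the question (entry timeout, SYN-only versus
loose pickup, and the fact that a new entry is committed only if the
packet survives filtering) and runs an iptables-style ruleset over
the resulting ctstate values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds (constructed)
    flow: tuple    # flow key (constructed 4-tuple)
    syn: bool
    ack: bool


class Conntrack:
    """Minimal TCP conntrack: one table, one timeout, a tcp_loose flag."""

    def __init__(self, established_timeout, tcp_loose):
        self.timeout = established_timeout   # ip_conntrack_tcp_timeout_established
        self.tcp_loose = tcp_loose           # ip_conntrack_tcp_loose
        self.table = {}                      # flow -> expiry time

    def _expire(self, now):
        for flow, expiry in list(self.table.items()):
            if expiry <= now:
                del self.table[flow]

    def classify(self, pkt):
        """Return the --ctstate a rule sees: NEW, ESTABLISHED or INVALID."""
        self._expire(pkt.t)
        if pkt.flow in self.table:
            return "ESTABLISHED"
        # No entry left. A SYN always starts a new one; a non-SYN packet
        # may start one only if tcp_loose permits mid-stream pickup.
        if pkt.syn and not pkt.ack:
            return "NEW"
        return "NEW" if self.tcp_loose else "INVALID"

    def confirm(self, pkt, state):
        """Commit/refresh the entry. Called only for accepted packets: a
        new entry that is dropped by the filter is never confirmed, as in
        the kernel, so a dropped pickup attempt leaves no trace."""
        if state in ("NEW", "ESTABLISHED"):
            self.table[pkt.flow] = pkt.t + self.timeout


def permissive_rules(pkt, state):
    """Common ruleset: accept ESTABLISHED, accept any NEW TCP packet."""
    if state in ("ESTABLISHED", "NEW"):
        return "ACCEPT"
    return "DROP"


def strict_rules(pkt, state):
    """Hardened ruleset: drop INVALID, accept NEW only when it is a SYN
    (the `-p tcp ! --syn --ctstate NEW -j DROP` idiom)."""
    if state == "ESTABLISHED":
        return "ACCEPT"
    if state == "NEW" and pkt.syn and not pkt.ack:
        return "ACCEPT"
    return "DROP"


# Constructed trace: handshake, traffic, then 90 s of silence so the
# 60 s ESTABLISHED timeout used in the thread expires, then more ACKs.
FLOW = ("10.0.0.2", 40000, "10.0.0.1", 22)
TRACE = [
    Packet(0.0, FLOW, syn=True, ack=False),
    Packet(10.0, FLOW, syn=False, ack=True),
    Packet(30.0, FLOW, syn=False, ack=True),
    Packet(120.0, FLOW, syn=False, ack=True),   # entry expired at t=90
    Packet(121.0, FLOW, syn=False, ack=True),
]


def run(tcp_loose, rules, timeout=60):
    """Return [(time, ctstate, verdict), ...] for TRACE under one setting."""
    ct = Conntrack(timeout, tcp_loose)
    out = []
    for pkt in TRACE:
        state = ct.classify(pkt)
        verdict = rules(pkt, state)
        if verdict == "ACCEPT":
            ct.confirm(pkt, state)
        out.append((pkt.t, state, verdict))
    return out


if __name__ == "__main__":
    for loose in (1, 0):
        for rules in (permissive_rules, strict_rules):
            print(f"tcp_loose={loose} {rules.__name__}:")
            for t, state, verdict in run(loose, rules):
                print(f"  t={t:6.1f}  {state:<11} {verdict}")
```

Two things the table makes visible. First, flipping tcp_loose only changes the state conntrack reports; whether the post-timeout packet is dropped still depends on a rule that refuses INVALID, which is what a default DROP policy or an explicit `--ctstate INVALID -j DROP` provides. Second, the strict ruleset blocks the revived connection even with tcp_loose=1, because the pickup packet is a NEW non-SYN and the dropped entry is never confirmed. On current kernels the same knobs live under /proc/sys/net/netfilter/ as nf_conntrack_tcp_loose and nf_conntrack_tcp_timeout_established; the ip_conntrack_* paths in the thread are the older names.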