Re: How to drop an idle connection with iptables?

Hi Brian:

See my comments.

On 2011-11-24 19:30, Brian J. Murrell wrote:
> On 11-11-24 04:46 AM, lu zhongda wrote:
>> Hi Brian:
> Hi Lu,
>
>> At least, I hope iptables can confirm whether a connection is idle
>> or not by its rules; this is the key point of my problem.
> Perhaps there is a module which can do this but perhaps not because what
> you are proposing will actually break protocols based on TCP.
Agreed.

>> I have used the conntrack of iptables; it seems not to work.
> iptables' conntrack works exactly as it should.  When it sees a TCP
> session go to ESTABLISHED (i.e. TCP 3-way handshake is completed) it
> allows packets on that session and continues to do so until the session
> is destroyed with FIN and/or RST packets.
>
> To start dropping/rejecting packets before that TCP session is shut down
> will break the protocol that is running on the socket because it expects
> the session to still be open.
>
> You didn't answer my other question though, which is why do you think
> you need to be dropping idle, yet still ESTABLISHED sessions (and
> breaking higher level protocols when you do that)?
The need to drop idle connections comes from one technical support request:
I need to confirm whether iptables can drop idle connections, just like some other commercial products can. I need to confirm whether iptables can do it, and if it can, what the rule set is.
If not, then that is. I have no strong appeal that it can do it.
Thanks for your feedback.
> b.



--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
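For reference, the closest thing netfilter offers to the "drop idle connections" behaviour asked about above, as an added example that is not part of the thread: conntrack never tears down an ESTABLISHED flow itself, it only forgets the entry after `nf_conntrack_tcp_timeout_established` seconds of silence, and the rules below make sure packets of a forgotten flow are then dropped rather than picked up mid-stream. The idle limit of 600 seconds and the `APPLY`/`DRY_RUN` switches are assumptions of this script.

```shell
#!/bin/sh
# Added example: drop TCP flows that have been idle longer than $IDLE_SECS.
# Caveat (Brian's point): the peers are not told; they find out the
# session is dead only when their next packet is silently dropped.
IDLE_SECS="${1:-600}"   # assumed idle limit; default for established is 432000 s (5 days)

run() {
    # DRY_RUN=1 prints the commands instead of executing them (review/test mode)
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

idle_drop_rules() {
    idle="$1"
    # forget an ESTABLISHED TCP conntrack entry after $idle seconds without traffic
    run sysctl -w "net.netfilter.nf_conntrack_tcp_timeout_established=$idle"
    # do not pick up already-running flows: a packet with no entry becomes INVALID
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    # stateful base rule: accept traffic that belongs to a tracked session
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # anything conntrack cannot place in a session (including expired flows)
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # belt and braces if tcp_loose is ever re-enabled: a non-SYN packet
    # must never open a NEW session
    run iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# Only touch the live system when explicitly asked (needs root and iptables).
if [ "${APPLY:-0}" = "1" ]; then
    idle_drop_rules "$IDLE_SECS"
fi
```

Run with `DRY_RUN=1 sh idle-drop.sh 600` to review the commands, `APPLY=1 sh idle-drop.sh 600` as root to install them.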

