It is "1", so I will try with "0" to see if this behavior changes ...

... and I am reading "the google" for the "nf_conntrack_tcp_loose" setting for more details about how it determines what to "pick up mid-stream".

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

Sensitivity: Internal

-----Original message-----
From: Florian Westphal <fw@xxxxxxxxx>
Sent: Wednesday, 9 May 2018 07:00
To: André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx>
Cc: 'netfilter@xxxxxxxxxxxxxxx' <netfilter@xxxxxxxxxxxxxxx>
Subject: Re: iptables / conntrack - state engine question

André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx> wrote:
> I have a LOG&DROP option rule for both states INVALID and NEW using the "ctstate" function, rules 19/20 and 22/23.
> However, as the log shows over time (at bottom), I sometimes have packets LOG&DROP for the "ctstate NEW" that I suspect should not be matched there.
>
> I am assuming it is either a bug or a "feature", so my question is
> simply if this is "normal" or if this is something that may happen by
> "fault", and what is the "cause" of it and can it be "fixed" in the
> state engine itself (not with rules checking for the SYN bit and such) (as
> far as I understand the basis of a firewall state engine, a TCP
> packet should never have NEW STATE unless the SYN bit is set).

Depends on net.netfilter.nf_conntrack_tcp_loose setting.
If 1, it will also pick up connections mid-stream.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
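The behaviour Florian describes, as an added example that is not part of the thread and not kernel code: a small Python model of how conntrack classifies the first TCP packet it sees for a flow, following the tcp_new() path and the ORIGINAL-direction row of the tcp_conntracks table (state sNO, "no connection yet") in net/netfilter/nf_conntrack_proto_tcp.c as they stood around the time of this thread. With tcp_loose=1 a bare ACK that belongs to a connection conntrack never saw the handshake of creates a new entry, and because that packet created the entry it matches `--ctstate NEW` even though conntrack's internal TCP state for it is ESTABLISHED; with tcp_loose=0 the same packet is INVALID. SYN/ACK, FIN and RST can never open an entry either way. All function and field names below are this example's own, not kernel or iptables identifiers.

```python
"""Model of conntrack's verdict on the first packet of a TCP flow.

Added example for the netfilter thread above; it mirrors the logic of
tcp_new() / get_conntrack_index() and the sNO row of tcp_conntracks in
net/netfilter/nf_conntrack_proto_tcp.c, but is not kernel code.  Names
are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Verdict:
    ctstate: str                 # what `-m conntrack --ctstate` sees: NEW or INVALID
    tcp_state: Optional[str]     # conntrack's internal TCP state for the new entry
    reason: str


def conntrack_index(flags: int) -> str:
    """Mirror get_conntrack_index(): bucket a header by its flags, RST first."""
    if flags & RST:
        return "rst"
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    if flags & FIN:          # FIN/ACK lands here, not in "ack"
        return "fin"
    if flags & ACK:
        return "ack"
    return "none"


# ORIGINAL-direction transitions out of sNO (no entry exists yet).
# None means the table entry is sIV: this packet cannot start a connection.
FROM_NO_CONNECTION = {
    "syn": "SYN_SENT",
    "synack": None,
    "fin": None,
    "ack": "ESTABLISHED",     # the mid-stream pickup case
    "rst": None,
    "none": None,
}


def first_packet_verdict(flags: int, tcp_loose: int) -> Verdict:
    """Classify the first packet seen for a flow under a given tcp_loose setting."""
    idx = conntrack_index(flags)
    new_state = FROM_NO_CONNECTION[idx]
    if new_state is None:
        return Verdict("INVALID", None, f"{idx} cannot open a connection")
    if new_state == "SYN_SENT":
        return Verdict("NEW", new_state, "SYN: normal handshake start")
    if not tcp_loose:
        # tcp_new(): "Don't try to pick up connections."
        return Verdict("INVALID", None,
                       "non-SYN first packet and tcp_loose=0: not picked up")
    # tcp_new(): "We are in the middle of a connection" -> new entry created,
    # so the packet that created it is ctstate NEW although TCP state is ESTABLISHED.
    return Verdict("NEW", new_state,
                   "non-SYN first packet picked up mid-stream because tcp_loose=1")


def verdict_table(tcp_loose: int) -> dict:
    """Verdicts for the common first-packet flag combinations at one setting."""
    cases = {"SYN": SYN, "SYN/ACK": SYN | ACK, "ACK": ACK,
             "FIN/ACK": FIN | ACK, "RST": RST, "no flags": 0}
    return {name: first_packet_verdict(f, tcp_loose) for name, f in cases.items()}


if __name__ == "__main__":
    for loose in (1, 0):
        print(f"net.netfilter.nf_conntrack_tcp_loose = {loose}")
        for name, v in verdict_table(loose).items():
            print(f"  {name:9s} -> ctstate {v.ctstate:8s} ({v.reason})")
```

Running it shows why a `--ctstate NEW` LOG&DROP rule catches packets without SYN on a box with tcp_loose=1: the bare ACK row is the only non-SYN row that yields NEW, and it flips to INVALID once the sysctl is 0. FIN/ACK, RST and SYN/ACK first packets are INVALID regardless of the setting, so those would surface under the INVALID rule, not the NEW one.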