On Fri, 5 Oct 2018, Brian J. Murrell wrote:

> Let me ask... Is my original theory valid? Will conntrack throw away
> the idea of an ESTABLISHED session as soon as the last FIN passes the
> connection and if the host were to subsequently receive any straggling
> packets (i.e. held up in a router or something), would they get logged
> as I am seeing it or does conntrack suppress logging those for some
> period of time after the TCP session is closed with dual FIN and/or RST
> packets?

Conntrack categorizes the connections as NEW, ESTABLISHED, etc. but
internally the TCP states are pretty much followed. So we have got
LAST_ACK (FIN seen after FIN) and TIME_WAIT (last ACK seen) internal
states as well with their specific timeout values.

A tcpdump recording with the netfilter logs is required to tell what's
really happened: too late ACKs, forged packets, wrong seq/ack numbers due
to poorly handled SACK somewhere in the traffic path, etc.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
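As an added example (not part of the original message or of netfilter), the sketch below matches a logged TCP packet against a snapshot of the conntrack table to show whether its flow is still tracked in one of the internal closing states and how many seconds remain on the entry. The sample lines are constructed and assume the usual `conntrack -L` and iptables LOG layouts; the function names are hypothetical.

```python
import re

# Constructed samples (documentation addresses), laid out like `conntrack -L`
# output and iptables LOG target lines. Not taken from the thread.
CONNTRACK = """\
tcp      6 97 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 21 LAST_ACK src=192.0.2.10 dst=198.51.100.7 sport=51240 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51240 [ASSURED] mark=0 use=1
"""
LOG_LINES = [
    "IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF "
    "PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0",
    "IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF "
    "PROTO=TCP SPT=443 DPT=51999 WINDOW=0 RES=0x00 ACK URGP=0",
]

ENTRY = re.compile(r"^tcp\s+6\s+(\d+)\s+(\S+)\s+(.*)$")
KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
LOG = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=(\d+) DPT=(\d+) (.*?)URGP=")
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_conntrack(text):
    """Map (src, dst, sport, dport) -> (tcp_state, seconds_left), both directions."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        timeout, state = int(m.group(1)), m.group(2)
        kv = KV.findall(m.group(3))
        # First four pairs are the original direction, next four the reply.
        for tup in (kv[:4], kv[4:8]):
            table[tuple(v for _, v in tup)] = (state, timeout)
    return table

def classify(log_line, table):
    """Return the logged packet's TCP flags and the tracked state, if any."""
    m = LOG.search(log_line)
    if not m:
        return None
    src, dst, spt, dpt, tail = m.groups()
    flags = [t for t in tail.split() if t in FLAGS]
    state, timeout = table.get((src, dst, spt, dpt), (None, None))
    return {"flags": flags, "state": state, "timeout": timeout}

if __name__ == "__main__":
    table = parse_conntrack(CONNTRACK)
    for line in LOG_LINES:
        print(classify(line, table))
```

A packet that resolves to no entry is the case that needs the tcpdump capture alongside the log to explain.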