On 7/8/19 11:51, Florian Westphal wrote:
> Anton Danilov <littlesmilingcloud@xxxxxxxxx> wrote:
> > To avoid this issue you can tune the conntrack behaviour with sysctl:
> > sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
> > sysctl -w net.netfilter.nf_conntrack_tcp_loose=1
> Yes, a better alternative in this case though would be to
> NOTRACK packets from/to lo interface.
> It's kind of silly that conntrack tracks them by default IMO.
Is it really that different? Suppose you use "-m cpu" with REDIRECT for
load balancing, or want to use CONNMARK for anything, or restrict some
local process to accepting new connections but not initiating them, or
initiating new connections but not accepting them. Same for loopback as
anything else.
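As an added example, not code posted by anyone in this thread: a small shell script that emits the two loopback policies being argued about as nftables rulesets. Policy A exempts lo from conntrack in the raw hooks, which is Florian's suggestion. Policy B keeps lo tracked and uses the state for two of the things the reply lists, REDIRECT keyed on the originating CPU and a service that may accept loopback connections but never initiate them. The table and chain names, uid 1001 and ports 80/8080/8081 are assumptions for illustration; the `nft -f` invocations need CAP_NET_ADMIN and only run when the script is given `notrack` or `tracked` as its argument.

```shell
#!/bin/sh
# Added example for this thread (not code from any participant): the two
# loopback policies under discussion as nftables rulesets. Table and chain
# names, uid 1001 and ports 80/8080/8081 are assumed values for illustration.
set -eu

# Policy A: exempt every lo packet from conntrack in both raw hooks, so the
# be_liberal/loose sysctls become irrelevant for loopback traffic.
notrack_ruleset() {
cat <<'EOF'
table inet lo_untracked {
	chain raw_out {
		type filter hook output priority raw; policy accept;
		oif "lo" notrack
	}
	chain raw_pre {
		type filter hook prerouting priority raw; policy accept;
		iif "lo" notrack
	}
}
EOF
}

# Policy B: keep tracking lo and use the state for things notrack would
# break: NAT spread by CPU, and a service (assumed uid 1001) that may answer
# connections it receives but is refused any NEW connection it tries to open.
tracked_ruleset() {
cat <<'EOF'
table inet lo_tracked {
	chain nat_out {
		type nat hook output priority -100; policy accept;
		# REDIRECT keyed on the originating CPU; nat needs a conntrack entry
		oif "lo" tcp dport 80 meta cpu 0 redirect to :8080
		oif "lo" tcp dport 80 meta cpu 1 redirect to :8081
	}
	chain out {
		type filter hook output priority filter; policy accept;
		# replies within an already tracked connection always pass...
		oif "lo" ct state established,related accept
		# ...but uid 1001 may not initiate connections over lo
		oif "lo" ct state new meta skuid 1001 reject
	}
}
EOF
}

# Load one policy into the kernel (needs CAP_NET_ADMIN).
apply_ruleset() {
	"$1" | nft -f -
}

case "${1:-show}" in
	show)    notrack_ruleset; echo; tracked_ruleset ;;
	notrack) apply_ruleset notrack_ruleset ;;
	tracked) apply_ruleset tracked_ruleset ;;
esac
```

Run without arguments to print both rulesets; `sh lo_policy.sh notrack` or `sh lo_policy.sh tracked` loads one of them. The two are alternatives, not complements: once Policy A is in place the ct state of every lo packet is `untracked`, so the nat chain and the `ct state new` restriction in Policy B can no longer match anything on loopback, which is exactly the trade-off the reply is pointing at.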