On Mon, 2024-09-30 at 11:51 +0200, Pablo Neira Ayuso wrote:
> > These are packets logged through 'ct state invalid', right?

Yes, I would say that is a reasonable statement. But they are only just recently invalid, as of the closing of the valid "session" just a few packets before.

So while I want to still log generally invalid packets (i.e. an ACK-only packet not part of an existing session, or an RST not part of an actively closing session, etc.), I don't want to log packets that are only invalid because they are "stragglers" (i.e. were delayed in the network, etc. and only arrive after the close of the session) from a recently (let's say, 30 or maybe even 60 seconds since) closed session.

Cheers,
b.