On Tuesday 08 October 2002 01:01, Roberto Nibali wrote:
> You can still remove conntrack entries with a well placed RST flag. Just
> send a packet with the matching template <srcIP, srcPORT, dstIP,
> dstPORT> and the RST bit set. Will happily remove conntrack entries.
> Only the TCP window tracking patch will fix this issue. I don't even
> start talking about stateful filtering before this.
It's getting a bit off-topic here, so feel free to move this thread along to
the netfilter list (we both seem to be reading it ;-), but what exactly does
the window tracking patch address?
Since you call it a 'patch' I take it it's not in the vanilla kernels from
kernel.org, so chances that we're running it are very slim. I wonder if we
want to patch the kernel now or not...
--
Martijn
PS: Downside of taking this to netfilter is that that list is a bit slow, and
this list is fast - it takes over an hour before posts on netfilter actually
appear in your inbox :(