Connection problems on large high speed connections.

Stian B. Barmen stian at barmen.nu
Wed Apr 27 15:51:36 CEST 2005


> Then there were packets flagged as INVALID by conntrack, which are of
> course not matched by the states above. The reject line however matched
> them and dutifully generated the RST segment, which tore down the
> connection.

But what is the reason for the difference in behaviour for -j REJECT vs
-j RECECT --reject-with tcp-reset? Why does one kill the connection and
not the other?

> Enable logging invalid packets by
> 
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> 
> and make sure ipt_LOG is loaded in.

Will do this :)

Best regards
Stian B. Barmen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2685 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050427/7a05412f/smime.bin


More information about the netfilter mailing list