From: Henrik Nordstrom <hno@marasystems.com>
To: don-nf@isis.cs3-inc.com (Don Cohen)
Cc: netfilter-devel@lists.samba.org
Subject: Re: conntrack performance/DoS formula
Date: Tue, 2 Jul 2002 09:58:03 +0200
Message-ID: <200207020958.03375@henrik.marasystems.com>
In-Reply-To: <15648.38427.807689.794217@isis.cs3-inc.com>

On Monday 01 July 2002 19.49, Don Cohen wrote:

>  > The ESTABLISHED indicates the TCP state, UNREPLIED indicates the
>  > conntrack state. This is a TCP session that has only seen ACK in
>  > one direction, no packets in the other.
>  >
>  > Almost related note: The connection is not ASSURED.
>
> I'm having trouble making sense of your explanation above.
> This line is supposed to describe a single connection, right?
> Established as a tcp state means the three packet handshake is
> complete?  But that seems to contradict the unreplied.

See the archives. This was discussed to death some days ago.

Summary in short: TCP state only indicates what kind of packets are 
currently seen on the connection. This can be derived from a single 
packet due to "connection pickup".

> Is there any doc for stuff like this?
> - how to read the lines above
> - what exactly these things (unreplied, assured, established ...)
> mean - can I match on ASSURED ?

ASSURED can be matched using the new conntrack match found in
patch-o-matic. Normally this flag is only used by conntrack to
garbage-collect invalid entries in case of a DoS attempt. There isn't
really much use of matching it in rulesets.

Regards
Henrik
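
Added example, not part of Henrik's message and not netfilter code: a small Python parser for entries in the /proc/net/ip_conntrack layout that keeps the per-protocol state (ESTABLISHED) separate from the conntrack status flags ([UNREPLIED], [ASSURED]) discussed above. The sample lines are constructed, and the function names and dictionary keys are this example's own.

```python
import re

# Constructed sample lines in the /proc/net/ip_conntrack layout (addresses are
# documentation ranges; these are not taken from the thread).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40002 [ASSURED] use=1
tcp      6 55 SYN_RECV src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40003 use=1
udp      17 25 src=192.0.2.13 dst=198.51.100.9 sport=5353 dport=53 [UNREPLIED] src=198.51.100.9 dst=192.0.2.13 sport=53 dport=5353 use=1
"""

FLAG_RE = re.compile(r"\[([A-Z_]+)\]")   # conntrack status flags, e.g. [ASSURED]
KV_RE = re.compile(r"(\w+)=(\S+)")       # tuple fields, e.g. src=192.0.2.10

def parse_entry(line):
    """Split one entry into protocol state and conntrack status flags."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    # Only some protocols print a state word. When present it is the 4th
    # field and contains neither '=' nor '['.
    state = fields[3] if "=" not in fields[3] and "[" not in fields[3] else None
    flags = set(FLAG_RE.findall(line))
    # The first src/dst/sport/dport group is the original direction.
    orig = dict(KV_RE.findall(line)[:4])
    return {"proto": proto, "timeout": timeout, "proto_state": state,
            "flags": flags, "orig": orig}

def summarize(text):
    """Count entries by conntrack status and list one-sided ESTABLISHED ones."""
    report = {"total": 0, "unreplied": 0, "not_assured": 0, "picked_up": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        e = parse_entry(line)
        report["total"] += 1
        unreplied = "UNREPLIED" in e["flags"]
        report["unreplied"] += unreplied
        # Entries without [ASSURED] are the ones conntrack may reclaim first
        # when the table is under pressure.
        report["not_assured"] += "ASSURED" not in e["flags"]
        # TCP state ESTABLISHED together with UNREPLIED: the state was derived
        # from packets in one direction only ("connection pickup" above).
        if e["proto_state"] == "ESTABLISHED" and unreplied:
            report["picked_up"].append(e["orig"]["src"] + ":" + e["orig"]["sport"])
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```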
