On Wed, May 02, 2012 at 03:40:58PM +0200, Lukas Tribus wrote:
> 
> > Note however that you will no longer be able to carry out any 
> > connection tracking logic on matched packets, including no NAT, 
> > syncookie protection, etc. 
> 
> Are you sure syncookie protection doesn't work with "-j NOTRACK"? I don't
> believe syncookie has anything to do with conntrack at all, in fact, if
> syncookies were stateful, they would be totally useless.

You're right Lukas, syncookies are independent of conntrack, they're
applied on the socket itself, as soon as the backlog is full.

Willy