Hi! I've just committed an experimental patch to the extra section of patch-o-matic, the 'tcp-conntrack-nopickup.patch'.
This is an EXPERIMENTAL patch making TCP connection tracking behave more conservatively. If this option is enabled, it will only track connections which are started after ip_conntrack.o was loaded (or your firewall booted). It makes no attempt at picking up old, previously established TCP connections.

This might help in some rare cases where you have problems with ACK flooding filling up your connection tracking tables because the flooded client is not responding fast enough with RST packets.

If unsure, say `N'.

Please use this patch with extreme caution. It might break a lot of stuff :)

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
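The following is an added, editorial example and not the patch itself nor any kernel code: a toy model of a connection-tracking table that shows the one difference the post describes, namely whether a packet that matches no existing entry is allowed to create one when it is not a SYN. The table size (1024), the flood size (5000) and all addresses and ports are constructed values; the flood packets are bare ACKs that the victim never answers with RST, which is the scenario the post names.

```python
"""Toy model of TCP conntrack 'pickup' vs 'nopickup' (added example, not the
patch or the kernel's ip_conntrack code). Only the creation rule is modelled:
may a packet with no matching entry create one?"""

from typing import Dict, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP header flag bits

Key = Tuple[str, int, str, int]            # (src, sport, dst, dport)


class ConntrackTable:
    def __init__(self, pickup: bool, max_entries: int) -> None:
        self.pickup = pickup                # True: pick up mid-stream flows
        self.max_entries = max_entries
        self.entries: Dict[Key, str] = {}
        self.invalid = 0                    # no entry, and not allowed to create one
        self.table_full = 0                 # entry wanted, but no room left

    def process(self, src: str, sport: int, dst: str, dport: int, flags: int) -> str:
        key: Key = (src, sport, dst, dport)
        reply: Key = (dst, dport, src, sport)
        if key in self.entries or reply in self.entries:
            if flags & RST:                 # RST from either side tears the entry down
                self.entries.pop(key, None)
                self.entries.pop(reply, None)
                return "closed"
            return "established"
        # No entry yet. A plain SYN always starts a new connection; anything
        # else is only accepted as a picked-up, pre-existing connection when
        # pickup is enabled (a lone RST never creates state).
        is_syn = bool(flags & SYN) and not (flags & ACK)
        eligible = is_syn or (self.pickup and not (flags & RST))
        if not eligible:
            self.invalid += 1
            return "invalid"
        if len(self.entries) >= self.max_entries:
            self.table_full += 1
            return "table full"
        self.entries[key] = "SYN_SENT" if is_syn else "ESTABLISHED (picked up)"
        return "new"


def run_scenario(pickup: bool, flood_size: int = 5000, max_entries: int = 1024) -> dict:
    """Constructed traffic: one flow that predates the tracker, an ACK flood the
    victim is too slow to RST, then one genuine handshake."""
    ct = ConntrackTable(pickup, max_entries)
    # 1. A flow established before the tracker started: first seen as a bare ACK.
    old_flow = ct.process("10.0.0.5", 51000, "10.0.0.1", 22, ACK)
    # 2. Spoofed ACK flood, a fresh source port per packet, never answered with RST.
    for i in range(flood_size):
        ct.process("198.51.100.7", 1024 + i, "10.0.0.1", 80, ACK)
    # 3. A real client now tries to open a connection.
    new_flow = ct.process("10.0.0.9", 40000, "10.0.0.1", 80, SYN)
    return {
        "old_flow": old_flow,
        "new_flow": new_flow,
        "entries": len(ct.entries),
        "invalid": ct.invalid,
        "table_full": ct.table_full,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("pickup" if mode else "nopickup", run_scenario(mode))
```

With pickup enabled the flood alone fills the 1024-entry table and the later genuine SYN is refused, which is the failure mode the post describes; with nopickup every flood packet is merely invalid, the table stays at one entry and the SYN goes through. The same run also shows the cost the post warns about: the flow that existed before the tracker started is now invalid too, so under nopickup any rule that drops INVALID will cut off sessions that were open when the module was loaded.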