On 17.10.20 17:42, Alexandre Derumier wrote:
> Hi,
> thanks for this patch!
>
> It could be interesting to see if it's working fine with
> sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
>
> This is to avoid ack flood ddos (where random ack packets can add a
> lot of conntrack entries)
> https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf
>
> Currently we can't enable it because when we migrate vms, the already
> opened connections can't re-add conntrack without a new syn.

That was the main intention for this series, i.e., your bug #2451 :)
https://bugzilla.proxmox.com/show_bug.cgi?id=2451

_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
