Henrik Nordstrom writes:

> The TCP tracking states are approximations of RFC793. However,
> conntrack_tcp does not implement TCP, it only tries to derive the
> states of the involved TCP endpoints by looking at the transmitted
> packets.

I understand that there are limits to what conntrack can do. However, someone has taken the trouble to compute assured, and this seems like a *much* better approximation to TCP established than what is actually presented as the intended approximation. I guess now that you can match on assured the right functionality is there, but the current TCP established still seems like false advertising.

> While I'm at it, so what happens in case of NAT? The tuples are not
> the same in this case...

Yep, that's what I realized later.