Anyway, what is an established but unreplied TCP connection? As far as I know, TCP cannot be established w/o a reply %)
If a router is rebooted while the connection is active, after reboot it picks up an existing connection, but it has seen only one direction of traffic.
That’s what is being described here:
http://lists.netfilter.org/pipermail/netfilter-devel/2005-August/020981.html
In the above link they also talk about an idea to handle the situation more gracefully:
What’s left to do in 2.6 is to add them with lower timeout until they have been replied as well (more specifically, ip_conntrack_tcp_loose number of packets has been seen in both directions)
Anyway, I don’t think that reboot is my problem. Why? If you look at the pic I included above, timeouts vary greatly. If it was due to reboot, most of the unreplied established connections would occur around the same hour.
Yes, that’s what I meant
So, these packets should be captured by ‘connection-state=invalid’ rules?
P.S. my router’s uptime is 20d… I think all connections established before the reboot should already be gone =)