From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 [PATCH 6/6] sysctl: Conntrack: Disable picking up loose TCP connections
Date: Thu, 18 Apr 2024 21:11:44 +0000
Message-ID: <20240418211144.3318938-6-michael.tremer@ipfire.org>
In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9169370399088345915=="
List-Id: <development.lists.ipfire.org>

--===============9169370399088345915==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/etc/sysctl.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 31a220e38..e35ee0dc4 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 
+# Do not try to pick up existing TCP connections in conntrack
+net.netfilter.nf_conntrack_tcp_loose = 0
+
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct = 1
 
-- 
2.39.2


--===============9169370399088345915==--