On 2011-11-28 09:12, Gao feng wrote:
> Hi
>
> In func nf_nat_icmp_reply_translation, the icmp packet will be dropped when the nat is not finished.
> pc A (whose gateway is C) sends an icmp request to pc B.
> When gw C receives this packet, it may return an icmp redirect packet to A.
> BUT now, the icmp request packet has not gone to POSTROUTING, so the nat is not finished.
> Finally, the icmp redirect packet will be dropped no matter whether the conn has nat or not.
>
> Of course, the icmp redirect packet will be correctly handled when nat is finished.
>
> Can somebody give me some suggestions,
> or should I just add a sysctl to let the user decide to drop or receive this icmp redirect packet when nat is not finished?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

or maybe we can move the ip_rt_send_redirect from FORWARD to POSTROUTING?