On 02.12.2011 06:32, Gao feng wrote:
> On 2011-12-01 18:20, Patrick McHardy wrote:
>> Yes, as I said, we could set up a NULL source mapping on the
>> conntrack of the original packet and let the REDIRECT through.
>> The user might have configured a source NAT rule though which
>> would become ineffective by this.
>>
>
> Hi Patrick:
>
> Yes, you are right.
>
> You mean we have no idea of the ICMP REDIRECT packet being dropped
> when nat is not finished?

We can't determine whether we could let it through at that point.
The safe choice is to drop it.