On 2011-12-02 20:58, Patrick McHardy wrote:
> On 02.12.2011 06:32, Gao feng wrote:
>> On 2011-12-01 18:20, Patrick McHardy wrote:
>>> Yes, as I said, we could set up a NULL source mapping on the
>>> conntrack of the original packet and let the REDIRECT through.
>>> The user might have configured a source NAT rule though which
>>> would become ineffective by this.
>>>
>>
>> Hi Patrick:
>>
>> Yes, you are right.
>>
>> You mean we have no idea of the ICMP REDIRECT packet being dropped
>> when nat is not finished?
>
> We can't determine whether we could let it through at that point.
> The safe choice is to drop it.
> --

Good Morning Patrick

I got it, thank you very much.