On Tue, Dec 17, 2013 at 10:52:02PM +0800, Changli Gao wrote:
> On Tue, Dec 17, 2013 at 9:01 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > Indeed. You can configure those two NATs to make them more
> > hole-punching friendly by dropping UDP packets to local closed ports,
> > so that conntrack entry won't be created.
>
> Yes. But it requires the explicit configuration. Why not make it work
> by default, although it may fail in some situation? Less is better
> than none, isn't it?

With this patch, an ICMP destination unreachable - fragmentation needed
coming after a big UDP packet will trigger the removal of the UDP
conntrack entry, which should not happen.
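The objection above is that an ICMP "destination unreachable" is not one thing: a port-unreachable (type 3, code 3) says nobody listens on the port, while a fragmentation-needed (type 3, code 4) is a path-MTU signal about a flow that is very much alive. The toy model below is an added illustration, not the kernel's conntrack code and not the patch being reviewed; the table, the `Tuple5` key and the addresses are constructed here. It tears down a UDP entry only on port-unreachable and keeps it on fragmentation-needed, which is the behaviour the reply says the patch fails to preserve.

```python
"""Toy model of a UDP conntrack table reacting to ICMP errors.

Constructed example for the discussion above; it is not Linux
nf_conntrack code. It shows why the ICMP code, not just the type,
has to be consulted before an ICMP error is allowed to remove an
existing UDP entry.
"""
from dataclasses import dataclass, field

ICMP_DEST_UNREACH = 3      # ICMP type
ICMP_CODE_PORT_UNREACH = 3  # no listener on the destination port
ICMP_CODE_FRAG_NEEDED = 4   # packet too big: path MTU discovery signal


@dataclass(frozen=True)
class Tuple5:
    """Flow key as a conntrack table would see it (assumed layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class ConntrackTable:
    entries: dict = field(default_factory=dict)

    def udp_packet(self, flow: Tuple5) -> None:
        """A UDP datagram creates or refreshes the entry for its flow."""
        self.entries.setdefault(flow, {"packets": 0})
        self.entries[flow]["packets"] += 1

    def icmp_error(self, icmp_type: int, icmp_code: int, inner: Tuple5) -> bool:
        """Handle an ICMP error quoting the original datagram `inner`.

        Returns True if the UDP entry was removed, False if it was kept.
        Only a port-unreachable is treated as evidence that the flow is
        dead; fragmentation-needed (and any other code) leaves it alone.
        """
        if icmp_type != ICMP_DEST_UNREACH or inner not in self.entries:
            return False
        if icmp_code == ICMP_CODE_PORT_UNREACH:
            del self.entries[inner]
            return True
        # FRAG_NEEDED: the peer is reachable, the sender just has to
        # shrink its datagrams. The flow stays in the table.
        return False


def scenario() -> dict:
    """Replay the two cases from the thread and report what survived."""
    table = ConntrackTable()
    flow = Tuple5("10.0.0.1", 40000, "203.0.113.5", 5000)  # constructed
    table.udp_packet(flow)                                  # big UDP datagram
    removed_on_frag = table.icmp_error(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, flow)
    alive_after_frag = flow in table.entries
    removed_on_port = table.icmp_error(ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, flow)
    alive_after_port = flow in table.entries
    return {
        "removed_on_frag_needed": removed_on_frag,
        "alive_after_frag_needed": alive_after_frag,
        "removed_on_port_unreach": removed_on_port,
        "alive_after_port_unreach": alive_after_port,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Run as a script it prints the four outcomes; the frag-needed case leaves the entry in place, the port-unreachable case removes it.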