On 5 June 2015 at 16:08, Florian Westphal <fw@xxxxxxxxx> wrote:
> So just to make sure:
>
> #1 Linux sends skb from (local_addr, daddr)
> #2 r1 forwards packet to r2
> #3 Linux receives its own packet again, with (saddr local_addr, daddr)
> #4 Linux creates a new conntrack entry since lookup for old one would
> expect (local_addr is daddr) reply
> #5 new conntrack is created, with PAT applied to resolve port clash
> collision
> #6 remote_addr sends reply, to local_addr
> #7 we lookup conntrack, find the one without PAT translation applied
> #8 we possibly toss the packet since PAT undo doesn't (yet) yield
> skb with a socket.

Yes.

> I'd recommend to fix this setup... If that can't be done, can you
> suppress creation of 2nd conntrack entry?

This configuration has been used by a small handful of our customers; we are probably going to get them to fix their routing tables.

> It should be possible via "-t raw -s local_address -j CT --notrack".

Considered this, but it doesn't work for us in all cases (tproxy!).

Thanks

--
Daniel Collins
Software Developer
smoothwall
daniel.collins@xxxxxxxxxxxxxx
www.smoothwall.com