Hi Florian,

On Thu, May 3, 2018 at 7:03 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
> I'm sorry for suggesting that.
>
> It doesn't work, because of NAT.
> NAT rewrites packet content and changes the reply tuple, but the tuples
> determine the hash insertion location.
>
> I don't know how to solve this problem.

No problem. This has anyway served as a good exercise for getting more
familiar with the conntrack/nat code in the kernel.

I did some more tests and I see that on my router (or routers actually),
just replacing the ct solves the issue. While not a perfect solution, the
situation is improved considerably. Do you think a patch where the ct is
replaced would be acceptable, or would upstream rather wait for a "proper"
fix to this problem? When replacing the ct, it is at least possible to work
around the problem in userspace, while without replacing ct we are stuck
with the original entry.

BR,
Kristian