On Fri, Sep 07, 2018 at 04:33:33PM +0800, Tan Hu wrote:
> We configured iptables as below, which only allowed incoming data on
> established connections:
>
> iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT
> iptables -t mangle -P PREROUTING DROP
>
> When deleting a secondary address, the current masquerade implementation
> would flush all conntracks on this device. All the established
> connections on the primary address are also deleted, then subsequent
> incoming data on those connections would be dropped wrongly because it
> was identified as a NEW connection.
>
> So when an address is deleted, it should only flush connections related
> to that address.

Applied to nf-next, thanks.
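The failure mode in the report, modelled as an added example (not kernel code and not from the patch): a toy conntrack table with one flow masqueraded to the primary address and one to a secondary address, the "flush everything on the device" behaviour beside the "flush only entries using the removed address" behaviour, and the mangle PREROUTING policy above applied to a reply packet for the primary-address flow. Addresses, interface index and table contents are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conntrack:
    """One tracked, masqueraded flow: original tuple plus the NAT source."""
    ifindex: int
    src: str       # original source (internal host)
    dst: str       # remote host
    nat_src: str   # address the flow was masqueraded to

# Constructed sample table: two flows on the same device (ifindex 2),
# one masqueraded to the primary address, one to a secondary address.
PRIMARY, SECONDARY = "203.0.113.1", "203.0.113.2"
TABLE = {
    Conntrack(2, "10.0.0.5", "198.51.100.7", PRIMARY),
    Conntrack(2, "10.0.0.6", "198.51.100.9", SECONDARY),
}

def flush_old(table, ifindex):
    """Behaviour described in the report: drop every entry on the device."""
    return {ct for ct in table if ct.ifindex != ifindex}

def flush_fixed(table, ifindex, addr):
    """Flush only the entries masqueraded to the address being removed."""
    return {ct for ct in table
            if not (ct.ifindex == ifindex and ct.nat_src == addr)}

def classify_reply(table, local_addr, remote):
    """Model of the two mangle PREROUTING rules: a reply that matches a
    tracked flow is ESTABLISHED; anything else is NEW."""
    for ct in table:
        if ct.nat_src == local_addr and ct.dst == remote:
            return "ESTABLISHED"
    return "NEW"

def verdict(state):
    """ESTABLISHED hits the ACCEPT rule; NEW falls through to policy DROP."""
    return "ACCEPT" if state == "ESTABLISHED" else "DROP"

def reply_verdict_after_flush(fixed):
    """Delete the secondary address, then classify a reply arriving for
    the still-valid connection on the primary address."""
    table = flush_fixed(TABLE, 2, SECONDARY) if fixed else flush_old(TABLE, 2)
    return verdict(classify_reply(table, PRIMARY, "198.51.100.7"))

if __name__ == "__main__":
    print("old  :", reply_verdict_after_flush(False))  # DROP
    print("fixed:", reply_verdict_after_flush(True))   # ACCEPT
```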