Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > I don't think letting the packet go through is a good idea. Not sure > NAT will work fine, packets would go through being unmangled? I think > we should still drop the packet until we fix this. Unfortuntely this is still a band-aid solution, nfqueue + bridge doesn't work when mcast/flood is involved. Problematic cases are NAT (several bindings on same conntrack simultaneously) and extension realloction. They are not a problem in most cases due to prealloced space and because extensions are commonly added before bridge starts to clone for flooding. For NAT, the race window is small and iirc we changed nat core to just warn in case the nat bit is already set. I think it will work fine in most cases with this patch (i.e., witch accept verdict) though; it is better than what we do now.