Hi,

We find that our SNAT sometimes forwards un-NATed packets out as-is. This behavior confused us for a while until we saw this in net/netfilter/nf_nat_core.c:

    ct = nf_ct_get(skb, &ctinfo);
    /* Can't track?  It's not due to stress, or conntrack would
     * have dropped it.  Hence it's the user's responsibilty to
     * packet filter it out, or implement conntrack/NAT for that
     * protocol. 8) --RR */
    if (!ct)
        return NF_ACCEPT;

The code and comment are very clear. So it is not the kernel's responsibility, at least from RR's point of view. We added filtering shortly afterwards.

But as normal users, we really want a NAT server which can work out of the box as expected from a user's point of view. That said, if any packet is bad (in our case, orphaned SYN-ACK and FIN packets going out without getting a chance to set up conntrack), it's better to drop it in the kernel by default.

Is there any possibility to change this default behavior? Any comments on this are appreciated.

Thanks,
Xiaozhou
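The filtering the poster describes, written out as an added nftables example (not from the original mail): packets that conntrack could not attach an entry to match "ct state invalid", and the forward hook runs before the postrouting NAT hook, so dropping them there keeps them away from the SNAT rule. Table and chain names and the interfaces eth0/eth1 are assumptions for illustration.

```nft
# Added example, not part of the original post. Interface names and
# table/chain names are assumed; adjust them to the real setup.
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # A packet with no conntrack entry (the ct == NULL case in
        # nf_nat_core.c) would be passed through SNAT unchanged, so drop
        # it here; the forward hook is evaluated before postrouting.
        ct state invalid counter drop

        # Replies and related packets of flows conntrack already knows.
        ct state established,related accept

        # New flows leaving the inside network toward the outside.
        iifname "eth1" oifname "eth0" ct state new accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Same guard for locally generated traffic that would hit SNAT.
        ct state invalid counter drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Only packets that survived the filter chains reach this rule.
        oifname "eth0" masquerade
    }
}
```

The "counter" on the drop rules makes "nft list ruleset" show how many untracked packets were caught, which is a quick way to confirm the orphaned SYN-ACK/FIN traffic is being stopped.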