On Wed, Apr 17, 2019 at 04:02:44PM +0800, Xiaozhou Liu wrote:
> Hi,
>
> We find that our SNAT sometimes forwards un-NATed packets out as-is. This
> behavior confused us for a while until we saw this in
> net/netfilter/nf_nat_core.c:
>
>     ct = nf_ct_get(skb, &ctinfo);
>     /* Can't track? It's not due to stress, or conntrack would
>      * have dropped it. Hence it's the user's responsibilty to
>      * packet filter it out, or implement conntrack/NAT for that
>      * protocol. 8) --RR
>      */
>     if (!ct)
>         return NF_ACCEPT;
>
> The code and comment are very clear. So it is not the kernel's responsibility,
> at least in RR's point of view. We added filtering shortly afterwards.
>
> But as normal users, we really want a NAT server which can work out of the box
> as expected from users' point of view. That said, if any packets are bad (in
> our case, orphaned SYN-ACK and FIN packets going out without getting a chance
> to set up conntrack), it's better to drop them in kernel by default.
>
> Is there any possibility to change this default behavior?

You can just drop invalid traffic via policy.
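A ruleset in the spirit of that reply, added here as an example and not taken from the thread: packets that conntrack could not attach a flow to (the `!ct` case in nf_nat_core.c) are matched by `ct state invalid` and dropped in the forward hook, which runs before the srcnat hook, so they never reach SNAT and never leave un-NATed. The interface names `lan0`/`eth0` and the 192.0.2.0/24 prefix are placeholders.

```nft
# Added example: drop what conntrack could not track before it reaches NAT.
# lan0 = inside interface, eth0 = outside interface, 192.0.2.0/24 = inside
# subnet; all three are placeholders for the real deployment.
table inet snatbox {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # No conntrack entry (e.g. orphaned SYN-ACK or FIN): count and drop.
        # The counter shows how often the kernel would have forwarded these.
        ct state invalid counter drop

        # Replies to tracked flows, and new flows from the inside, may pass.
        ct state established,related accept
        iifname "lan0" ip saddr 192.0.2.0/24 oifname "eth0" ct state new accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Only packets that survived the forward chain above get here.
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f <file>`; `nft list chain inet snatbox forward` then shows the drop counter, which is a convenient way to confirm the orphaned packets described above are being caught rather than forwarded.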