On Fri, 15 Oct 2021 23:04:48 +0200 Florian Westphal wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > 'track' is hard to implement correctly because of RELATED traffic.
> >
> > E.g. 'tcp dport 22 track' won't work correctly because icmp pmtu
> > won't be handled.
> >
> > I'd suggest to try a conditional nf_ct_reset that keeps the conntrack
> > entry if it's in another zone.
> >
> > I can't think of another solution at the moment, the existing behaviour
> > of resetting conntrack entry for postrouting/output is too old,
> > otherwise the better solution IMO would be to keep that entry around on
> > egress if a NAT rewrite has been done. This would avoid the 'double snat'
> > problem that the 'reset on ingress' tries to solve.
>
> I'm working on this.
>
> Eugene, I think it makes sense if you send a formal revert, a proper
> fix for snat+vrf needs more work.

If this is still the plan, can we get some acks on the revert, please?

https://patchwork.kernel.org/project/netdevbpf/patch/20211018182250.23093-2-crosser@xxxxxxxxxxx/