Re: MASQ leak?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thursday 2023-08-31 11:40, Ian Kumlien wrote:
>> >               type filter hook forward priority 0
>> >                ct state invalid counter drop # <- this one
>> >
>> >It just seems odd to me that traffic can go through without being NAT:ed
>> MASQ requires connection tracking; if tracking is disabled for a connection,
>> addresses cannot be changed.
>I don't disable connection tracking - this is most likely a expired
>session that is reused and IMHO it should just be added

"invalid" is not just invalid but also untracked (or untrackable)
CTs, and icmpv6-NDISC is not tracked for example (icmpv6-PING is).

Expired (forgotten) CTs are automatically recreated in the middle by default,
one needs extra rules to change the behavior (e.g. `tcp syn` test when

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux