On Thursday 2023-08-31 11:40, Ian Kumlien wrote:

>> > type filter hook forward priority 0
>> > ct state invalid counter drop # <- this one
>> >
>> >It just seems odd to me that traffic can go through without being NAT:ed
>>
>> MASQ requires connection tracking; if tracking is disabled for a connection,
>> addresses cannot be changed.
>
>I don't disable connection tracking - this is most likely an expired
>session that is reused and IMHO it should just be added

"invalid" is not just invalid but also untracked (or untrackable) CTs, and
icmpv6-NDISC is not tracked for example (icmpv6-PING is).

Expired (forgotten) CTs are automatically recreated in the middle by
default, one needs extra rules to change the behavior (e.g. `tcp syn` test
when ctstate==NEW).
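As an added illustration (not from this thread, and not Ian's ruleset), here is a forward chain that combines the `ct state invalid` drop quoted above with the "tcp syn when NEW" rule the reply mentions, so that a packet belonging to a forgotten TCP session is dropped instead of being picked up mid-stream and forwarded un-NATed. The table name, interface names and the accept rules are assumptions for the example.

```nft
# Constructed example ruleset; table/interface names are placeholders.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Untracked/untrackable packets: nftables reports these as the
        # separate "untracked" state, but dropping "invalid" is still
        # the usual first rule for a stateful forwarder.
        ct state invalid counter drop

        # Default kernel behaviour: a packet of a conntrack entry that has
        # expired is treated as NEW and a fresh entry is created even if it
        # is a mid-stream ACK ("loose" TCP pickup). Refuse that: a NEW TCP
        # flow must start with a bare SYN.
        ct state new tcp flags & (fin|syn|rst|ack) != syn counter drop

        # Replies and related traffic of tracked flows pass.
        ct state established,related accept

        # New flows only from the inside toward the uplink
        # (interface names are assumptions).
        iifname "lan0" oifname "wan0" ct state new accept
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The same effect can be obtained globally with `sysctl net.netfilter.nf_conntrack_tcp_loose=0`, which stops conntrack from creating entries for mid-stream TCP packets; the per-rule form above lets you count and log what is being refused.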