On Thu, Aug 31, 2023 at 11:53 AM Jan Engelhardt <jengelh@xxxxxxx> wrote: > On Thursday 2023-08-31 11:40, Ian Kumlien wrote: > >> > type filter hook forward priority 0 > >> > ct state invalid counter drop # <- this one > >> > > >> >It just seems odd to me that traffic can go through without being NAT:ed > >> > >> MASQ requires connection tracking; if tracking is disabled for a connection, > >> addresses cannot be changed. > > > >I don't disable connection tracking - this is most likely a expired > >session that is reused and IMHO it should just be added > > "invalid" is not just invalid but also untracked (or untrackable) > CTs, and icmpv6-NDISC is not tracked for example (icmpv6-PING is). This was normal udp and tcp traffic... > Expired (forgotten) CTs are automatically recreated in the middle by default, > one needs extra rules to change the behavior (e.g. `tcp syn` test when > ctstate==NEW). I can do more debugging about the traffic that goes haywire, I have all the logs at home. But with: nf_conntrack_tcp_loose - BOOLEAN 0 - disabled not 0 - enabled (default) If it is set to zero, we disable picking up already established connections. Which is the default value: cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose 1 IMHO iI shouldn't have to fudge things to make conntrack pick things up again.
