On Fri, 2003-09-19 at 17:28, Nigel Metheringham wrote:
> Having looked closer at this I find there is an ICMP dest unreach packet
> emitted from my box back to the originator. However inside the packet
> the SNAT has been undone, but the DNAT is still in place.
>
> Any ideas how I can fix this...?
> This is all on a 2.4.21 kernel.

Gah, I hoped we had fixed all these problems. Getting all the corner cases right isn't as easy as one thinks when we perform multiple translations.

I've looked at the code responsible for the rewriting of the inner IP header and it looks OK to me. Are the NAT rules on the machine that has the tunnel? If they are, that might explain a thing or two, since the code looks correct for the case where the packets pass through and another machine down the pipe sends the ICMP message back.

-- 
/Martin