This is a development question, please move this discussion to netfilter-devel. At least if you want to receive some reasonable answers ;)

On Thu, Sep 25, 2003 at 11:26:20AM +0200, n_dahlem@xxxxxxx wrote:
> /proc/net/ip_conntrack lists both connections (answer&reply) as unreplied.
> Can someone explain to me why the reply is seen as a new connection ? And
> how I can get NAT to expect answers from randomly selected high ports ?

This sounds like the connection is not symmetric. The conntrack core assumes that connections are always symmetric:

request: (srcip x, srcport a) -> (dstip y, dstport b)
reply:   (srcip y, srcport b) -> (dstip x, dstport a)

If this is not the case, you are in serious trouble.

> regards
> Nikolai Dahlem

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
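The symmetry assumption described in the reply above, as an added toy model that is not part of the original thread or of the netfilter code: a tuple table that indexes each connection by its original and its inverted (reply) tuple, so a reply sent from a different source port matches nothing and is recorded as a second [UNREPLIED] entry, which is exactly what the questioner saw. Addresses and ports are constructed sample values.

```python
# Added example, not from the original thread: a toy model of the conntrack
# lookup showing why an asymmetric reply is listed as a second [UNREPLIED]
# entry. IPs and ports are constructed sample values.

def invert(t):
    """Reply tuple the core expects: (srcip y, srcport b) -> (dstip x, dstport a)."""
    src_ip, src_port, dst_ip, dst_port = t
    return (dst_ip, dst_port, src_ip, src_port)

class ConntrackTable:
    def __init__(self):
        self.entries = []   # one dict per connection, in creation order
        self.index = {}     # tuple -> entry, for both directions

    def packet(self, t):
        """Classify a packet by its tuple (src_ip, src_port, dst_ip, dst_port)."""
        entry = self.index.get(t)
        if entry is None:
            # Matches neither direction of any entry: a new connection, kept
            # UNREPLIED until a packet matching its reply tuple is seen.
            entry = {"orig": t, "replied": False}
            self.entries.append(entry)
            self.index[t] = entry
            self.index[invert(t)] = entry
            return "new"
        if t == invert(entry["orig"]):
            entry["replied"] = True
        return "established"

    def dump(self):
        """Rough equivalent of the /proc/net/ip_conntrack listing."""
        lines = []
        for e in self.entries:
            s, sp, d, dp = e["orig"]
            flag = "" if e["replied"] else " [UNREPLIED]"
            lines.append(f"src={s} sport={sp} dst={d} dport={dp}{flag}")
        return lines

def run(reply_port):
    """Request from 10.0.0.2:40000 to 192.0.2.10:1234, reply from reply_port."""
    ct = ConntrackTable()
    ct.packet(("10.0.0.2", 40000, "192.0.2.10", 1234))
    ct.packet(("192.0.2.10", reply_port, "10.0.0.2", 40000))
    return ct.dump()

if __name__ == "__main__":
    print("symmetric reply: ", run(1234))    # one entry, replied
    print("asymmetric reply:", run(55555))   # two entries, both [UNREPLIED]
```

Running it with the reply coming back from port 1234 yields a single established entry; with a random high port it yields two unreplied entries, and no NAT mapping can be applied to the second because nothing links it to the first.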