On Mon, Dec 20, 2004 at 07:02:04PM +0100, Gerhard Lorbeer wrote:
> Hi,
> We are using and supporting Suse/Novell-Linux.
> Recently we had built firewalls for a customer-installation with nat.
> We wondered about many drops and found the reason.
>
> It is a bug (feature?) in iptables, known already in previous, see:
> http://www.mail-archive.com/cooker@xxxxxxxxxxxxxxxxxx/msg130593.html

Most likely Novell/SuSE compiled iptables against header files of a different kernel than the kernel they ship in their distribution.

> iptables-nat is not working with INVALID packets. Maybe it's a
> Suse-Problem. I've informed Suse/Novell about this.

Feel free to tell them to contact me directly.

I'm Cc'ing the netfilter user list, since there might be others who are interested in this issue.

> Friendly
> Dr.-Ing. Gerhard Lorbeer
> Dr.Lorbeer EDV-Service GmbH
> Voetsdyck 8
> D-47638 Straelen

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie