SV: Masquerade and dhcp lease renewal - what happens?


 



> From: Henrik Nordstrom [mailto:hno@xxxxxxxxxxxxxxx]
> Sent: 3 October 2005 20:00
> To: Henning Riis Rasmussen
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Masquerade and dhcp lease renewal - what happens?
> 
> On Mon, 3 Oct 2005, Henning Riis Rasmussen wrote:
> 
> > My ISP (Telia, Sweden) uses a DHCP lease time of 10 minutes leading to
> > constant renewal of the lease.
> >
> > If I use "-j masquerade" instead of "-j snat" I cannot have any
> > long-lived connections (they all die with "new not syn" or "invalid").
> 
> Seems your DHCP server is resetting interface (down/up) on each
> renewal then.
>
> Does "tcpdump -i eth0" survive a renewal? If not you should
> definitely look into using another DHCP client.

Yes, tcpdump does survive and any long-lived connections initiated by the
firewall itself (e.g. a large download) survive too, while the same
download attempted from any client on the LAN dies.

The DHCP client I'm using is the one from isc.org (but I suspect Gentoo
modifies its default behaviour).

> 
> > What is supposed to happen to the masquerade nat entries when a dhcp
> > renewal happens, particularly one that doesn't actually change the IP
> > address to a new one?
> 
> In 2.6.13 the connections are cleared from conntrack if the IP
> address is deleted or if the interface is brought down.

I just upgraded the kernel to 2.6.12.5 but that didn't change anything.

> 
> Regards
> Henrik
> 
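The reply quoted above says connections are cleared from conntrack when the IP address is deleted or the interface is brought down. The following is an added example, not part of the original thread: a small filter over `ip -o monitor address` output that shows whether an address on the external interface is deleted and re-added (as opposed to refreshed in place) around a lease renewal. The interface name `eth0` is taken from the thread; the function names, the output labels and the sample events are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify IPv4 address events per interface.
# Live usage (interface name is an assumption):
#   ip -o monitor address | addr_events eth0

addr_events() {
    # $1 = interface name; stdin = lines from `ip -o monitor address`
    awk -v ifc="$1" '
    {
        # Delete events carry a leading "Deleted" word; all fields shift by one.
        deleted = ($1 == "Deleted")
        off = deleted ? 1 : 0
        # Layout after the optional prefix: "<idx>:" "<ifname>" "inet" "<addr/len>"
        if ($(off + 2) != ifc || $(off + 3) != "inet") next
        addr = $(off + 4)
        if (deleted) {
            gone[addr] = 1
            delete present[addr]
            print "DELETED " addr
        } else if (addr in gone) {
            # Same address came back after a delete: removed and re-added.
            delete gone[addr]
            present[addr] = 1
            print "FLAP " addr
        } else if (addr in present) {
            # Add-type event for an address that never went away.
            print "REFRESH " addr
        } else {
            present[addr] = 1
            print "ADDED " addr
        }
    }'
}

# Constructed sample events (documentation addresses, not from the thread).
sample_events() {
cat <<'EOF'
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 600sec preferred_lft 600sec
Deleted 2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 301sec preferred_lft 301sec
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 600sec preferred_lft 600sec
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 600sec preferred_lft 600sec
EOF
}
```

A `FLAP` line that lines up with the 10-minute renewal interval means the address is being removed and re-added at renewal, which is the condition the quoted reply describes.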


