Hello,
lukas@xxxxxxxxxxx wrote:
[...]
Exactly. I can see only FIN packets which are not translated. After
looking into conntrack table, I think MASQ ignores FIN packets that are
missing in conntrack table (Is it INVALID or NEW state?).
[...]
I test it also on kernel 2.4.32-6 and it's bad too.
Are you sure? I'm surprised. Where did you get this kernel from?
I just tested on a custom kernel 2.4.32 built from kernel.org sources
(almost standard, just a few Netfilter patch-o-matic add-ons). And my
conclusion is that unexpected TCP FIN or RST packets are classified NEW
by the connection tracking, thus creating an entry in the conntrack/NAT
table /proc/net/ip_conntrack. However, unexpected ICMP packets such as
Echo Reply or Destination Unreachable are classified INVALID.
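As an added example (not part of this thread and not written by either poster), the classification described above can be turned into filtering rules with standard iptables state matching: packets conntrack marks INVALID (the unexpected ICMP case) are dropped outright, and TCP packets that are NEW but carry no SYN (the stray FIN/RST case that would otherwise create a conntrack entry) are dropped explicitly, since the INVALID rule alone would not catch them on a 2.4 kernel. The `IPT` variable and the function names are assumptions made for illustration; running with `IPT=echo` only prints the commands, so the block can be previewed without root.

```shell
#!/bin/sh
# Added example: iptables rules acting on the conntrack classification
# discussed in the thread. IPT and the function names are assumptions.
# Set IPT=echo to preview the commands without touching the firewall.
IPT="${IPT:-iptables}"

harden_forward() {
    # Packets conntrack cannot associate with any flow (for example an
    # unsolicited ICMP Echo Reply or Destination Unreachable) are INVALID.
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    # An unexpected TCP FIN or RST is classified NEW on 2.4, so the
    # INVALID rule misses it. Require that a NEW TCP flow begins with a
    # SYN; a non-SYN NEW packet is dropped here, so its conntrack entry
    # is never confirmed and MASQUERADE in POSTROUTING never sees it.
    "$IPT" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    # Legitimate traffic: established/related flows and proper new SYNs.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -p tcp --syn -m state --state NEW -j ACCEPT
}

# preview_rules prints the commands harden_forward would run, using echo
# in a subshell so the real IPT value is left untouched.
preview_rules() {
    ( IPT=echo; harden_forward )
}

# count_drop_rules returns how many DROP rules the preview contains.
count_drop_rules() {
    preview_rules | grep -c -- '-j DROP'
}

# count_nonsyn_new_rules returns how many rules target NEW-but-not-SYN TCP.
count_nonsyn_new_rules() {
    preview_rules | grep -c -- '! --syn -m state --state NEW'
}
```

Preview with `IPT=echo sh thisfile.sh` style invocation of `preview_rules`; apply for real by calling `harden_forward` as root once the FORWARD chain policy and interface rules are in place.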