> > Unlike SNAT, isn't the MASQUERADE target supposed to delete obsolete
> > masqueraded conntrack entries when the related interface goes down - or maybe
> > when it goes up again with a different address ?

You are right..

	if (event == NETDEV_DOWN) {
		/* Device was downed.  Search entire table for
		   conntracks which were associated with that device,
		   and forget them. */
		IP_NF_ASSERT(dev->ifindex != 0);

		ip_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
	}

> > > How can I force iptables to use ppp0's real IP address as sender IP in
> > > outgoing packets?
> >
> > Flush the conntrack table when ppp0 has gone up (yes, up)
>
> Why not when ppp0 has gone down ?

Er, whenever the status changes (both up and down).

Jan Engelhardt
--
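The hook the thread converges on (purge conntrack state on both ppp0 transitions, not only on down), written out as an added example that is not part of the original message and not Jan's or the kernel's code. It assumes pppd's hook calling convention (`<ifname> <tty> <speed> <local-ip> <remote-ip> <ipparam>`), the `conntrack(8)` tool from conntrack-tools, and a writable state directory (`PPP_STATE_DIR`, default `/run`) used to remember the last address per interface; the file name `ppp-last-ip.<ifname>` is an invented convention. Rather than `conntrack -F`, which also drops flows unrelated to the link, it deletes only entries whose reply destination (`-q`, the masqueraded address) or original source (`-s`, flows the router opened itself) is the address that just became invalid.

```shell
#!/bin/sh
# Added example, not code from the original thread. Install this one script as
# both /etc/ppp/ip-up and /etc/ppp/ip-down (symlink); $0 selects the action.
# Assumptions: pppd hook arguments <ifname> <tty> <speed> <local-ip> <remote-ip>
# <ipparam>, conntrack(8) available, PPP_STATE_DIR writable.

PPP_STATE_DIR=${PPP_STATE_DIR:-/run}

# Print the conntrack commands that remove every entry still tied to address
# $2 on interface $1, one per line. Prints nothing for a non-ppp interface or
# an empty address (first dial-up: nothing can be stale yet).
conntrack_purge_cmds() {
    ifname=$1 old_ip=$2
    case "$ifname" in ppp*) ;; *) return 0 ;; esac
    [ -n "$old_ip" ] || return 0
    printf 'conntrack -D -q %s\n' "$old_ip"   # masqueraded LAN flows
    printf 'conntrack -D -s %s\n' "$old_ip"   # flows the router itself opened
}

# Address remembered for interface $1, or the empty string.
last_ip() {
    f=$PPP_STATE_DIR/ppp-last-ip.$1
    [ -r "$f" ] && cat "$f"
    return 0
}

# Plan for one transition: $1 = ip-up|ip-down, $2 = interface, $3 = local IP.
# ip-up:   purge entries for the previously recorded address if it differs
#          (covers a redial that got a new address without ip-down running),
#          then record the new one.
# ip-down: purge entries for the address being torn down and forget it.
# Only prints commands, so the plan can be inspected without touching the kernel.
hook_plan() {
    action=$1 ifname=$2 ip=$3
    f=$PPP_STATE_DIR/ppp-last-ip.$ifname
    case "$action" in
        ip-up)
            old=$(last_ip "$ifname")
            [ "$old" != "$ip" ] && conntrack_purge_cmds "$ifname" "$old"
            printf '%s\n' "$ip" > "$f"
            ;;
        ip-down)
            conntrack_purge_cmds "$ifname" "$ip"
            rm -f "$f"
            ;;
    esac
}

# When pppd runs us as ip-up or ip-down, execute the plan. A "conntrack -D"
# that matches no entries is harmless, so its exit status is ignored.
case "${0##*/}" in
    ip-up|ip-down)
        hook_plan "${0##*/}" "$1" "$4" | while read -r cmd; do
            $cmd || true
        done
        ;;
esac
```

Because both hooks run the same purge, a connection that keeps the same address across a quick redial loses nothing on ip-up (the remembered address matches), while a changed address is cleaned on ip-up even if ip-down never fired.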