On Friday 2008-05-09 18:34, Andrea Ranieri wrote:

>On 5/9/08, Grant Taylor wrote:
>
>> This really makes me believe that you are dealing with what connection
>> tracking thinks is an ongoing existing established flow / connection.
>> Remember that the NAT table only sees the first packet of a connection.
>> So if you are altering your NAT table after a connection is
>> established it will not make any difference to the existing connection.
>> This is further exemplified by you testing .3-.5 and seeing them start
>> to change and then continue doing what they were when you flush your NAT
>> table. I think you will find that if you stop your connections, wait a
>> few minutes, and then start them back up they will behave as expected.
>
>Yes, that sounds like a good explanation of this phenomenon.
>However this behavior is not what I want/expect from netfilter. I'm
>looking for a simple, straight-forward, connectionless 1-to-1 IP NAT.
>And, of course, I'm looking for something that can be enabled/disabled
>without waiting minutes!

On a global scale you can set
/proc/sys/net/netfilter/nf_conntrack_generic_timeout. There has been a
module (or a group of them) called TIMEOUT or actually CONNTRACK by Phil
Oester and Pablo Neira Ayuso with which you can set the ct timeout per
connection. That's one way. Another is to use the RAWNAT target. But tc is
an obscure thing.
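The behaviour Grant describes (NAT decision taken on the first packet, then cached in the conntrack entry until it times out) versus a stateless RAWNAT-style rewrite, as a small added model written for this page rather than anything from netfilter or the thread; the addresses, the 600 s timeout and the one-rule DNAT table are constructed values:

```python
"""Toy model of stateful vs stateless NAT as discussed in the thread.
Constructed example, not netfilter code: the NAT 'table' is a dict,
the conntrack timeout plays the role of nf_conntrack_generic_timeout."""
from dataclasses import dataclass, field


@dataclass
class ConntrackNat:
    """Stateful NAT: the rule table is consulted only for a flow's first packet."""
    rules: dict          # dst -> translated dst (minimal DNAT table)
    timeout: float       # seconds an idle entry survives, like nf_conntrack_generic_timeout
    entries: dict = field(default_factory=dict)  # flow -> (mapped_dst, last_seen)

    def translate(self, flow, now):
        src, dst, proto = flow
        entry = self.entries.get(flow)
        if entry is not None and now - entry[1] < self.timeout:
            mapped = entry[0]                  # established: reuse the cached decision
        else:
            mapped = self.rules.get(dst, dst)  # first packet or expired entry: look up the table
        self.entries[flow] = (mapped, now)     # every packet refreshes the entry's timer
        return mapped

    def flush_rules(self):
        """Like flushing the nat table: existing conntrack entries are untouched."""
        self.rules = {}


@dataclass
class StatelessNat:
    """RAWNAT-style mapping: no state, every packet is rewritten independently."""
    rules: dict

    def translate(self, flow, now):
        return self.rules.get(flow[1], flow[1])


def demo():
    rules = {"192.0.2.3": "198.51.100.3"}           # constructed DNAT rule
    ct = ConntrackNat(rules=dict(rules), timeout=600)
    raw = StatelessNat(rules=dict(rules))
    flow = ("10.0.0.1", "192.0.2.3", "udp")
    before = (ct.translate(flow, 0), raw.translate(flow, 0))
    ct.flush_rules()
    raw.rules = {}
    after_flush = (ct.translate(flow, 1), raw.translate(flow, 1))   # stateful keeps old mapping
    new_flow = ct.translate(("10.0.0.2", "192.0.2.3", "udp"), 1)    # fresh flow sees flushed table
    expired = ct.translate(flow, 1 + 600)   # idle past the timeout: table consulted again
    return before, after_flush, new_flow, expired
```

Lowering `timeout` is what the sysctl and the per-connection timeout module mentioned above buy you; the stateless mapper needs no wait at all.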