On Sat, 30 May 2009, Saatvik Agarwal wrote:

> Now I am confused. The behavior I am seeing is that despite the timing being
> correct, simultaneous open does not function as intended:
>
> A's SYN reaches B's NAT *after* B's SYN has left B's NAT and the same is
> true of B - B's SYN reaches A's NAT *after* A's SYN has left A's NAT. This
> is the correct case for simultaneous open. What I was originally saying was
> that this does not work if one does iptables SNAT without DNAT (of course,
> with a full-cone NAT it works; you don't even have to do a simultaneous
> open).

Yes, because netfilter/conntrack currently does not support TCP simultaneous
open. It's on the way.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
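Added example, not part of the thread and not netfilter code: a small Python model of the exchange the poster describes. Both hosts send their SYN at t=0, so each SYN arrives at the remote NAT after the remote host's own SYN has left, which is the simultaneous-open case. The NAT behaviour is a deliberate simplification: "full_cone" forwards anything that reaches a mapped port; "restricted" forwards only packets from the peer the flow was opened to (a plain per-flow SNAT), and a crossing_syn_ok flag stands in for whether the tracker behind that SNAT accepts a bare SYN arriving on a flow that has so far only seen its own outbound SYN. That flag is an assumption used to reproduce the symptom Jozsef confirms, not a description of conntrack's code. The addresses, ports, ISNs and the out-of-band knowledge of the peer's mapped port (40000) are constructed for the example.

```python
"""Event-driven model of TCP simultaneous open through two source NATs.
Added example for the thread above, not netfilter code: endpoint and NAT
behaviour are simplified assumptions; addresses, ports and ISNs are made up."""
import heapq
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: tuple  # (ip, port)
    dst: tuple
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ackno: int = 0


class Endpoint:
    """Only the RFC 793 states a simultaneous open goes through."""
    def __init__(self, addr, isn):
        self.addr, self.isn, self.state = addr, isn, "CLOSED"

    def connect(self, peer):
        self.state = "SYN_SENT"
        return Pkt(self.addr, peer, syn=True, seq=self.isn)

    def receive(self, p):
        """Apply one segment; return the segment to send back, or None."""
        if self.state == "SYN_SENT" and p.syn and not p.ack:
            # Our SYN crossed the peer's SYN: answer it with SYN+ACK.
            self.state = "SYN_RECEIVED"
            return Pkt(self.addr, p.src, syn=True, ack=True, seq=self.isn, ackno=p.seq + 1)
        if self.state == "SYN_RECEIVED" and p.ack and p.ackno == self.isn + 1:
            self.state = "ESTABLISHED"  # the peer's SYN+ACK acknowledges our SYN
        return None


class Nat:
    """Source NAT with one mapping per outbound flow.  full_cone forwards
    anything that reaches a mapped port; restricted forwards only packets from
    the peer the flow was opened to (plain per-flow SNAT).  crossing_syn_ok is
    an assumption modelling the symptom in the reply: a flow that has only seen
    its own outbound SYN is in SYN_SENT, and when the flag is False a bare SYN
    arriving for that flow is dropped instead of being translated back."""
    def __init__(self, ext_ip, mode, crossing_syn_ok=True):
        self.ext_ip, self.mode, self.crossing_syn_ok = ext_ip, mode, crossing_syn_ok
        self.flows = {}  # (internal src, peer) -> {"ext_port", "state"}
        self.next_port, self.dropped = 40000, []

    def outbound(self, p):
        key = (p.src, p.dst)
        if key not in self.flows:
            self.flows[key] = {"ext_port": self.next_port, "state": "SYN_SENT"}
            self.next_port += 1
        return replace(p, src=(self.ext_ip, self.flows[key]["ext_port"]))

    def inbound(self, p):
        """Translate a packet arriving from outside, or drop it (None)."""
        for (int_src, peer), flow in self.flows.items():
            if flow["ext_port"] != p.dst[1]:
                continue
            if self.mode == "restricted" and (p.src != peer or (
                    flow["state"] == "SYN_SENT" and p.syn and not p.ack
                    and not self.crossing_syn_ok)):
                break
            flow["state"] = "REPLY_SEEN"
            return replace(p, dst=int_src)
        self.dropped.append(p)
        return None


def simulate(mode, crossing_syn_ok=True, delay=10):
    """Both hosts connect at t=0 to the peer NAT's mapped port (40000, assumed
    learned out of band), so each SYN reaches the remote NAT only after the
    remote SYN has left.  Returns the final states and the NAT drop count."""
    host = {"A": Endpoint(("10.0.0.2", 5000), isn=1000),
            "B": Endpoint(("10.0.1.2", 6000), isn=2000)}
    nat = {"A": Nat("203.0.113.1", mode, crossing_syn_ok),
           "B": Nat("198.51.100.1", mode, crossing_syn_ok)}
    wire, seq = [], 0  # heap of (arrival time, tie-break, packet on the wire)

    def send(side, p, now):
        nonlocal seq
        heapq.heappush(wire, (now + delay, seq, nat[side].outbound(p)))
        seq += 1

    send("A", host["A"].connect((nat["B"].ext_ip, 40000)), 0)
    send("B", host["B"].connect((nat["A"].ext_ip, 40000)), 0)
    while wire:
        now, _, p = heapq.heappop(wire)
        side = "A" if p.dst[0] == nat["A"].ext_ip else "B"
        inner = nat[side].inbound(p)
        if inner is not None:
            reply = host[side].receive(inner)
            if reply is not None:
                send(side, reply, now)
    # SYN retransmissions are not modelled; they would hit the same NAT rule.
    return {"A": host["A"].state, "B": host["B"].state,
            "dropped": len(nat["A"].dropped) + len(nat["B"].dropped)}
```

Calling simulate("full_cone") or simulate("restricted", crossing_syn_ok=True) ends with both endpoints in ESTABLISHED after the four segments of a simultaneous open (SYN, SYN, SYN+ACK, SYN+ACK) and nothing dropped. simulate("restricted", crossing_syn_ok=False) drops both crossing SYNs at the NATs and leaves both hosts stuck in SYN_SENT, which is the behaviour the poster reports for SNAT without DNAT; retransmitted SYNs are not modelled because they would be judged by the same rule.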