On Wed, 2009-10-07 at 12:26 +0200, Jozsef Kadlecsik wrote:

> As I wrote at netfilter-devel around May this year,
>
> - According to the terminology of RFC 3489, netfilter implements port
>   restricted cone NAT. If the --random flag is specified to the
>   SNAT/MASQUERADE/... targets, it's better described as a symmetric NAT.

Hmm, seems I got it completely wrong, sorry about that.

    use IO::Socket;

    my $HOSTNAME = "www.leo.org";
    my $PORT1    = "33333";
    my $PORT2    = "44444";

    # One UDP socket bound to local port 22222, used for both destinations
    my $handle = IO::Socket::INET->new(Proto => 'udp', LocalPort => 22222);

    my $ipaddr    = inet_aton($HOSTNAME);
    my $portaddr1 = sockaddr_in($PORT1, $ipaddr);
    my $portaddr2 = sockaddr_in($PORT2, $ipaddr);

    # Same source port, two different destination ports
    send($handle, "test", 0, $portaddr1);
    send($handle, "test", 0, $portaddr2);

results in the following two conntrack entries (port restricted) =>

    udp 17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=33333 dport=22222 packets=0 bytes=0 mark=0 use=1
    udp 17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=44444 dport=22222 packets=0 bytes=0 mark=0 use=1

And in the following with --random (symmetric) =>

    udp 17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=44444 dport=3407 packets=0 bytes=0 mark=0 use=1
    udp 17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=33333 dport=6327 packets=0 bytes=0 mark=0 use=1
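The two tables above differ in exactly one field: the reply-direction dport (the external port the peer answers to) is 22222 for both destinations without --random, but a fresh port per destination with it. The script below, added here and not part of the thread, parses conntrack lines in the format quoted above and reports whether a given internal socket got one external mapping for all destinations (endpoint-independent, the cone family of RFC 3489) or a different one per destination (symmetric). It assumes the /proc/net/ip_conntrack layout shown in the post; the sample lines are the post's own tables with the <INTERNAL>/<EXTERNAL> placeholders kept as-is. Note that conntrack alone cannot tell full cone from (port-)restricted cone, since that is a filtering question, not a mapping one.

```python
import re
from collections import defaultdict

# Constructed sample input: the two conntrack tables quoted in the post.
CONE_TABLE = [
    "udp 17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=33333 dport=22222 packets=0 bytes=0 mark=0 use=1",
    "udp 17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=44444 dport=22222 packets=0 bytes=0 mark=0 use=1",
]
RANDOM_TABLE = [
    "udp 17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=44444 dport=3407 packets=0 bytes=0 mark=0 use=1",
    "udp 17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL> sport=33333 dport=6327 packets=0 bytes=0 mark=0 use=1",
]

TUPLE_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into its original and reply 4-tuples."""
    pairs = TUPLE_RE.findall(line)
    if len(pairs) != 8:
        raise ValueError("expected two src/dst/sport/dport groups in: %r" % line)
    # First group is the original direction, second group is the reply direction.
    return dict(pairs[:4]), dict(pairs[4:])


def classify_mappings(lines):
    """Map each (internal ip, internal port) to 'endpoint-independent',
    'symmetric' or 'undetermined' (only one destination seen, so no verdict)."""
    externals = defaultdict(set)     # internal socket -> external (ip, port) pairs
    destinations = defaultdict(set)  # internal socket -> destinations contacted
    for line in lines:
        orig, reply = parse_entry(line)
        sock = (orig["src"], orig["sport"])
        destinations[sock].add((orig["dst"], orig["dport"]))
        # The peer sends replies to reply dst:dport, i.e. the NATed address.
        externals[sock].add((reply["dst"], reply["dport"]))
    verdict = {}
    for sock in externals:
        if len(externals[sock]) > 1:
            verdict[sock] = "symmetric"            # mapping depends on destination
        elif len(destinations[sock]) > 1:
            verdict[sock] = "endpoint-independent"  # one mapping reused for all
        else:
            verdict[sock] = "undetermined"
    return verdict


if __name__ == "__main__":
    print(classify_mappings(CONE_TABLE))
    print(classify_mappings(RANDOM_TABLE))
```

On a live box, feed it the lines of /proc/net/ip_conntrack (or `conntrack -L` output in the same layout) while one internal UDP socket talks to two or more destinations, as the Perl script above does.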