Re: VoIP conntrack issue

On Thursday 2012-11-15 01:15, Jörn Krebs wrote:

>Hi,
>
>I think you don't get the point.

I really think I don't. Which means your description was too convoluted.

>I WANT A SYMMETRIC NAT!!!! -> Why doesn't anybody understand that?
>I mean I am on the netfilter list. Everyone here should know what I
>mean with the term symmetric NAT

NF does not use these terms, so no. WP also warns about the problems
with the term in http://en.wikipedia.org/wiki/Symmetric_NAT .

Fact is outgoing streams don't magically add mappings for incoming ones, 
unless you use a nf_conntrack_* module that explicitly does it.

There's no nf_conntrack_stun, so if your STUN exchange with
216.x.y.z:3478 causes a non-participant, 134.76.13.21, to suddenly
start sending packets to 114.x.y.z:44608, it's only logical all signs
show a red warning light "unsolicited connection attempt".

>I more and more got the impression, that you are developing in your
>own little world, and not the world where we have different types of
>NAT.

We don't even think "types of NAT". We think in absolute
{a:b, c:d} tuples.

Symmetric relation  x R y => y R x  makes everybody's heads hurt,
because it is not obvious if x is {ip,port} or {ip,port,ip,port}
or just {port,port}.


Dammit, I wasted too much time on this.
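
An added illustration, not part of the original message and not netfilter code: a toy Python model of the full-tuple matching the reply describes, where an outgoing flow only admits packets that match its exact reply tuple, and only an explicit expectation (the job of a helper module) admits anyone else. The addresses are constructed documentation-range stand-ins for the elided ones in the thread, and the `Conntrack` class and its methods are hypothetical simplifications.

```python
from collections import namedtuple

# Simplified model of connection tracking for illustration; not kernel code.
Tuple = namedtuple("Tuple", "proto src sport dst dport")

class Conntrack:
    def __init__(self):
        self.entries = {}        # tuple in either direction -> original tuple
        self.expectations = []   # (proto, src, dst, dport) added by a helper

    def outgoing(self, pkt, snat_to=None):
        """Track a new outgoing flow; snat_to is (ip, port) after source NAT."""
        src, sport = snat_to or (pkt.src, pkt.sport)
        reply = Tuple(pkt.proto, pkt.dst, pkt.dport, src, sport)
        self.entries[pkt] = pkt
        self.entries[reply] = pkt   # only this exact reply tuple is admitted
        return reply

    def expect(self, proto, src, dst, dport):
        """What a protocol helper does: pre-authorise one related flow."""
        self.expectations.append((proto, src, dst, dport))

    def classify(self, pkt):
        """Return the state an incoming packet would get in this model."""
        if pkt in self.entries:
            return "ESTABLISHED"
        if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.expectations:
            return "RELATED"
        return "NEW"   # unsolicited unless a rule explicitly accepts it

# Constructed sample endpoints (documentation address ranges).
CLIENT = ("192.168.1.10", 5060)   # host behind the NAT
PUBLIC = ("203.0.113.10", 44608)  # mapping chosen by source NAT
STUN = ("198.51.100.5", 3478)     # the server the client actually contacted
THIRD = ("192.0.2.21", 5060)      # non-participant in that exchange

def demo():
    ct = Conntrack()
    ct.outgoing(Tuple("udp", *CLIENT, *STUN), snat_to=PUBLIC)
    from_stun = Tuple("udp", *STUN, *PUBLIC)
    from_third = Tuple("udp", *THIRD, *PUBLIC)
    before = (ct.classify(from_stun), ct.classify(from_third))
    ct.expect("udp", THIRD[0], *PUBLIC)   # explicit mapping, as a helper would add
    return before, ct.classify(from_third)

if __name__ == "__main__":
    print(demo())
```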