> However, I've tried to get it to work and must be missing something subtle.
>
> More diagnostics on this approach not working out: if I watch the conntrack event log with
>
>     conntrack -E -p udp
>
> the iptables -t nat... method logs this:
>
>     [NEW] udp 17 30 src=10.0.1.7 dst=10.0.1.8 sport=5000 dport=5001 [UNREPLIED] src=10.0.1.7 dst=10.0.1.8 sport=5003 dport=5002
>
> But the conntrack -I ... method logs this:
>
>     [UPDATE] udp 17 120 src=10.0.1.7 dst=10.0.1.8 sport=5000 dport=5001 [UNREPLIED] src=10.0.1.7 dst=10.0.1.8 sport=5003 dport=5002 mark=0
>
> (Note that I double-checked that there were no previously existing udp entries in the table, so I can't explain the update vs. new.)
>
> -g

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
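As an added example (not part of the thread and not netfilter project code), here is a small Python parser for `conntrack -E` event lines of the kind quoted above. It splits each line into event type, protocol, timeout, the original and reply tuples, flags such as UNREPLIED, and the mark, so the two entries can be compared field by field, and it flags entries whose reply tuple is not simply the inverted original, i.e. entries that carry a NAT mapping. The two sample lines are the ones from the message; the function names, the optional TCP-state handling and the extra sample lines are my own constructions.

```python
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample input: the two conntrack -E lines quoted in the message above,
# one from each method the poster compared.
SAMPLE_EVENTS = [
    "[NEW] udp 17 30 src=10.0.1.7 dst=10.0.1.8 sport=5000 dport=5001 "
    "[UNREPLIED] src=10.0.1.7 dst=10.0.1.8 sport=5003 dport=5002",
    "[UPDATE] udp 17 120 src=10.0.1.7 dst=10.0.1.8 sport=5000 dport=5001 "
    "[UNREPLIED] src=10.0.1.7 dst=10.0.1.8 sport=5003 dport=5002 mark=0",
]

# "[EVENT] proto protonum timeout <rest>" is the fixed prefix of every event line.
_HEADER = re.compile(
    r"^\[(?P<event>[A-Z]+)\]\s+(?P<proto>\w+)\s+(?P<num>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int

    def inverted(self) -> "Tuple4":
        """The tuple a plain (un-NATed) reply would carry: endpoints swapped."""
        return Tuple4(self.dst, self.src, self.dport, self.sport)


@dataclass
class ConntrackEvent:
    event: str            # NEW, UPDATE, DESTROY
    proto: str            # udp, tcp, ...
    proto_num: int        # 17, 6, ...
    timeout: int          # seconds left before the entry expires
    state: Optional[str]  # TCP state such as SYN_SENT; None for udp
    original: Tuple4
    reply: Tuple4
    flags: List[str]      # e.g. ["UNREPLIED"], ["ASSURED"]
    mark: Optional[int]   # None when no mark= field was printed

    def is_natted(self) -> bool:
        """True when the reply tuple is not just the original with endpoints
        swapped, i.e. a NAT mapping is recorded on this entry."""
        return self.reply != self.original.inverted()


def _build_tuple(fields: dict) -> Tuple4:
    try:
        return Tuple4(fields["src"], fields["dst"], int(fields["sport"]), int(fields["dport"]))
    except KeyError as exc:
        raise ValueError(f"tuple is missing field {exc.args[0]}") from None


def parse_event(line: str) -> ConntrackEvent:
    """Parse one conntrack -E line; raises ValueError on anything malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a conntrack event line: {line!r}")
    tokens = m.group("rest").split()
    state = None
    # A bare word before the first key=value is a protocol state (TCP only).
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        state = tokens.pop(0)
    tuples: List[dict] = []
    flags: List[str] = []
    mark = None
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {tok!r}")
        if key == "src":
            tuples.append({})  # each src= opens the next (original, then reply) tuple
        if key in ("src", "dst", "sport", "dport"):
            if not tuples:
                raise ValueError(f"{key}= appears before any src=")
            tuples[-1][key] = value
        elif key == "mark":
            mark = int(value)
        # other counters (packets=, bytes=, zone=, use=) are not needed here
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples, found {len(tuples)}")
    return ConntrackEvent(
        event=m.group("event"), proto=m.group("proto"), proto_num=int(m.group("num")),
        timeout=int(m.group("timeout")), state=state,
        original=_build_tuple(tuples[0]), reply=_build_tuple(tuples[1]),
        flags=flags, mark=mark,
    )


def diff_events(a: ConntrackEvent, b: ConntrackEvent) -> dict:
    """Fields on which two parsed events disagree, as {field: (a_value, b_value)}."""
    da, db = asdict(a), asdict(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


if __name__ == "__main__":
    nat_ev, ct_ev = (parse_event(line) for line in SAMPLE_EVENTS)
    for name, ev in (("iptables -t nat", nat_ev), ("conntrack -I", ct_ev)):
        print(f"{name}: {ev.event} timeout={ev.timeout}s natted={ev.is_natted()} mark={ev.mark}")
    print("differences:", diff_events(nat_ev, ct_ev))
```

Run against the two quoted lines, the diff shows exactly the three fields the poster noticed, the event type, the 30 s versus 120 s timeout and the absent versus zero mark, while the tuples themselves are identical; both entries report a NAT mapping because the reply tuple is not the inverted original.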