I filed a bug for this: https://bugzilla.netfilter.org/show_bug.cgi?id=1115 On 21.01.2017 16:29, Mark Coetser wrote: > I am seeing this across multiple firewalls that have vlan setups for the > external links. > > Thank you, > > Mark Adrian Coetser > mark@xxxxxxxxxxxx > > > > On 21 January 2017 14:52:41 Andre Cunha <anovaescunha@xxxxxxxxx> wrote: > >> I had a similar issue, and in my case I found out that for some reason >> the >> external bridge interface had the MAC address as the internal bridge, and >> this of course was messing with the NAT process. >> >> Regards >> Andre >> >> >> On Sat, Jan 21, 2017 at 1:33 AM, Dennis Jacobfeuerborn < >> dennisml@xxxxxxxxxxxx> wrote: >> >>> Hi, >>> when I do a tcpdump of these packets and then immediately look into the >>> conntrack table I can find no associated entries there suggesting that >>> the entries have indeed been removed right away without any sort of >>> timeout. >>> >>> Regards, >>> Dennis >>> >>> On 20.01.2017 16:23, Llorente Santos Jesus wrote: >>> > Hi, >>> > I wouldn't think that is the problem...as far as I know conntrack sets >>> specific timeouts on the connections to match with the actual conntrack >>> state. >>> > You can see these via >>> > sysctl -a | grep net.netfilter.nf_conntrack_ >>> > >>> > Best, >>> > Jesus >>> > >>> > -----Original Message----- >>> > From: Dennis Jacobfeuerborn [mailto:dennisml@xxxxxxxxxxxx] >>> > Sent: 20 January 2017 12:37 >>> > To: Mark Coetser <mark@xxxxxxxxxxxx>; Llorente Santos Jesus < >>> jesus.llorente.santos@xxxxxxxx>; netfilter@xxxxxxxxxxxxxxx >>> > Subject: Re: intermittent nat issue >>> > >>> > On 20.01.2017 10:47, Mark Coetser wrote: >>> >> Hi Llorente >>> >> >>> >> I did run conntrack -F to check that but still had the unnatted >>> >> packets traversing the interface. >>> >> >>> > >>> > Hi, I'm seeing this as well on our systems. One thing I notice is that >>> all packets either the RST of FIN flag set. Could this be some sort >>> of race >>> condition where Conntrack removes the connection from the table >>> because of >>> the flags and as a result the final packet will not get >>> masqueraded/nat'ed? >>> > >>> > Regards, >>> > Dennis >>> > >>> > N?????r??y???b?X??ǧv?^?){.n?+???z???{ay? ʇڙ?,j ??f???h???z? ?w??? >>> ???j:+v???w?j?m???? ????zZ+?????ݢj"??!tml= >>> > >>> >>> -- >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in >>> the body of a message to majordomo@xxxxxxxxxxxxxxx >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> > -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
