Florian Westphal <fw@xxxxxxxxx> writes:

> Here is a better patch, renew only when responses are seen.
> This means that once either initiator or responder ceases to send
> packets, the entry will time out.

It is common to syslog using UDP without having a response.

It seems like this will allocate a new NAT entry every so often, changing the source port of any SNATted syslog. This in turn will mean extra sessions on any other firewalls the traffic might go through.