Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > This is how it is implemented today and it works, but it does not
> > handle process restarts, for example, or is not resilient to errors.
> > The implementation is also much more complex because we need to
> > implement all the possible edge cases that can leave stale entries
>
> It should also be possible to shrink timeouts on restart via conntrack -U,
> which would be similar to the approach that Florian is proposing, but from
> the control plane rather than updating the existing UDP timeout policy.

The time and effort needed to make something as basic as NAT work properly is just silly. Let's fix conntrack so this "just works".