Hi, I'm puzzled trying to understand the following behavior; I'd appreciate it if you can help me understand better how this works.

The setup is like this:

Client --- Router --- Server

- Router DNATs to a Virtual IP and Port of the Server.
- Client establishes a permanent connection to the Virtual IP.
- Router adds a REJECT rule in the FORWARD hook for the Server IP.

I expect the REJECT to match the established connection, but the client keeps reaching the Server using the existing connection. The packets of the established connection do not show up on the traces using nftrace.

Is it possible to "DROP/REJECT" the established connection?

I've created a selftest to reproduce this behavior, please find it attached.
Attachment:
0001-selftests-netfilter-conntrack-does-not-shadow-reject.patch
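The following is an added illustration, not the attached selftest or any netfilter project code, of the setup described in the post and of the two things a practitioner would check before concluding that conntrack shadows the rule. All addresses and ports are constructed for the example (10.0.1.1:80 as the Virtual IP, 10.0.2.10:8080 as the Server). In the forward chain the REJECT rule is placed before the usual `ct state established,related accept` rule, because a reject placed after that accept never sees packets of an already-established flow; and a raw-priority prerouting chain sets `meta nftrace set 1` so that every packet, including those of existing flows, is visible in `nft monitor trace`. The ruleset is generated by a function so that it can be inspected without root; applying it requires `nft` and is skipped otherwise.

```shell
#!/bin/sh
# Constructed addresses for the example setup (not from the original post).
VIP=10.0.1.1      # Virtual IP the client connects to
VPORT=80
SERVER=10.0.2.10  # real server behind the router
SPORT=8080

# Emit the nftables ruleset. Rule order in the forward chain is the point:
# the reject must be evaluated before the established/related accept,
# otherwise packets of an existing connection are accepted and never
# reach the reject rule.
build_ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr $VIP tcp dport $VPORT dnat to $SERVER:$SPORT
    }
}

table inet filter {
    chain trace_all {
        # raw priority runs before conntrack; tracing is enabled per packet,
        # so established-flow packets show up in 'nft monitor trace' too
        type filter hook prerouting priority raw; policy accept;
        meta nftrace set 1
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # after DNAT the destination is already the server address
        ip daddr $SERVER tcp dport $SPORT counter reject with tcp reset
        ct state established,related accept
        ct state invalid drop
    }
}
EOF
}

# Sanity check on the generated text: the reject line must precede the
# established-accept line, else it is dead for existing flows.
reject_precedes_accept() {
    build_ruleset | awk '
        /reject with tcp reset/      { r = NR }
        /ct state established,related accept/ { a = NR }
        END { exit !(r && a && r < a) }'
}

# Apply the ruleset if nft is available and we are root; otherwise just print it.
apply_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        build_ruleset | nft -f -
        echo "ruleset loaded; run 'nft monitor trace' to see per-packet verdicts"
    else
        echo "nft not available or not root; generated ruleset follows:" >&2
        build_ruleset
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Two caveats worth keeping in mind when reading the trace output. First, `nft monitor trace` only shows packets for which some rule set `meta nftrace set 1`; if tracing is enabled in a chain that established-flow packets skip (for example after an early `ct state established accept`), those packets will not appear even though they do traverse the forward hook. Second, a flow that has been offloaded to a flowtable bypasses the classic forward chain entirely, so no filter rule there will ever match it; with the rules above (no flowtable) every packet of the flow still hits the forward chain and the reject's `counter` should increment. If the intent is to tear down the existing connection rather than just block further packets, the conntrack entry for the flow can also be deleted with conntrack-tools (`conntrack -D -d 10.0.2.10`, address constructed as above), after which the next packet is treated as new.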