[Bug 77] a bug in the chain PREROUTING of the table nat

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Mon, 14 Apr 2003 09:43:39 +0200


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=77

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |trivial
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
            Summary|a bug in the chain          |a bug in the chain
                   |PREROUTING of the table nat |PREROUTING of the table nat



------- Additional Comments From laforge@netfilter.org  2003-04-14 09:43 -------
Please try to understand how netfilter works before filing a bug report.

The described behaviour is perfectly normal.  The 'nat' table is traversed for
every _first_ packet of a connection.  You can delete all nat rules, but
already-established connections will remain active (and NATed).

Due to the connectionless operation of UDP, we cannot tell UDP sessions apart if
they use the same (srcip,srcport,dstip,dstport) tuple.

Apart from that, your -t nat -I PREROUTING -j DROP rule will also only consider
the first packet of every connection.

It seems like you have some misunderstanding about the semantics.
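To make the semantics in the comment above concrete, here is a constructed Python model (added here, not netfilter code and not from the bug report) of the nat PREROUTING chain plus conntrack: only a connection's first packet traverses the nat rules, the verdict is cached on the flow, and later packets reuse it even after the rules are flushed. Flows are keyed by the UDP 4-tuple the comment names; conntrack timeouts and the rest of the hook pipeline are deliberately left out.

```python
# Constructed model of nat-table + conntrack behaviour; not netfilter's code.
from dataclasses import dataclass, field


@dataclass
class NatPrerouting:
    # Ordered rule list; each rule is (match_fn, verdict) where verdict is
    # ("DNAT", new_dst), ("DROP", None) or ("ACCEPT", None).
    rules: list = field(default_factory=list)
    # conntrack: 4-tuple -> verdict cached from the flow's first packet
    conntrack: dict = field(default_factory=dict)

    def insert(self, match, verdict):      # like `iptables -t nat -I PREROUTING ...`
        self.rules.insert(0, (match, verdict))

    def flush(self):                       # like `iptables -t nat -F PREROUTING`
        self.rules.clear()

    def prerouting(self, pkt):
        """Return the verdict for one packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.conntrack:          # not the first packet: nat rules skipped
            return self.conntrack[key]
        verdict = ("ACCEPT", None)         # chain policy if no rule matches
        for match, v in self.rules:
            if match(pkt):
                verdict = v
                break
        if verdict[0] != "DROP":           # a dropped first packet leaves no entry
            self.conntrack[key] = verdict
        return verdict


def demo():
    nat = NatPrerouting()
    udp = {"src": "10.0.0.5", "sport": 4000, "dst": "192.0.2.1", "dport": 53}
    nat.insert(lambda p: p["dport"] == 53, ("DNAT", "10.0.0.53"))
    first = nat.prerouting(udp)            # first packet: DNAT rule applied and cached
    nat.flush()                            # delete every nat rule ...
    nat.insert(lambda p: True, ("DROP", None))   # ... and add a blanket DROP
    later = nat.prerouting(udp)            # same 4-tuple: still DNATed, DROP never seen
    other = nat.prerouting(dict(udp, sport=4001))  # new tuple: first packet, dropped
    again = nat.prerouting(dict(udp, sport=4001))  # never established, so still "first"
    return first, later, other, again


if __name__ == "__main__":
    print(demo())
```

The existing flow keeps its DNAT mapping until its conntrack entry expires or is flushed, which is why deleting nat rules alone does not stop traffic already being translated.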
