[Bug 693] SNAT is failing to masquerade some TCP RST packets

bugzilla-daemon at bugzilla.netfilter.org
Mon Dec 5 12:39:25 CET 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=693


Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec at netfilter.org




--- Comment #6 from Jozsef Kadlecsik <kadlec at netfilter.org>  2011-12-05 12:39:24 ---
The NAT engine ignores any packet with state INVALID, because there's no
reliable way to determine what kind of NAT should be performed. So the proper
way to prevent the leakage of private address space is to drop INVALID packets.

It's not a well documented feature, unfortunately.

If the conntrack engine fails to properly identify a packet and thus assigns it
to the INVALID state, that's a bug. But too late packets do not fall to that
category.


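The mitigation named in comment #6, dropping INVALID packets so they never leave the gateway un-NATed, only works if the drop rule is reached before any rule that accepts such packets. The script below is an added example, not part of the bug comment or of netfilter's own code: it audits `iptables-save` output for that ordering. It assumes a dump taken without `-c` counters, and the sample rulesets, interface names and addresses are constructed.

```shell
# Added example. Mitigation on the gateway: iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
# check_invalid_drop CHAIN   (reads `iptables-save` output on stdin)
#   returns 0: an unconditional INVALID drop precedes every ACCEPT that could match INVALID
#   returns 1: an ACCEPT rule that can match INVALID packets comes first
#   returns 2: no explicit INVALID drop rule found in the filter table
check_invalid_drop() {
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter", ...
        table != "filter" || $1 != "-A" || $2 != chain { next }
        {
            target = ""; state = ""; negated = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--ctstate" || $i == "--state") { state = $(i + 1); negated = ($(i - 1) == "!") }
            }
            # Can this rule match a packet in conntrack state INVALID?
            hits = (state == "") || (negated != (("," state ",") ~ /,INVALID,/))
            # NF == 8: "-A CHAIN -m <match> --ctstate <list> -j DROP", no other conditions
            if (target == "DROP" && state != "" && hits && NF == 8) { rc = 0; done = 1; exit }
            if (target == "ACCEPT" && hits) { rc = 1; done = 1; exit }
        }
        END { exit (done ? rc : 2) }
    '
}
# Constructed rulesets (interfaces and addresses are made up for the example).
sample_leaky() { cat <<'EOF'
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}
sample_hardened() { cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}
for s in sample_leaky sample_hardened; do
    rc=0; "$s" | check_invalid_drop FORWARD || rc=$?; echo "$s: exit $rc"
done
```

On a live gateway the same check is `iptables-save | check_invalid_drop FORWARD`; a result of 1 means the drop rule exists but sits behind an ACCEPT that already lets INVALID packets through.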