From mboxrd@z Thu Jan  1 00:00:00 1970
From: Patrick McHardy
Subject: Re: [PATCH] MASQUERADE not flushing conntracks on ip change
Date: Thu, 04 Nov 2004 23:36:58 +0100
Message-ID: <418AAF0A.4000201@trash.net>
References: <20041102210440.GA1851@linuxace.com> <418999B2.3070600@trash.net> <20041104154355.GA8553@linuxace.com> <418A6D29.60004@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: netfilter-devel@lists.netfilter.org
To: Henrik Nordstrom
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Henrik Nordstrom wrote:
> On Thu, 4 Nov 2004, Patrick McHardy wrote:
>
>> Ok, I agree it is still useful, but using the inetaddr_notifier gives
>> false positives when more than one IP address is added to the interface.
>
> Which is not an environment MASQUERADE is designed for, so it should
> be acceptable.

But we do try to handle such an environment gracefully by using
rt_gateway for the inet_select_addr call.

> There is always the fallback to plain SNAT with ctnetlink for cleaning
> up stale connections when needed.

The problem is the opposite: living conntracks are killed when more
than one IP address is added to the interface.

Phil mentioned router/switch/dslmodem/cablemodem power cycles. Contrary
to what I said earlier, I don't see what value this optimization might
have. A router/switch power cycle doesn't matter. The optimization
doesn't work for dslmodems (ppp devices), and with cablemodems you don't
lose your IP, except in the very unlucky situation that your DHCP lease
times out while you are disconnected and you get a different one
afterwards.

Regards
Patrick