We have no explicit signal when a UDP stream has terminated, peers just
stop sending.
For the unreplied UDP case, 10 seconds should be enough to cover
delayed replies, and for suspected stream connections a timeout
of two minutes is sane to keep the NAT mapping alive a while longer.
It matches tcp
DNS resolvers that send both A and queries from the same source port can
trigger stream mode prematurely, which results in a non-early-evictable ct
for three minutes, even though the request is done after a few milliseconds.
Add a two second grace period where we continue to use the ordinary
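The timeout policy the two conntrack commit messages above describe (a short unreplied timeout, a two-minute stream timeout, and a grace period before a replied flow counts as a stream) as a small state-machine model. This is an added example written for this page, not the kernel's nf_conntrack_proto_udp.c; the struct, function names and the three constants are assumptions that restate the values quoted above, and the packet timelines are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Timeouts in milliseconds. The values restate the commit messages above;
 * the state machine itself is a simplified model written for this page,
 * not the kernel's nf_conntrack_proto_udp.c. */
#define UDP_TIMEOUT_UNREPLIED_MS  10000L
#define UDP_TIMEOUT_STREAM_MS    120000L
#define UDP_STREAM_GRACE_MS        2000L

enum udp_dir { DIR_ORIGINAL, DIR_REPLY };

struct udp_ct {
    long first_seen;   /* time of the packet that created the entry */
    long expires;      /* absolute time the entry is evicted if idle */
    bool seen_reply;   /* a packet in the reply direction was seen */
    bool assured;      /* stream mode: entry is no longer early-evictable */
};

static void udp_ct_init(struct udp_ct *ct, long now)
{
    ct->first_seen = now;
    ct->expires = now + UDP_TIMEOUT_UNREPLIED_MS;
    ct->seen_reply = false;
    ct->assured = false;
}

/* Refresh the entry for a packet seen at 'now'. Returns false if the
 * entry had already expired (the packet would create a fresh entry). */
static bool udp_ct_packet(struct udp_ct *ct, long now, enum udp_dir dir)
{
    long timeout = UDP_TIMEOUT_UNREPLIED_MS;

    if (now > ct->expires)
        return false;
    if (dir == DIR_REPLY)
        ct->seen_reply = true;

    /* A reply alone does not make a stream: the flow must still be
     * exchanging packets once the grace period after creation is over. */
    if (ct->seen_reply && now - ct->first_seen >= UDP_STREAM_GRACE_MS) {
        timeout = UDP_TIMEOUT_STREAM_MS;
        ct->assured = true;
    }
    ct->expires = now + timeout;
    return true;
}

/* Constructed scenario: a resolver sends an A query and a second query
 * from the same source port; both answers arrive within milliseconds. */
static struct udp_ct scenario_dns_burst(void)
{
    struct udp_ct ct;

    udp_ct_init(&ct, 0);                      /* first query at t=0 */
    udp_ct_packet(&ct, 1, DIR_ORIGINAL);      /* second query, same port */
    udp_ct_packet(&ct, 20, DIR_REPLY);        /* first answer */
    udp_ct_packet(&ct, 25, DIR_REPLY);        /* second answer */
    return ct;                                /* expires at 10025, not assured */
}

/* Constructed scenario: a bidirectional flow still active after 2 s. */
static struct udp_ct scenario_stream(void)
{
    struct udp_ct ct;

    udp_ct_init(&ct, 0);
    udp_ct_packet(&ct, 500, DIR_REPLY);
    udp_ct_packet(&ct, 1500, DIR_ORIGINAL);   /* still inside the grace period */
    udp_ct_packet(&ct, 3000, DIR_REPLY);      /* past it: stream timeout applies */
    return ct;                                /* expires at 123000, assured */
}

/* Constructed scenario: a reply arriving after the unreplied timeout
 * ran out does not revive the old entry. */
static bool scenario_late_reply(void)
{
    struct udp_ct ct;

    udp_ct_init(&ct, 0);
    return udp_ct_packet(&ct, 10001, DIR_REPLY);   /* false: already expired */
}

int main(void)
{
    struct udp_ct dns = scenario_dns_burst();
    struct udp_ct stream = scenario_stream();

    printf("dns burst: timeout left %ld ms, assured=%d\n",
           dns.expires - 25, (int)dns.assured);
    printf("stream:    timeout left %ld ms, assured=%d\n",
           stream.expires - 3000, (int)stream.assured);
    printf("late reply accepted: %d\n", (int)scenario_late_reply());
    return 0;
}
```

The DNS burst never leaves the short timeout because every packet falls inside the grace window, so the entry remains early-evictable under memory pressure; the long-lived flow crosses the window and is promoted to the stream timeout. Without the grace check (drop the `now - ct->first_seen` condition) the first DNS answer would immediately pin the entry for the full stream timeout, which is exactly the behaviour the second commit message above complains about.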
Since a pseudo-random starting point is used in finding a port in
the default case, that 'else if' branch above is no longer a necessity.
So remove it to simplify the code.
Signed-off-by: Xiaozhou Liu
---
net/netfilter/nf_nat_proto_common.c | 2 --
1 file changed, 2 deletions(-)
diff --git
When adjusting sack block sequence numbers, skb_make_writable() gets
called to make sure tcp options are all in the linear area, and buffer
is not shared.
This can cause the tcp header pointer to get reallocated, so we must
reload it to avoid memory corruption.
This bug pre-dates git history.
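The pointer-invalidation pattern behind the fix above, reduced to user space: a header pointer computed before the buffer is made writable, then reused after the call replaced the underlying memory. This is an added example for this page, not the kernel's skb_make_writable() or nf_nat code; `struct buf`, `buf_make_writable()`, `OPT_OFF` and the payload layout are constructed assumptions. The model keeps the old memory alive as a still-shared copy so the wrong write is observable without undefined behaviour; in the kernel the stale pointer can also refer to freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A shared buffer with copy-on-write semantics, modelled on the
 * skb / skb_make_writable() situation in the commit message above.
 * Illustrative code written for this page, not the kernel's implementation. */
struct buf {
    unsigned char *data;
    size_t len;
    int shared;            /* nonzero: another owner still references data */
};

/* Make the buffer private (and thus writable). When it was shared, the
 * payload is cloned and buf->data now points at the clone, so any pointer
 * computed from the old buf->data is stale afterwards. */
static int buf_make_writable(struct buf *b)
{
    unsigned char *copy;

    if (!b->shared)
        return 1;
    copy = malloc(b->len);
    if (!copy)
        return 0;
    memcpy(copy, b->data, b->len);
    b->data = copy;
    b->shared = 0;
    return 1;
}

#define OPT_OFF 4   /* offset of the "option" byte being adjusted (constructed layout) */

/* Buggy: header pointer computed before the buffer is made writable and
 * reused afterwards, so the write lands in the shared original. */
static int adjust_stale(struct buf *b, unsigned char v)
{
    unsigned char *hdr = b->data;            /* computed too early */

    if (!buf_make_writable(b))
        return 0;
    hdr[OPT_OFF] = v;                        /* stale: writes the other owner's memory */
    return 1;
}

/* Fixed: reload the header pointer after buf_make_writable(). */
static int adjust_reload(struct buf *b, unsigned char v)
{
    unsigned char *hdr;

    if (!buf_make_writable(b))
        return 0;
    hdr = b->data;                           /* reloaded after possible reallocation */
    hdr[OPT_OFF] = v;
    return 1;
}

/* Run one variant against a constructed shared payload. Returns the byte
 * left in the *original* (still-shared) memory: 0 means the other owner's
 * data was untouched. *private_byte receives the byte in our own copy. */
static int run_variant(int (*adjust)(struct buf *, unsigned char),
                       unsigned char *private_byte)
{
    unsigned char original[8] = {0};         /* constructed: owned by "someone else" */
    struct buf b = { original, sizeof original, 1 };
    int orig_byte;

    adjust(&b, 0x5a);
    *private_byte = b.data[OPT_OFF];
    orig_byte = original[OPT_OFF];
    if (b.data != original)
        free(b.data);
    return orig_byte;
}

static int corrupted_by_stale(void)
{
    unsigned char priv;
    return run_variant(adjust_stale, &priv);      /* 0x5a: shared memory corrupted */
}

static int corrupted_by_reload(void)
{
    unsigned char priv;
    return run_variant(adjust_reload, &priv);     /* 0: only the private copy changed */
}

static int private_after_reload(void)
{
    unsigned char priv;
    run_variant(adjust_reload, &priv);
    return priv;                                  /* 0x5a: the edit landed where intended */
}

int main(void)
{
    printf("stale pointer:  original byte 0x%02x\n", corrupted_by_stale());
    printf("reloaded:       original byte 0x%02x, private byte 0x%02x\n",
           corrupted_by_reload(), private_after_reload());
    return 0;
}
```

The review rule this encodes: any pointer derived from a buffer's data must be recomputed after every call that may unshare, linearize or reallocate that buffer, and a function that does so should document it in its contract so callers know the invalidation happens.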
On Wed, Dec 05, 2018 at 12:18:30PM +0100, Arturo Borrero Gonzalez wrote:
[...]
> I would apply the -legacy renaming patch regardless. We already did this
> with arptables after the agreement @ NFWS. In fact, me sending the patch
> now (instead of last summer) is just my lack of time to write it
On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote:
> On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
Hi,
Now that the iptables.git repo offers
On Wed, Dec 05, 2018 at 12:59:43AM +0200, Pavel Melnik wrote:
> Hi
>
> > I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw
> > table.
>
> We will try, thanks
Have a look at:
commit 902d6a4c2a4f411582689e53fb101895ffe99028
Author: Subash Abhinov Kasiviswanathan
Date: Wed