On Tue, 2016-12-06 at 08:21 -0800, Tom Eastep wrote:
>
> This is a common problem with UDP. A packet arrives on tun0 before the
> DNAT rule is in place, and the resulting conntrack table entry
> persists so long as matching packets continue to arrive. You can
> remove the offending entry using the 'conntrack' utility.

Ahhh. Now that you describe it, it makes complete sense, and yes, indeed, removing the conntrack entry resolved it.

Cheers,
b.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
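
The stale-entry condition described in the thread above, as an added example that is not part of the original messages: a UDP flow tracked before the DNAT rule existed has a reply tuple that simply mirrors the original one, so it can be picked out of `conntrack -L -p udp` output. The function names, addresses and port 5060 are constructed for illustration, and the check assumes every flow to that port is meant to be DNATed.

```shell
#!/bin/sh
# Added example: list UDP conntrack entries to PORT that carry no DNAT
# and print the matching `conntrack -D` command for each one.

# Constructed sample of `conntrack -L -p udp` output (addresses are made up).
sample_conntrack() {
cat <<'EOF'
udp      17 28 src=10.8.0.6 dst=10.8.0.1 sport=40000 dport=5060 [UNREPLIED] src=10.8.0.1 dst=10.8.0.6 sport=5060 dport=40000 mark=0 use=1
udp      17 170 src=10.8.0.7 dst=10.8.0.1 sport=40001 dport=5060 src=192.168.1.10 dst=10.8.0.7 sport=5060 dport=40001 [ASSURED] mark=0 use=1
udp      17 12 src=10.8.0.6 dst=10.8.0.1 sport=53124 dport=53 src=10.8.0.1 dst=10.8.0.6 sport=53 dport=53124 mark=0 use=1
EOF
}

# Reads conntrack listing on stdin; $1 is the destination port that
# should always be DNATed (an assumption of this example).
stale_udp_deletes() {
    awk -v port="$1" '
    $1 == "udp" {
        split("", cnt)                      # reset per-line counters
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) {
                split($i, kv, "=")
                c = ++cnt[kv[1]]            # 1 = original tuple, 2 = reply tuple
                t[kv[1], c] = kv[2]
            }
        }
        # With DNAT applied, the reply source is the translated address.
        # If it still equals the original destination, no DNAT was recorded.
        if (t["dport", 1] == port &&
            t["src", 2] == t["dst", 1] &&
            t["sport", 2] == t["dport", 1]) {
            printf "conntrack -D -p udp --orig-src %s --orig-dst %s --sport %s --dport %s\n",
                   t["src", 1], t["dst", 1], t["sport", 1], t["dport", 1]
        }
    }'
}

# Demo on the constructed sample. On a live firewall (as root):
#   conntrack -L -p udp 2>/dev/null | stale_udp_deletes 5060
sample_conntrack | stale_udp_deletes 5060
```

The output is a list of commands to review, not something the script runs itself; after deletion, the next packet of the flow is tracked afresh and traverses the nat table with the DNAT rule in place.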
