search for: trustiosity

...oduct: netfilter/iptables Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: nf_conntrack Assignee: netfilter-buglog at lists.netfilter.org Reporter: zrm at trustiosity.com The code intended to extend the conntrack timeout in the event of new traffic doesn't check the existing timeout, so if the existing timeout was already longer than the default, the timeout is reduced. Example scenario: Default UDP timeout is three minutes (after SEEN_REPLY). The timeout...

...netfilter/iptables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: NAT Assignee: netfilter-buglog at lists.netfilter.org Reporter: zrm at trustiosity.com Take a rule like this: ip6tables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1000::1:ffff:ffff-1000::2:0:0 The kernel was then observed choosing the address 1000::2:ffff:ffff as the translation, which is outside the specified range. This is the code in find_best_ips_proto() in nf_nat_...