Drop invalid conntrack packets #816
Closed
mccv1r0 added a commit to mccv1r0/plugins that referenced this issue Jan 24, 2023

…ckets which conntrack considers invalid.
When portmap is used in chain, do likewise.
Use container specific IP addresses in rules so that only this rule is removed in cniDel
Allow for portmap and ipMasq to co-exist or used independently
Fixes containernetworking#816
Signed-off-by: Michael Cambria <[email protected]>

mccv1r0 added a commit to mccv1r0/plugins that referenced this issue Jan 26, 2023

…ckets which conntrack considers invalid.
When portmap is used in chain, do likewise.
Use container specific IP addresses in rules so that only this rule is removed in cniDel
Allow for portmap and ipMasq to co-exist or used independently
Fixes containernetworking#816
Signed-off-by: Michael Cambria <[email protected]>

After RST is seen in either direction, conntrack fails to masquerade any packets in flight in the other direction. This leaks the internal IP address used. Users are not happy about it.
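
A simplified model of the leak described above and of the fix named in the issue title, as an added example that is not the plugin's code. The `Gateway` type, its fields and all addresses are constructed for illustration, and `DropInvalid` stands in for an iptables rule matching `-m conntrack --ctstate INVALID` with target `DROP`.

```go
package main

import "fmt"

// Simplified model of the issue's behaviour, not netfilter code; addresses are constructed.
type Packet struct{ Src, Dst, Flag string }

type Gateway struct {
	HostIP      string
	DropInvalid bool            // models: -m conntrack --ctstate INVALID -j DROP
	flows       map[string]bool // live conntrack entries, keyed "container>remote"
}

// Outbound returns the packet as it leaves the host, and false when it is dropped.
func (g *Gateway) Outbound(p Packet) (Packet, bool) {
	key := p.Src + ">" + p.Dst
	if p.Flag == "SYN" {
		g.flows[key] = true // NEW: masquerade mapping is created
	} else if !g.flows[key] {
		// INVALID: no live entry, so no NAT mapping is applied.
		if g.DropInvalid {
			return Packet{}, false
		}
		return p, true // forwarded with the container's own source address
	}
	p.Src = g.HostIP // masqueraded
	return p, true
}

// WireSources replays SYN, ACK, remote RST, in-flight ACK and returns the
// source address of every packet that left the host.
func WireSources(dropInvalid bool) []string {
	const ctr, host, remote = "10.22.0.5", "192.0.2.10", "198.51.100.7"
	g := &Gateway{HostIP: host, DropInvalid: dropInvalid, flows: map[string]bool{}}
	var seen []string
	send := func(flag string) {
		if out, ok := g.Outbound(Packet{ctr, remote, flag}); ok {
			seen = append(seen, out.Src)
		}
	}
	send("SYN")
	send("ACK")
	delete(g.flows, ctr+">"+remote) // RST from the remote side ends the tracked flow
	send("ACK")                     // was already in flight when the RST arrived
	return seen
}

func main() {
	fmt.Println("no rule:", WireSources(false), "with rule:", WireSources(true))
}
```

Without the rule the last source address on the wire is the container's internal one; with it, only the host address ever appears.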