On Friday 07 October 2005 19:08, Patrick McHardy wrote:
I don't know about other distributions, but SUSE at some point found that some web benchmarks dramatically improved in the default configuration when local conntrack was off. It has been off ever since.
When an ICMP error is sent by the firewall itself, the inner
packet needs to be restored to its original state. That means
both DNAT and SNAT which might have been applied need to be
reversed. DNAT is reversed at places where we usually do
SNAT (POST_ROUTING), SNAT is reversed where usually DNAT is
done (PRE_ROUTING/LOCAL_OUT). Since locally generated packets
never go through PRE_ROUTING, it is done in LOCAL_OUT, which
required enabling NAT in LOCAL_OUT unconditionally. It might
be possible to move this to some different hook, I didn't
investigate it.
This sounds wrong anyway. You shouldn't be touching conntrack state for ICMPs generated by routers, because they can be temporary errors (e.g. during a routing flap when the route moves). The only safe way to handle this is to wait for the timeout, which doesn't need local handling. And the firewall cannot be an end host here.
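The reversal Patrick describes (undo DNAT and SNAT on the header embedded in a locally generated ICMP error, then send the error back to the original sender) can be illustrated in user space. The following is an added example written for this thread; it is not the kernel's ip_nat code, it collapses the two hooks (POST_ROUTING and LOCAL_OUT) into a single function, and every address, port and NAT binding in it is a constructed sample value. It assumes a plain IPv4 packet buffer with no extension beyond the IP and ICMP headers.

```c
/* Added illustration, not kernel code: reverse-translate a locally generated
 * ICMP error on a NATed flow. The embedded header gets its pre-NAT addresses
 * and ports back, the outer header is addressed to the original sender, and
 * every checksum that is fully present is recomputed. All values constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* One NAT binding in the original direction: what the client sent vs. what left the box. */
struct nat_mapping {
    uint32_t orig_src, orig_dst;     uint16_t orig_sport, orig_dport; /* before SNAT/DNAT */
    uint32_t nat_src, nat_dst;       uint16_t nat_sport, nat_dport;   /* after SNAT/DNAT  */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 1071 Internet checksum; returns 0 over a block whose checksum field is valid. */
static uint16_t inet_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0; size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += get16(buf + i);
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    return (uint16_t)~csum_fold(sum);
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for one 16-bit word. */
static uint16_t csum_update16(uint16_t csum, uint16_t oldw, uint16_t neww) {
    uint32_t sum = (uint16_t)~csum;
    sum += (uint16_t)~oldw;
    sum += neww;
    return (uint16_t)~csum_fold(sum);
}
static uint16_t csum_update32(uint16_t csum, uint32_t oldv, uint32_t newv) {
    csum = csum_update16(csum, (uint16_t)(oldv >> 16), (uint16_t)(newv >> 16));
    return csum_update16(csum, (uint16_t)oldv, (uint16_t)newv);
}

/* 0 on success; -1 if malformed or the embedded header does not belong to the mapping. */
static int undo_nat_in_icmp_error(uint8_t *pkt, size_t len, const struct nat_mapping *m) {
    size_t ihl, iihl; uint8_t *icmp, *inner, *l4;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 + 20 + 8) return -1;
    icmp = pkt + ihl; inner = icmp + 8;
    iihl = (inner[0] & 0x0f) * 4;
    if (iihl < 20 || len < ihl + 8 + iihl + 8) return -1;
    l4 = inner + iihl;
    /* The embedded datagram is the one that left NAT, so it must match the binding. */
    if (get32(inner + 12) != m->nat_src || get32(inner + 16) != m->nat_dst ||
        get16(l4) != m->nat_sport || get16(l4 + 2) != m->nat_dport) return -1;
    /* Reverse SNAT and DNAT on the embedded header (two hooks in the kernel, one step here). */
    put32(inner + 12, m->orig_src); put32(inner + 16, m->orig_dst);
    put16(l4, m->orig_sport);       put16(l4 + 2, m->orig_dport);
    put16(inner + 10, 0);           put16(inner + 10, inet_checksum(inner, iihl));
    /* Only 8 bytes of the inner transport header are present, so its checksum cannot be
     * recomputed. UDP's sits inside those 8 bytes and is patched incrementally for the
     * pseudo-header addresses and the ports; TCP's lies beyond byte 8 and is left alone. */
    if (inner[9] == 17 && get16(l4 + 6) != 0) {
        uint16_t c = get16(l4 + 6);
        c = csum_update32(c, m->nat_src, m->orig_src);
        c = csum_update32(c, m->nat_dst, m->orig_dst);
        c = csum_update16(c, m->nat_sport, m->orig_sport);
        c = csum_update16(c, m->nat_dport, m->orig_dport);
        put16(l4 + 6, c ? c : 0xffff);   /* UDP: zero means "no checksum" */
    }
    /* The error travels in the reply direction of the original connection:
     * from the pre-DNAT destination back to the pre-SNAT source. */
    put32(pkt + 12, m->orig_dst);   put32(pkt + 16, m->orig_src);
    put16(pkt + 10, 0);             put16(pkt + 10, inet_checksum(pkt, ihl));
    put16(icmp + 2, 0);             put16(icmp + 2, inet_checksum(icmp, len - ihl));
    return 0;
}

/* Constructed binding: external client -> firewall's public address, port-forwarded to an
 * internal DNS server with the source rewritten to a LAN-side address of the firewall. */
static struct nat_mapping sample_mapping(void) {
    struct nat_mapping m;
    m.orig_src = IP4(198, 51, 100, 7);  m.orig_sport = 40000;
    m.orig_dst = IP4(203, 0, 113, 1);   m.orig_dport = 53;
    m.nat_src  = IP4(192, 168, 1, 254); m.nat_sport  = 40000;
    m.nat_dst  = IP4(192, 168, 1, 10);  m.nat_dport  = 53;
    return m;
}

/* Constructed ICMP host-unreachable as the firewall would build it for the already
 * NATed datagram, before any reverse translation. Returns the packet length (56). */
static size_t build_sample_icmp_error(uint8_t *pkt) {
    const struct nat_mapping m = sample_mapping();
    uint8_t *icmp = pkt + 20, *inner = icmp + 8, *l4 = inner + 20;
    memset(pkt, 0, 56);
    pkt[0] = 0x45; put16(pkt + 2, 56); pkt[8] = 64; pkt[9] = 1;  /* outer IPv4, proto ICMP */
    put32(pkt + 12, IP4(192, 168, 1, 1)); put32(pkt + 16, m.nat_src); /* to the inner source */
    put16(pkt + 10, inet_checksum(pkt, 20));
    icmp[0] = 3; icmp[1] = 1;                                     /* unreachable, host */
    inner[0] = 0x45; put16(inner + 2, 48); put16(inner + 4, 0x1234); inner[8] = 63; inner[9] = 17;
    put32(inner + 12, m.nat_src); put32(inner + 16, m.nat_dst);
    put16(inner + 10, inet_checksum(inner, 20));
    put16(l4, m.nat_sport); put16(l4 + 2, m.nat_dport); put16(l4 + 4, 28); put16(l4 + 6, 0xabcd);
    put16(icmp + 2, inet_checksum(icmp, 36));
    return 56;
}

int main(void) {
    uint8_t pkt[64]; struct nat_mapping m = sample_mapping();
    size_t len = build_sample_icmp_error(pkt);
    int rc = undo_nat_in_icmp_error(pkt, len, &m);
    printf("undo=%d outer %08x->%08x inner %08x->%08x ports %u->%u\n", rc,
           get32(pkt + 12), get32(pkt + 16), get32(pkt + 40), get32(pkt + 44),
           get16(pkt + 48), get16(pkt + 50));
    return rc;
}
```

The check that matters operationally is the one in the middle: the embedded header is matched against the binding before anything is rewritten, so an ICMP error that quotes some other flow (or a second pass over an already translated error) is left untouched rather than being mangled into a packet for the wrong host.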