We have a router on 7.12.1 and we had a DNAT NETMAP rule that when disabled was still passing (and NATing) a small amount of traffic. It wasn’t until the rule was completely deleted that the behavior stopped. Has anyone else experienced this?
When fasttrack is active for a certain connection, then most of the packets belonging to that connection won’t be processed by the normal firewall rules; instead they will be handled by special (fasttrack) functions. This means that changing rules won’t affect the connection. You have to remove the “infringing” connections from the connection tracking list. New connections will be hitting the new set of rules, though.
And this principle applies to NAT rules as well.
How about a reboot? Would that do it?
What mkx said is not just applicable for fasttrack. When connections are tracked, the src/dstnat translation is attached to the conntrack entry, and the NAT rules are not even consulted for later packets. This is what people usually observe.
The same can be seen for other situations when conntrack state is used, e.g. if you have an established winbox connection, and delete the rule allowing it, due to the standard established/related rule the connection will continue to be allowed, even though new connections will not be successful.
Correct, what lurker888 said: already active (& tracked) dialogues will continue to work until they finish/expire/timeout.
Which also means that it wasn’t the OP’s deleting the already-disabled rule that made the traffic stop. That was merely coincidental timing.
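The procedure the replies describe (disable the rule, then clear the tracked connections that still carry the old translation), written out as an added example that is not from any poster in this thread. It assumes RouterOS 7 CLI, a NETMAP rule tagged with the comment "dmz-netmap", and a constructed translated range 203.0.113.0/24.

```routeros
# Disable the DNAT/NETMAP rule by its comment (assumed comment, constructed for this example).
/ip firewall nat set [find comment="dmz-netmap"] disabled=yes

# Existing connections keep their translation in the conntrack entry, so they still
# get NATed even though the rule is disabled. List the ones that still match the
# translated range; entries marked with the dstnat (d) / fasttrack (F) flags are
# the "infringing" connections that never re-consult the NAT table.
/ip firewall connection print where dst-address~"^203\\.0\\.113\\."

# Remove those conntrack entries. The next packet of each flow creates a fresh entry,
# which is evaluated against the current (now rule-less) NAT table. A reboot also
# clears the table, but this is the targeted equivalent.
/ip firewall connection remove [find dst-address~"^203\\.0\\.113\\."]

# Verify: nothing should remain for the old translated range.
/ip firewall connection print count-only where dst-address~"^203\\.0\\.113\\."
```

If the flows are long-lived (VPN tunnels, database sessions) they will re-establish immediately, which is expected; the point is that the re-established flow no longer gets the NETMAP translation.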