Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> writes:

> I believe that nf_conntrack deliberately does not use interfaces
> as tuple parts because packets may very well come in on
> and/or leave on different interfaces (routing on fwmark).

As a reminder, this makes it very important that Linux firewalls have rp_filter set to true -- or that they drop packets coming in on the "wrong" interface BEFORE the customary

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/Benny
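The rule-ordering point above, as an added example that is not part of the original post: a small POSIX shell script that emits the strict rp_filter sysctls and a FORWARD chain in iptables-restore syntax, with the anti-spoofing drops placed before the RELATED,ESTABLISHED accept, plus a check that verifies that order. The interface names (eth0 as WAN, eth1 as LAN) and the LAN prefix 192.168.1.0/24 are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Demonstrates why the drop of
# packets arriving on the "wrong" interface must precede the conntrack
# RELATED,ESTABLISHED accept: once that accept matches, a spoofed packet that
# belongs to an existing flow is forwarded regardless of which interface it hit.
# Hypothetical topology: eth0 = WAN, eth1 = LAN, 192.168.1.0/24 = LAN prefix.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Strict reverse-path filtering: the kernel discards packets whose source
# address would not be routed back out the interface they arrived on.
sysctl_rp_filter() {
    printf 'net.ipv4.conf.all.rp_filter=1\n'
    printf 'net.ipv4.conf.default.rp_filter=1\n'
}

# FORWARD chain in the safe order, as iptables-restore input so it can be
# reviewed before being applied. The two explicit DROPs catch LAN-sourced
# packets arriving from the WAN side and non-LAN-sourced packets arriving
# from the LAN side; only then does the state match get a chance to ACCEPT.
forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $LAN ! -s $LAN_NET -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated rule set: every "-j DROP" line must come
# before the RELATED,ESTABLISHED accept. Exit status 0 means the order is right.
check_order() {
    rules=$(forward_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    last_drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1 | tail -n 1)
    [ -n "$accept_line" ] && [ -n "$last_drop" ] && [ "$last_drop" -lt "$accept_line" ]
}

# To apply on a real host (needs root):
#   sysctl_rp_filter | while read -r kv; do sysctl -w "$kv"; done
#   forward_rules | iptables-restore
```

The script only prints the configuration; applying it is left to the two commands in the trailing comment so the rule set can be reviewed first. rp_filter and the explicit interface drops are complementary: rp_filter covers the routing-table view of a source address, while the explicit rules document the intended topology and still apply when asymmetric routing forces rp_filter to be loosened.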