Re: [PATCH:RFC 5/5] bridge-netfilter: use the vlan id as part of the connection tracking tuple for bridged traffic

Eric Dumazet wrote:
> 
> This really sounds very strange, layering violation or something.

Isn't the whole bridge-netfilter concept already a layering violation by
design?

> You mix conntracking, bridge and vlan here.
> 
> Why setups without bridge should not care of vlan + conntracking side
> effects?

Because without bridge, the host is attached at the IP layer level to
the VLANs, so their IP ranges are not supposed to overlap.

Anyway your objection applies to hosts with multiple bridges without
VLAN so the bridges may see overlapping IP ranges. Conntrack zones with
a dedicated target seem a more generic approach.
