Re: [PATCH] pkt_sched: act_xt support new Xtables interface

Hi Pablo,

On 12-12-24 08:12 AM, Pablo Neira Ayuso wrote:

> conntrack needs to see defragmented packets, you have to call
> nf_defrag_ipv4 / _ipv6 respectively before that.


This should not be too hard to do - although my thinking says this
should be a separate action.

> This also changes the semantics of the raw table in iptables since it
> will now see packet with conntrack already attached. So this would
> also break -j CT --notrack.


Is there a flag we can check which says a flow is not to be tracked?
Doesn't nf_conntrack_in() fail if --notrack is set?

> This needs more thinking. I can appreciate the value of calling
> conntrack from different points of the packet traversal, but there are
> a couple of things we have to resolve before allowing that.

There is user need for this Pablo - as you can see from what Felix
deployed, it seems to have a much wider audience depending on it.
What do we need to do to get this to work properly?

cheers,
jamal
