I know that a rule in raw can prevent a packet from being processed by contrack.. I wonder if it could also identify which contrack table it should go in. This problem first came up when using contrack for some extra iptables rules with multiple bridges but where different bridges had clients with the same IP address. I used to think Mac addresses would need to be part of the contrack key and did some trial work on that but now I realise that multiple named or numbered conntrack tables would be better. I don't need this feature now but it does seem like a good idea. Sam -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html