Hi Pablo,
On 05/06/2015 08:50 PM, Pablo Neira Ayuso wrote:
> On Wed, May 06, 2015 at 08:00:42PM +0200, Daniel Borkmann wrote:
>> On 05/06/2015 04:27 PM, Pablo Neira Ayuso wrote:
>>> [...]
>> Thanks for your feedback!
>>> ...
>>> Another question is if it makes sense to have part of the flows using
>>> your flextuple idea while some others not, i.e.
>>>   -s x.y.z.w/24 -j CT --flextuple original
>>> so shouldn't this be a global switch that includes the skb->mark
>>> only for packets coming in the original direction?
>> I first thought about a global sysctl switch, but eventually found
>> this config possibility from the iptables side much cleaner resp. better
>> integrated. I think if the environment is correctly configured for
>> that, such a partial flextuple scenario works, too.
> This is consuming two ct status bits, these are exposed to userspace,
> and we have a limited number of bits there. The one in the original
> direction might be justified for the SNAT case in the specific
> scenario that you show.
Okay, agreed. I will respin the set with --flextuple ORIGINAL direction
allowed where we'd for now only consume a single status bit. If later
on there's a need to extend this for REPLY (or even hybrid), we still
have the option to extend it.
Thanks,
Daniel