Hi Daniel,

On Thu, May 07, 2015 at 02:01:11PM +0200, Daniel Borkmann wrote:
> ...
> >>>Another question is if it makes sense to have part of the flows using
> >>>your flextuple idea while some others not, i.e.
> >>>
> >>> -s x.y.z.w/24 -j CT --flextuple original
> >>>
> >>>so shouldn't this be a global switch that includes the skb->mark
> >>>only for packets coming in the original direction?
> >>
> >>I first thought about a global sysctl switch, but eventually found
> >>this config possibility from iptables side much cleaner resp. better
> >>integrated. I think if the environment is correctly configured for
> >>that, such a partial flextuple scenario works, too.
> >
> >This is consuming two ct status bits, these are exposed to userspace,
> >and we have a limited number of bits there. The one in the original
> >direction might be justified for the SNAT case in the specific
> >scenario that you show.
>
> Okay, agreed. I will respin the set with --flextuple ORIGINAL direction
> allowed where we'd for now only consume a single status bit. If later
> on there's a need to extend this for REPLY (or even hybrid), we still
> have the option to extend it.

I would like to know if it makes sense to add this later on. Would you
elaborate a useful DNAT scenario where this can be useful?

Thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
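As an added illustration (not code from the patch set or from anyone in this thread), a toy model of the SNAT case discussed above. It assumes that "--flextuple original" means the skb->mark is added to the original-direction lookup key only; the tenant names, addresses, port numbers and the status-bit name are constructed.

```python
# Toy model of a conntrack table whose original-direction lookup may be keyed
# on (5-tuple, skb->mark). Constructed illustration, not netfilter code.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Entry:
    tenant: str
    mark: int
    status: set  # stand-in for the ct status bits the thread talks about


class ConntrackTable:
    def __init__(self, flextuple_original: bool):
        self.flextuple_original = flextuple_original
        self.orig: Dict[Tuple[Flow, Optional[int]], Entry] = {}
        self.reply: Dict[Flow, Entry] = {}

    def _orig_key(self, flow: Flow, mark: int):
        # With the option enabled the mark becomes part of the original key.
        return (flow, mark if self.flextuple_original else None)

    def original(self, flow: Flow, mark: int, tenant: str, snat: Tuple[str, int]) -> Entry:
        """Original-direction packet; on creation the flow is SNATed to `snat`."""
        key = self._orig_key(flow, mark)
        if key in self.orig:
            return self.orig[key]  # existing connection, or a collision
        entry = Entry(tenant, mark, set())
        if self.flextuple_original:
            entry.status.add("FLEXTUPLE_ORIGINAL")  # hypothetical name for the one status bit
        self.orig[key] = entry
        # The reply tuple comes from the SNAT mapping, so it needs no mark.
        self.reply[Flow(flow.dst, flow.dport, snat[0], snat[1], flow.proto)] = entry
        return entry

    def reply_lookup(self, flow: Flow) -> Optional[Entry]:
        return self.reply.get(flow)


def demo(flextuple_original: bool):
    """Two tenants with overlapping addressing send the same 5-tuple with different marks."""
    ct = ConntrackTable(flextuple_original)
    flow = Flow("10.0.0.5", 40000, "192.0.2.53", 53)
    a = ct.original(flow, mark=1, tenant="A", snat=("203.0.113.1", 50001))
    b = ct.original(flow, mark=2, tenant="B", snat=("203.0.113.1", 50002))
    reply_b = ct.reply_lookup(Flow("192.0.2.53", 53, "203.0.113.1", 50002))
    return len(ct.orig), a.tenant, b.tenant, reply_b.tenant if reply_b else None
```

Without the mark in the original key, tenant B's packet is matched to tenant A's entry and never gets its own SNAT mapping; with it, the two flows get separate entries, and the distinct SNAT ports alone are enough for reply-direction lookup.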