Re: [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries

Patrick McHardy <kaber@xxxxxxxxx> wrote:
> The way I see it we basically have two options for fixing this:
> 
> * disable the generic protocol entirely

That was the original v1 patch, BUT that means that we do not
support NAT for protocols without l4 tracker anymore (which
is why we did not remove generic protocol).

> * add a helper for every protocol for which we support matching on the identity
>   of a flow and load the helper automatically when conntrack is enabled and
>   the match is used.

Yes, but that might take a while.

The existing way (skip if module) is a compromise to attempt to not break
existing setups.

If e.g. SCTP=n and a user has -p sctp --dport 42 -j ACCEPT then all
sctp packets will match the generic entry for sctp, i.e. the --dport 42
is redundant if an ESTABLISHED accept catchall is used.
That's not nice, but the alternative is to break things when
NAT is used for that protocol...

If we have SCTP=n and it's not loaded, we skip the generic tracker and
users need to load the extra module.  Granted, that breaks things as
well in some cases, but at least that's fixable without 'rebuild
kernel'...
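The situation described in the reply above (SCTP flows landing in the generic tracker, so an ESTABLISHED catchall lets every SCTP packet between the two hosts through regardless of port) can be spotted from the conntrack table. The following is an added example, not code from the thread or from the netfilter project. It assumes the /proc/net/nf_conntrack line format, where the generic l4 tracker reports its protocol name as "unknown" and the real tracker as "sctp"; the sample table is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the thread). Tells generic-tracked SCTP entries
# apart from entries owned by nf_conntrack_proto_sctp, using the
# /proc/net/nf_conntrack layout: l3proto l3num l4name l4num timeout ...
#
# Background, as stated in the reply: with a ruleset like
#   -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   -A INPUT -p sctp --dport 42 -j ACCEPT
# and SCTP=n, the generic entry only keys on addresses and protocol,
# so once any SCTP packet created it, every SCTP packet between the
# two hosts is ESTABLISHED and the --dport 42 restriction is moot.

# Constructed sample table (assumption: three lines, not real traffic).
SAMPLE_CT='ipv4     2 unknown  132 599 src=10.0.0.2 dst=10.0.0.1 src=10.0.0.1 dst=10.0.0.2 mark=0 use=2
ipv4     2 sctp     132 432000 ESTABLISHED src=10.0.0.3 dst=10.0.0.1 sport=40000 dport=42 src=10.0.0.1 dst=10.0.0.3 sport=42 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.4 dst=10.0.0.1 sport=5000 dport=22 src=10.0.0.1 dst=10.0.0.4 sport=22 dport=5000 [ASSURED] mark=0 use=2'

# Count protocol-132 entries handled by the generic tracker ("unknown"):
# these carry no port or vtag state, so port-based rules give no isolation.
count_generic_sctp() {
    printf '%s\n' "$1" | awk '$4 == 132 && $3 == "unknown" { n++ } END { print n+0 }'
}

# Count protocol-132 entries handled by the SCTP tracker itself.
count_real_sctp() {
    printf '%s\n' "$1" | awk '$4 == 132 && $3 == "sctp" { n++ } END { print n+0 }'
}

# Stand-alone usage against the live table when it is readable; otherwise
# fall back to the constructed sample so the script still runs offline.
if [ -r /proc/net/nf_conntrack ]; then
    TABLE=$(cat /proc/net/nf_conntrack)
else
    TABLE=$SAMPLE_CT
fi
echo "generic-tracked SCTP entries: $(count_generic_sctp "$TABLE")"
echo "sctp-tracked entries:         $(count_real_sctp "$TABLE")"
```

A non-zero generic count on a host that carries SCTP rules keyed on ports means the host is in the "skip if module" compromise the reply describes: either load the SCTP tracker module, or accept that the ESTABLISHED catchall admits all SCTP traffic for those address pairs.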


