On Thu, Nov 26, 2015 at 04:25:28PM +0000, Patrick McHardy wrote:
> > This doesn't sound so complicated to me:
> >
> > add rule filter prerouting \
> > ip protocol { tcp, udp, sctp } track
> >
> > You just specify what you need for stateful tracking.
>
> Sure, or "filter prerouting track" for everything. Let's stay at that
> example because it will be a common case and we don't know anything about
> protocols.
>
> > The case above you indicate is enabling conntrack for all packets, the
> > -j CT --track is what should govern this IMO.
>
> How does it prevent exactly that case we're talking about - someone is
> saying "CT --track" without further qualification and means "track
> everything".

That indeed means to me track everything based on what conntrack knows how to track.

> And the SCTP connection tracking module is not available or not
> loaded.

If the module is not available, then this is a custom kernel compilation. IMO we should focus on providing good defaults to typical kernels that are included by most distributors. If the SCTP tracker becomes part of nf_conntrack by default, then we don't have to worry about the "SCTP module not loaded" case.