mudrunka@xxxxxxxxx <mudrunka@xxxxxxxxx> wrote:
> >It would be super useful if one can simply use "-j CT --notrack" in
> >INPUT and FORWARD. (it already works in OUTPUT)
> >
> >If it's impossible to postpone conntrack after routing decision, it
> >might be possible to add some macro that would match any of local
> >addresses that are currently on any of interfaces. like "--src local"
> >or "--dst local".

conntrack hook is in PREROUTING so by the time INPUT/FORWARD hooks are invoked conntrack already picked the packet up.

> >with all these addresses parsed from "ip a s". But that's far from
> >being elegant or reliable.

I suggest using the addrtype match for this:
addrtype --dst-type LOCAL should do what you want.

> >I am planning to switch over to nftables, so it might be another
> >solution...
> >Is this planned to be fixed in nftables? If not can you please
> >consider fixing it?

The fib expression can be used in nft. ("fib daddr type local").
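The point of the reply is that a notrack decision has to be taken in the prerouting hook, before conntrack runs, and that the "is this address local?" test is available there as the addrtype match (iptables) or the fib expression (nftables). The ruleset below is an added example written for this page, not something posted in the thread; the DNS-on-port-53 scenario is a constructed one, chosen because exempting high-rate, stateless traffic to a local service from conntrack is a common reason to want this. The table name "raw" is an arbitrary choice.

```nft
# Added example: exempt UDP/53 traffic addressed to one of this host's own
# addresses from connection tracking. Constructed scenario, not from the thread.
table inet raw {
    chain prerouting {
        # Priority "raw" (-300) runs before conntrack (-200), so notrack
        # here takes effect. A notrack in an input- or forward-hook chain
        # would be too late: the packet has already been picked up.
        type filter hook prerouting priority raw; policy accept;

        # "fib daddr type local" is the nft equivalent of
        # "-m addrtype --dst-type LOCAL": it matches any address that is
        # currently configured on a local interface, without listing them.
        fib daddr type local udp dport 53 notrack
    }

    chain output {
        # Replies from the local resolver leave through the output hook;
        # exempt those too, or conntrack would create entries for them.
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }
}
```

Syntax can be checked without loading anything with `nft -c -f ruleset.nft`; after `nft -f ruleset.nft`, `conntrack -L` should no longer show entries for UDP/53 flows to local addresses. The equivalent iptables rule lives in the raw table, e.g. `iptables -t raw -A PREROUTING -m addrtype --dst-type LOCAL -p udp --dport 53 -j CT --notrack`, for the same reason: the raw table's PREROUTING chain is the only place on the input path that runs ahead of conntrack.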