These patches remove the percpu untracked objects, they get replaced with a new (kernel internal) ctinfo state.

This avoids reference counter operations for untracked packets and removes the need to check a conntrack for the UNTRACKED status bit before setting connmark, labels, etc.

I checked with following rule set and things appear to work as expected (i.e., ssh connections don't show up in conntrack -L):

*raw
:PREROUTING ACCEPT [455:34825]
:OUTPUT ACCEPT [251:29555]
[775:63699] -A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
[251:29555] -A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[337:26377] -A INPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate UNTRACKED
[102:13883] -A OUTPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate UNTRACKED
COMMIT
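An added example, not code from this thread or from the patch series: a small audit of the iptables-save rule set above, checking that every flow exempted with NOTRACK in the raw table is explicitly accepted as UNTRACKED in the filter table, and reading the counters of the target-less UNTRACKED rules (any packets there are untracked traffic no ACCEPT rule covered). The function names and the PREROUTING-to-INPUT chain pairing for locally delivered traffic are assumptions of this example.

```python
# Added example, not code from the netfilter-devel thread: parse an iptables-save dump
# (here the cover letter's own rule set) and check its NOTRACK / UNTRACKED rules agree.
import re
RULESET = """\
*raw
:PREROUTING ACCEPT [455:34825]
:OUTPUT ACCEPT [251:29555]
[775:63699] -A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
[251:29555] -A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[337:26377] -A INPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate UNTRACKED
[102:13883] -A OUTPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate UNTRACKED
COMMIT
"""
RULE = re.compile(r"^\[(\d+):(\d+)\] (.*)$")       # "[pkts:bytes] -A CHAIN ..."
OPT = re.compile(r"(-[-\w]+)(?:\s+([^-\s]\S*))?")  # an option and its value, if any
NON_SELECTOR = {"-A", "-j", "-m", "--ctstate"}    # options that do not describe the flow
PEER_CHAIN = {"PREROUTING": "INPUT", "OUTPUT": "OUTPUT"}  # assumed raw -> filter chain pairing

def parse(dump):
    """One dict per rule: table, chain, pkts, target, ctstate and a flow 'selector'."""
    rules, table = [], None
    for line in dump.splitlines():
        table = line[1:] if line.startswith("*") else table
        if m := RULE.match(line):  # chain policies and COMMIT carry no rule
            d = dict(opts := OPT.findall(m.group(3)))
            rules.append({"table": table, "chain": d["-A"], "pkts": int(m.group(1)),
                          "target": d.get("-j"), "ctstate": d.get("--ctstate"),
                          "selector": frozenset(o for o in opts if o[0] not in NON_SELECTOR)})
    return rules

def audit(dump):
    """Raw NOTRACK rules whose flow has no '--ctstate UNTRACKED -j ACCEPT' in filter."""
    rules = parse(dump)
    ok = {(a["chain"], a["selector"]) for a in rules if a["table"] == "filter"
          and a["target"] == "ACCEPT" and a["ctstate"] == "UNTRACKED"}
    return [f"raw/{n['chain']}: {sorted(n['selector'])} is NOTRACK but not accepted in filter"
            for n in rules if n["table"] == "raw" and n["target"] == "NOTRACK"
            and (PEER_CHAIN.get(n["chain"]), n["selector"]) not in ok]

def stray_untracked(dump):  # packet counts on the target-less UNTRACKED rules, per chain
    return {r["chain"]: r["pkts"] for r in parse(dump)
            if r["table"] == "filter" and r["ctstate"] == "UNTRACKED" and r["target"] is None}
```

With the rule set as posted, audit() returns no findings and both catch-all UNTRACKED counters are zero, which is what the author's "ssh doesn't show up in conntrack -L" check relies on.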