Hi,

Just a follow-up after including your ctnetlink update in the last upstream pull request for net-next.

I think you already mentioned it, but it should be possible to extend the conntrack utility to support kernel side filtering seamlessly. The idea is to keep the userspace filtering as a fallback, regardless of whether the kernel supports CTA_FILTER or not.

I'm missing one feature in CTA_FILTER, that is, netmask filtering for IP addresses.

It would also be good to make this fit into libnetfilter_conntrack. Probably this patch can be extended to include two objects, the conntrack object that represents the exact matching (values) and another one that represents the mask:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200129094719.670-1-romain.bellan@xxxxxxxxxx/

The mask object would only work for the IP address and mark. Probably rename NFCT_FILTER_DUMP_TUPLE to NFCT_FILTER_DUMP, which would provide the most generic version to request kernel side filtering.

Thanks.
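
The value-plus-mask matching with a userspace fallback described in the message above, as an added example that is not code from this message, the kernel, conntrack or libnetfilter_conntrack. All names (`ct_entry`, `ct_filter`, `ct_match`, `ct_dump_filtered`, the `kernel_filters` flag) are hypothetical, and the kernel side is simulated in-process with constructed sample entries.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified entry (not a library type); addresses in network byte order. */
struct ct_entry { uint32_t src, dst, mark; };
/* "value" object plus "mask" object; a zero mask field means "don't care". */
struct ct_filter { struct ct_entry value, mask; };

/* Mask both sides so stray value bits outside the mask cannot cause a miss. */
#define FIELD_MATCH(e, f, fld) \
    ((((e)->fld) & (f)->mask.fld) == ((f)->value.fld & (f)->mask.fld))
bool ct_match(const struct ct_entry *e, const struct ct_filter *f)
{
    return FIELD_MATCH(e, f, src) && FIELD_MATCH(e, f, dst) && FIELD_MATCH(e, f, mark);
}

/* Stand-in for the kernel dump: it filters only when kernel_filters is true. */
static size_t kernel_dump(const struct ct_entry *tbl, size_t n, const struct ct_filter *f,
                          bool kernel_filters, struct ct_entry *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!kernel_filters || ct_match(&tbl[i], f)) out[k++] = tbl[i];
    return k;
}

/* Userspace re-applies the same filter, so old and new kernels give equal results. */
size_t ct_dump_filtered(const struct ct_entry *tbl, size_t n, const struct ct_filter *f,
                        bool kernel_filters, struct ct_entry *out)
{
    size_t got = kernel_dump(tbl, n, f, kernel_filters, out), k = 0;
    for (size_t i = 0; i < got; i++)
        if (ct_match(&out[i], f)) out[k++] = out[i];
    return k;
}

static uint32_t ip4(const char *s) { struct in_addr a = {0}; inet_pton(AF_INET, s, &a); return a.s_addr; }
/* Constructed sample data: match src in 10.0.0.0/8 with (mark & 0xff) == 0x01. */
size_t demo(bool kernel_filters)
{
    struct ct_entry tbl[] = { { ip4("10.1.2.3"), ip4("192.0.2.1"), 0x0101 },
                              { ip4("10.9.9.9"), ip4("192.0.2.2"), 0x0002 },
                              { ip4("172.16.0.5"), ip4("192.0.2.3"), 0x0001 } }, out[3];
    struct ct_filter f = { .value = { ip4("10.0.0.0"), 0, 0x01 },
                           .mask  = { ip4("255.0.0.0"), 0, 0xff } };
    return ct_dump_filtered(tbl, 3, &f, kernel_filters, out);
}
```

Because the userspace pass is idempotent, running it over an already kernel-filtered dump costs only a re-check of the surviving entries.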