On Thu, Jul 2, 2009 at 4:26 PM, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
> On Thu, 2009-07-02 at 16:10 +0100, Terry Burton wrote:
>> Is it possible to disable connection tracking for a specific interface/bridge?
>
> Check out:
>
> NOTRACK
> This target disables connection tracking for all packets matching
> that rule.
>
> It can only be used in the raw table.

Hi Thomas,

Thanks, but my issue isn't with firewalling, rather that I'd like this
traffic to avoid the conntrack table altogether to avoid system load.

>> The particular scenario is that I have a secondary interface that is
>> collecting the traffic from a SPAN/mirror port on a busy router. This
>> interface is enslaved into a bridge along with the virtual interfaces
>> of some analyser virtual machines, using setageing=0 so that the
>> frames are forwarded to all VMs.
>>
>> I would rather not have the traffic that originates from the capture
>> interface hitting the connection tracking code, if possible.
>
> Understandable, but does that actually happen for you?
>
> I do not get any conntrack entries from mirrored ports when
> I am port mirroring packets onto a Linux interface that is up
> but has no configured addresses.
>
> As long as these packets are not addressed to your machine the netfilter
> code never gets to see them, AFAIK.

As soon as I bind the (unaddressed) interface into the bridge the packets
are conntracked.

Thanks,

Terry
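As an added example (not code from this thread), the script below applies the raw-table NOTRACK approach Thomas describes to the bridged capture port Terry has, and exposes the conntrack table size so the effect can be checked. It assumes the capture port is named eth1, that the bridged frames reach iptables through the bridge (so the physical ingress port is matched with the physdev module rather than -i), and that iptables/ip6tables are on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps frames that enter the
# bridge through the capture port out of the conntrack table using the
# NOTRACK target, which is only valid in the raw table and runs before
# conntrack looks at the packet.
# Assumed names: capture port eth1. Packets that cross a bridge reach
# iptables with the bridge as "-i", so the physical ingress port is matched
# with the physdev module (an assumption about the setup, not from the thread).

CAPTURE_IF="${CAPTURE_IF:-eth1}"
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to dry-run
IP6TABLES="${IP6TABLES:-ip6tables}"   # set IP6TABLES=echo to dry-run

# Rule arguments for one raw-table chain.
notrack_rule() {
    printf '%s' "-t raw -A $1 -m physdev --physdev-in $CAPTURE_IF -j NOTRACK"
}

# Install the rule for IPv4 and IPv6 (they have separate raw tables).
# Both forwarded and locally delivered packets traverse raw PREROUTING,
# so one chain covers the capture traffic.
apply_notrack() {
    $IPTABLES $(notrack_rule PREROUTING) || return 1
    $IP6TABLES $(notrack_rule PREROUTING) || return 1
}

# Current number of conntrack entries; compare before and after applying
# the rule to confirm the mirrored traffic is no longer being tracked.
conntrack_count() {
    f=/proc/sys/net/netfilter/nf_conntrack_count
    [ -r "$f" ] && cat "$f" || echo 0
}

# Packet counters on raw PREROUTING show whether the NOTRACK rule matches.
show_notrack_counters() {
    $IPTABLES -t raw -L PREROUTING -v -n
}
```

Run `IPTABLES=echo IP6TABLES=echo sh -c '. ./notrack.sh; apply_notrack'` first to see the generated rules without touching the firewall.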