On Thu, Jul 2, 2009 at 6:04 PM, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
> On Thu, 2009-07-02 at 17:06 +0100, Terry Burton wrote:
>> Thanks, but my issue isn't with firewalling, rather that I'd like this
>> traffic to avoid the conntrack table altogether to avoid system load.
>
> Still it's a way to disable conntracking for just one interface, right?
>
> The raw table is evaluated before the connection tracking code. In fact
> being able to do stuff before the connection tracking code is called
> is the raison d'être of the raw tables.

My bad - I hadn't taken the time to understand your reply and didn't
appreciate the relationship between connection tracking and the raw table.

>> As soon as I bind the (unaddressed) interface into the bridge the
>> packets are conntracked.
>
> Oh yes, sorry, I didn't read your email correctly, you are bridging
> packets thru your box so the conntrack code gets to see them. Don't
> know if the above will still work under these circumstances, just
> try it out.

It works great when you use the bridge interface name:

    iptables -t raw -A PREROUTING -i breth1 -j NOTRACK

Thank you very much for the rapid help!

All the best,

Terry
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
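An added example, not part of the thread above: a small POSIX shell script that emits the raw-table rule Terry ended up with, plus an audit that reads an iptables-save dump and reports whether the NOTRACK rule is attached to the bridge device rather than to an enslaved port (where, as Terry found, bridged frames are still conntracked). The interface names `breth1`/`eth1` and the sample dump are constructed; the optional FORWARD rule for `--ctstate UNTRACKED` is an assumption about a typical stateful ruleset, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Interface names and the
# iptables-save dump below are constructed for illustration.

BRIDGE="breth1"   # bridge device that carries the bridged traffic
PORT="eth1"       # enslaved port; a NOTRACK rule here misses bridged frames

# Print (rather than execute, so this runs unprivileged) the rules that
# keep bridged traffic out of the conntrack table. raw/PREROUTING runs
# before connection tracking, so matching packets never create an entry.
notrack_rules() {
    printf 'iptables -t raw -A PREROUTING -i %s -j NOTRACK\n' "$1"
    # Caveat (assumed stateful ruleset): untracked packets never match
    # ESTABLISHED/RELATED, so they need an explicit forwarding decision.
    printf 'iptables -A FORWARD -i %s -m conntrack --ctstate UNTRACKED -j ACCEPT\n' "$1"
}

# Audit an iptables-save dump on stdin: exit 0 if raw/PREROUTING holds a
# NOTRACK (or CT --notrack) rule whose "-i" is exactly $1, else exit 1.
has_notrack() {
    awk -v dev="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && $1 == "-A" && $2 == "PREROUTING" &&
        (/-j NOTRACK/ || /-j CT --notrack/) {
            for (i = 1; i <= NF; i++)
                if ($i == "-i" && $(i + 1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed dump: the rule was put on the enslaved port, not the bridge.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -j NOTRACK
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

notrack_rules "$BRIDGE"
if printf '%s\n' "$SAMPLE_DUMP" | has_notrack "$BRIDGE"; then
    echo "ok: raw PREROUTING NOTRACK rule is attached to $BRIDGE"
else
    echo "warning: no NOTRACK rule for $BRIDGE (a rule on $PORT does not cover bridged frames)"
fi
```

On a live box the audit is `iptables-save | has_notrack breth1`; after applying the rule, `conntrack -L` should stop showing flows for the bridged segment.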