Hi,

We've got a scenario where we want to use CONNMARK to mark connections that have passed a large number of rules in order to allow packets from those connections to skip rules in the future (for performance reasons). However, when we add new rules we want to ensure that all the connections need to pass the new rules as well.

It has been proposed to add a custom patch to clear the mark for all marked connections -- is there a better way of doing this?

I thought maybe we could use the CONNMARK as a generation count and bump it up each time a rule is added. This would require updating the bypass rule each time we modify the other rules though.

If there are better options I'd like to hear them.

Thanks,
Chris

--
Chris Friesen
Software Developer
GENBAND
chris.friesen@xxxxxxxxxxx
www.genband.com
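The generation-counter idea from the post, as an added example that is not part of the original message: a script that emits an iptables-restore fragment in which the low 8 mark bits hold the ruleset generation. The chain name SLOW_RULES, the 0xff mask, and the use of FORWARD are assumptions of this example; the rules passed in are ordinary iptables match expressions that should DROP. Generation 0 is never used, because an unmarked connection also has mark 0/0xff and would otherwise match the bypass rule.

```shell
#!/bin/sh
# Added example: CONNMARK as a ruleset generation number (assumed layout,
# not the poster's or the netfilter project's own code).

GEN_MASK=0xff   # assumed: low 8 mark bits hold the generation (1..255)

# next_gen CURRENT -> prints the next generation, wrapping 255 -> 1 and
# never returning 0, since 0/0xff is what every unmarked connection has.
next_gen() {
  echo $(( ($1 % 255) + 1 ))
}

# gen_ruleset GEN RULE... -> prints an iptables-restore filter fragment.
# Connections already stamped with GEN skip SLOW_RULES; everyone else
# (including connections stamped with an older generation) walks the
# full chain and is re-stamped only if it reaches the end.
gen_ruleset() {
  gen="$1"; shift
  echo '*filter'
  echo ':SLOW_RULES - [0:0]'
  # Bypass rule: must be updated (GEN changed) whenever the rules change.
  echo "-A FORWARD -m connmark --mark $gen/$GEN_MASK -j ACCEPT"
  echo '-A FORWARD -j SLOW_RULES'
  for rule in "$@"; do
    echo "-A SLOW_RULES $rule -j DROP"
  done
  # Reaching here means the packet passed every rule: stamp the connection
  # with the current generation (only the masked bits are touched).
  echo "-A SLOW_RULES -j CONNMARK --set-xmark $gen/$GEN_MASK"
  echo '-A SLOW_RULES -j ACCEPT'
  echo 'COMMIT'
}

# Demo with constructed rules: generation 7, then bump to 8 after a change.
gen_ruleset 7 "-p tcp --dport 23" "-s 10.0.0.0/8"
echo "# next generation after adding a rule: $(next_gen 7)"
```

Feeding the output to `iptables-restore` replaces the bypass rule atomically, so connections stamped with the previous generation fall through to SLOW_RULES on their next packet and must pass the new rules before being re-stamped.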