Re: any way to reset all marked connections when using CONNMARK?

----- "Chris Friesen" <chris.friesen@xxxxxxxxxxx> wrote: -----
> We've got a scenario where we want to use CONNMARK to mark connections
> that have passed a large number of rules in order to allow packets
> from those connections to skip rules in the future (for performance
> reasons).
> 
> However, when we add new rules we want to ensure that all the
> connections need to pass the new rules as well.
> 
> It has been proposed to add a custom patch to clear the mark for all
> marked connections--is there a better way of doing this?
> 
> I thought maybe we could use the CONNMARK as a generation count and
> bump it up each time a rule is added. This would require updating
> the bypass rule each time we modify the other rules though. If there
> are better options I'd like to hear them.

Using conntrack-tools might help:

conntrack --update --mark 0

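Both approaches from the thread, as an added example that is not part of either post: CONNMARK used as a generation counter (the questioner's idea) plus the reply's conntrack-tools reset. The chain names HEAVY_CHECKS and CONNGEN, the generation file $GEN_FILE and the RUN variable are all assumptions made for this example; HEAVY_CHECKS is assumed to RETURN packets that pass and DROP those that do not, since a rule that ACCEPTs directly would skip the marking step. With the default RUN=echo the iptables and conntrack commands are printed instead of executed, so the script runs without root.

```sh
#!/bin/sh
# Added example (not from the thread): CONNMARK as a ruleset "generation" counter,
# so bumping the generation forces every connection back through the expensive
# rules. Hypothetical names: chain HEAVY_CHECKS holds the expensive rules and must
# RETURN (not ACCEPT) packets that pass; chain CONNGEN wraps it; $GEN_FILE stores
# the current generation. RUN defaults to "echo" so commands are only printed;
# set RUN="" (as root, on a real box) to execute them.
RUN="${RUN-echo}"
GEN_FILE="${GEN_FILE:-/tmp/fw-generation}"

# Generation currently in force; 0 if none was recorded yet.
current_gen() { cat "$GEN_FILE" 2>/dev/null || echo 0; }

# Generation after $1. The mark is 32 bits and 0 is reserved for "not checked yet".
next_gen() {
  n=$(( $1 + 1 ))
  if [ "$n" -gt 4294967295 ]; then n=1; fi
  echo "$n"
}

# The three rules of CONNGEN for generation $1, in order:
#  1. connections already marked with this generation skip the checks,
#  2. everything else goes through HEAVY_CHECKS,
#  3. whatever comes back is marked with this generation for next time.
generation_rules() {
  printf '%s\n' \
    "-m connmark --mark $1 -j ACCEPT" \
    "-j HEAVY_CHECKS" \
    "-j CONNMARK --set-mark $1"
}

# One-time install: create CONNGEN, fill it, hook it into INPUT.
install_chain() {
  gen=$(current_gen)
  $RUN iptables -N CONNGEN
  generation_rules "$gen" | while read -r rule; do
    # $rule is deliberately unquoted so it splits into separate arguments
    $RUN iptables -A CONNGEN $rule
  done
  $RUN iptables -A INPUT -j CONNGEN
}

# Bump the generation: replace rules 1 and 3 in place (no window with an empty
# chain), then record the new value. Marks from older generations simply stop
# matching rule 1, so those connections get re-checked; the conntrack table is
# never touched. Rule 1 goes first so no stale bypass survives the swap.
bump_generation() {
  gen=$(next_gen "$(current_gen)")
  $RUN iptables -R CONNGEN 1 -m connmark --mark "$gen" -j ACCEPT
  $RUN iptables -R CONNGEN 3 -j CONNMARK --set-mark "$gen"
  echo "$gen" > "$GEN_FILE"
}

# The alternative from the reply: clear every mark with conntrack-tools, so all
# connections re-enter HEAVY_CHECKS without changing any rule.
reset_marks() { $RUN conntrack -U --mark 0; }
```

The generation approach needs two rule replacements per change but leaves the conntrack table alone; the conntrack reset needs no rule changes but walks every tracked connection, which on a busy box is worth doing outside peak load. Either way, any rule inside HEAVY_CHECKS that ACCEPTs directly instead of RETURNing will leave those connections unmarked and checked on every packet.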
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
