Re: How to make conntrack to process all packets?

Hello,

Petr Chmelar wrote:
> 
> We would like to use Ulogd's NFCT input for intelligent netflow-based 
> statistics reporting. The problem is that the netfilter_conntrack 
> doesn't process connections that don't go through the system (we have 
> noticed and found in man conntrack /TABLES), which we need to process 
> because of sniffing in promisc mode (we have forwarded traffic from 
> different vlans). This doesn't work even when we do something like:
> iptables -I PREROUTING -i eth9.10 -t raw -j CT

From reading the manpage, I do not think that CT without any option does
anything.

> In fact we're looking for an opposite of NOTRACK. Do you have any idea 
> how to setup or recompile the libnetfilter_conntrack or similar (ulogd2) 
> so we get also flows not destined for the system?

IMO, you are looking in the wrong direction. The whole netfilter (not
only conntrack) won't process packets not destined to the host because
these packets do not reach the IP layer. A workaround may be to use a
bridge with bridge-nf-call-iptables enabled.
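The bridge workaround described in the reply above, as an added example that is not part of this thread: a POSIX shell script that wraps the monitor NIC in a Linux bridge, adds a dummy interface as a second port, and turns on bridge-nf-call-iptables so that bridged frames not addressed to the host are still handed to iptables and conntrack. The names br0, eth9.10 and sink0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a Linux bridge around the
# monitor NIC and enables bridge-nf-call-iptables so bridged IPv4 frames reach
# iptables/conntrack although they are not addressed to this host.
# Names (br0, eth9.10, sink0) are assumptions; adjust to your setup.
# Usage: bridge_conntrack_plan br0 eth9.10 sink0   # print the commands
#        bridge_conntrack_apply br0 eth9.10 sink0  # run them as root

bridge_conntrack_plan() {
    br="$1"; mon="$2"; sink="$3"
    # Since kernel 3.18 the net.bridge.* sysctls only exist once the
    # br_netfilter module is loaded.
    echo "modprobe br_netfilter"
    echo "ip link add name $br type bridge"
    # A second bridge port is needed: conntrack only confirms a new entry
    # when the packet passes POSTROUTING (or LOCAL_IN). A dummy interface
    # gives the bridge somewhere to forward the mirrored frames to, so the
    # entries are confirmed and show up in 'conntrack -L'.
    echo "ip link add name $sink type dummy"
    for port in "$mon" "$sink"; do
        echo "ip link set dev $port master $br"
        echo "ip link set dev $port up"
    done
    # Accept frames for foreign MACs on the mirror port.
    echo "ip link set dev $mon promisc on"
    echo "ip link set dev $br up"
    # The actual switch: hand bridged IPv4 frames to the iptables hooks,
    # and therefore to conntrack.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    # A raw-table rule with no target only counts packets; non-zero counters
    # in 'iptables -t raw -vL PREROUTING' confirm that frames arriving on the
    # bridge really reach netfilter, and 'conntrack -L' shows the flows.
    echo "iptables -t raw -I PREROUTING -i $br"
    echo "iptables -t raw -vL PREROUTING"
    echo "conntrack -L"
}

# Execute the plan (needs root and the iproute2, iptables and conntrack tools).
bridge_conntrack_apply() {
    bridge_conntrack_plan "$@" | sh -e
}

# Number of commands the plan would run; handy for a quick sanity check.
bridge_conntrack_plan_lines() {
    bridge_conntrack_plan "$@" | wc -l | tr -d ' '
}
```

Do not leave a NOTRACK rule for the bridge in the raw table, or the frames will be passed to iptables but skipped by conntrack.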
