Hi, Sven.

You can disable conntrack entirely by removing the module. Also, you can disable conntrack only for specified connections with the CT target (--notrack option).

2014-04-21 5:22 GMT+04:00 Sven Köhler <sven.koehler@xxxxxxxxx>:
> Hi,
>
> consider the following example:
> you have a router between two networks, and you want to cut off the
> router from the outside world using some iptables rules. However, all
> traffic that is forwarded by the router between the two networks
> is basically to be ignored by iptables (i.e., the router does not play
> firewall for either of the two networks).
>
> Currently, if conntrack is loaded on the router, then conntrack -L on
> the router lists all the connections, not only those to and from the
> router, but also all connections between the two. Certainly, it takes
> some CPU cycles for the router to keep track of all the connections.
> Also, the number of connections that conntrack can keep track of is limited.
>
> So is there a way to let Linux "bypass" conntrack and maybe other
> netfilter stuff when it comes to forwarded packets?
>
>
> Kind Regards,
> Sven
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
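The CT --notrack approach Anton describes, worked out for Sven's router scenario. This is an added example, not code from the thread or from the netfilter project: it assumes iptables with the raw table, the CT target and the addrtype match available (nf_conntrack loaded), and that the only service the router itself exposes is SSH on a configurable TCP port (22 by default). The function prints the rules instead of applying them so they can be reviewed first; pipe the output to sh as root to apply.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread). Exempts transit traffic on a
# Linux router from conntrack with "-j CT --notrack", while traffic to and from
# the router itself stays tracked and stateful rules still protect the router.
#
# Assumptions: iptables with the raw table, the CT target and the addrtype match;
# nf_conntrack loaded; admin access via TCP port given as $1 (default 22).
#
# Usage: notrack_rules            -> print the rules for review
#        notrack_rules 2222 | sh  -> apply them (run as root)
notrack_rules() {
    port="${1:-22}"
    cat <<EOF
# The raw table is traversed before conntrack sees the packet. Anything not
# addressed to one of the router's own addresses (or a broadcast/multicast
# address delivered locally, e.g. DHCP or OSPF) is transit traffic: mark it
# NOTRACK so no conntrack entry is ever created for it. Replies of those flows
# arrive on the other interface and hit the same rule.
iptables -t raw -A PREROUTING -m addrtype ! --dst-type LOCAL,BROADCAST,MULTICAST -j CT --notrack

# Locally generated packets (raw OUTPUT chain) are never forwarded, so nothing
# is needed there: the router's own connections remain tracked.

# The router does not firewall transit traffic at all.
iptables -P FORWARD ACCEPT

# Stateful protection of the router itself works exactly as before, because
# packets addressed to it were never marked NOTRACK.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Prints how to verify the effect once applied: only flows involving the router
# should remain in the table, and the count should stay flat under transit load.
verify_hint() {
    cat <<'EOF'
conntrack -L
sysctl net.netfilter.nf_conntrack_count
EOF
}

# Stand-alone run: show the rules for the default admin port.
notrack_rules "$@"
```

Two caveats a practitioner will want before deploying this: untracked packets cannot be NATed (NAT is built on conntrack), so this only fits a router that really does plain forwarding, and any stateful matching in FORWARD (--ctstate ESTABLISHED etc.) no longer works for those flows, which is exactly the "router does not play firewall" situation Sven describes. On older iptables releases the raw-table NOTRACK target does the same job as "-j CT --notrack". After applying, `conntrack -L` should list only the router's own connections, and `net.netfilter.nf_conntrack_count` should no longer grow with transit traffic.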